PCI Compliance

Mar 24, 2022

Your business couldn’t function without credit card sales. They are the lifeblood of your cash flow. 

Accepting credit card payments also means you must remain PCI compliant. 

PCI, or more formally PCI DSS, stands for Payment Card Industry Data Security Standard. These standards pertain to any entity accepting or processing payment cards.

PCI DSS compliance may seem challenging, but much less so than a hack into your business data. PCI compliance can help you avoid that kind of disaster. 

The bottom line is that hackers are always looking for inroads into data, so constant security upgrades are a must.

What is PCI Compliance?  

Accepting credit cards offers many marketplace advantages, but there’s a significant downside. 

Credit cards attract criminals like a magnet. 

The five major credit card companies – Visa, MasterCard, American Express, Discover, and the Japan-based JCB – knew something had to be done to stem huge losses because of fraud. The result was PCI.

PCI DSS 1.0 formally emerged in 2004, created by the major credit card companies. 

While credit card fraud had existed since the dawn of the industry, the beginning of online commerce in the 1990s caused the problem to skyrocket. 

Once e-commerce came into everyday use, the ability to defraud credit card companies increased exponentially. Credit card companies had to create standards to prevent breaches. 

In the nearly two decades since then, any business accepting credit card payments has had to become PCI compliant.

Keep in mind that while the card brands (Visa and MasterCard, for example) made PCI mandatory, the liability lands on every other entity in the payment processing cycle. 

PCI compliance means securing every aspect of cardholder data, from the POS through the entire payment processing system. 

PCI standards apply to:

  • Card readers
  • POS systems
  • Merchant networks and wireless access routers
  • Credit card data transmission and storage
  • Online payments
  • Shopping carts

Credit card companies enacted PCI standards for internet commerce purposes, but they also apply to the storage of paper credit card receipts.

PCI Compliance History

The second version of PCI DSS made its debut in 2006. 

This update required merchants to add firewalls to their sites for additional security and review every online application. 

This was also the time when the credit card companies established the PCI Security Standards Council (PCI SSC) to administer standards in the future. 

This independent body monitors threats and addresses them via PCI security enhancement and the training of security professionals.

October 2008 saw the release of PCI DSS 1.2, which required antivirus software and wireless network protection for compliance. 

In October 2010, PCI DSS 2.0 gave merchants additional time to become compliant by changing the update schedule from two to three years. 

The release of PCI DSS 2.0 did not include the major changes found in earlier updates. It coincided with a report by Verizon detailing the difficulties of “meeting and maintaining” PCI DSS compliance for companies.

PCI DSS 3 debuted in January 2015. This version addressed the specific problems merchants continued to encounter, including:

  • Weak passwords
  • Third-party security issues
  • Increase in education and awareness 
  • Slow malware programs 

PCI DSS 3 also emphasized “security as a shared responsibility,” recognizing that different components of a business may bear certain responsibilities for network or system security. 

As a result, annual penetration tests were needed to verify operational effectiveness. 

Another aspect of PCI DSS involves regular physical inspection by the merchant of all POS devices in order to detect tampering. Such tampering includes hidden cameras, skimming devices, and other tools attackers use to collect sensitive data. 

The 3.0 version requires antivirus software to run on all computers 24/7. This is not mandatory for merchants that outsource all payments to a third-party processor. 

There are four levels to PCI compliance, based on annual total transaction volume. As your business increases in revenue, credit card companies require higher security levels. 

For instance, the first level applies to any merchant that processes over 6 million transactions annually. However, any merchant falling victim to a major data breach compromising customer accounts must comply with Level 1 standards. 

As of January 31, 2017, all small businesses – Level 4 merchants – had to validate PCI compliance. Level 4 merchants are those processing fewer than 20,000 e-commerce transactions per year, or retail businesses processing fewer than 1 million transactions annually.

Such sellers also had to provide QIR certification for Visa if using third-party companies for tech support and installation. Only single-use terminals with no internet connection were excluded.

12 PCI Compliance Components

There are 12 PCI compliance requirements. They focus on network security and maintenance and keeping all cardholder data safe. 

Although these requirements apply to all levels, exactly how a business must comply depends on its PCI Self-Assessment Questionnaire (PCI SAQ). The PCI SAQ standards vary according to level. 

The rules are straightforward, but exactly how the merchant interacts with PCI compliance regulations varies according to their PCI SAQ status. 

There are nine PCI SAQs, and the merchant chooses the category for their business based on the criteria. 

Here are the basics:

  1. Install a firewall – All merchants and service providers must maintain a secure network with proper firewall configuration.
  2. No use of vendor-supplied passwords – Change the passwords for the operating systems supplied by the vendors. Add additional security measures, such as two-factor authentication. Change any default settings in apps, plug-ins, etc.
  3. Keep stored cardholder data secured – Although it is third on the requirement list, it’s the primary PCI compliance component. The security of any cardholder data stored includes the storage location and retention period.   
  4. Encrypt cardholder data transmission over open networks – Data transmitted over public networks is especially vulnerable to cybercriminals. Always know where you are sending and receiving cardholder data.
  5. Use antivirus software or programs to avoid malware attacks – This antivirus software or program requires regular updating. It is necessary for all systems and devices.
  6. Create secure applications and systems – Define, develop and maintain secure applications and systems and subject them to vulnerability management to identify weaknesses in the system, evaluate risk level, and fix them.
  7. Limit cardholder data access – Only those entities that must have cardholder data should have accessibility. This falls under PCI’s “need-to-know” standard. Maintain a list of all users and their role in accessing cardholder data.
  8. Assign a unique ID to everyone with computer access – Any authorized user must have their own identifier and password. Any questionable activity is then traceable to that user.
  9. Limit physical access to cardholder data – Restrict physical access to any systems housing cardholder data. Without such limitations, someone could enter the data center and steal or destroy cardholder data and devices. This involves installing security cameras.

Merchants must keep all logs and records for 90 days and protect all portable media until it is no longer needed. At that point, the merchant must dismantle it.

  10. Monitor and track all access to network resources and cardholder data – Cybercriminals seek vulnerabilities in networks. By reviewing system activity logs or similar mechanisms regularly, it is possible to thwart cyberattacks. Should the system become compromised, such tracking can determine the cause.
  11. Test security systems and processes regularly – Test frequently to ensure security maintenance. Conduct a wireless analyzer scan, internal vulnerability scan, and PCI Approved Scanning Vendor test at least quarterly. Application penetration tests and network penetration tests are necessary annually. If there is any major change to the external IP or domains, conduct the application and network penetration tests promptly. On a weekly basis, perform file monitoring.
  12. Establish and maintain a strong security policy for all personnel – Develop a robust security policy for all employees and contractors. Make sure all relevant parties receive it. PCI compliance is not limited to those in the IT department. Conduct a yearly risk assessment to identify vulnerabilities and threats.

All employees must have background checks. This requirement includes user awareness training and incident management. Training courses ensure employees understand not only PCI compliance requirements, but what to do when encountering a potential security issue.

Data Breach Dangers

As a business owner, educating yourself on the effects a data breach could have on your company is critical. 

According to the Verizon Data Breach Investigations Report, a whopping 85 percent of breaches involved the human element. Thirty-six percent involve phishing, an 11 percent increase in 2020 over 2019. 

Ransomware is a growing threat. While just 10 percent of breaches involved ransomware, that is double the figure from the previous year.  

Should a data breach occur, several areas of your business could suffer negative effects. However, being a PCI compliant merchant and using a PCI compliant payment processor can significantly reduce your chances of a breach.

In the event a data breach occurs, expect to face upset clients who want answers and help that you may not have. It’s likely these unhappy clients will discontinue service with you. 

The odds are good they will spread the word far and wide that your business was at fault. Obviously, this can spiral out of control quickly. 

Your brand not only takes a tremendous hit from this data breach, but that hit could prove fatal.

Penalties for Non-Compliance

On top of your company’s reputation taking a big hit, if you are not PCI compliant, you’ll face many fines and fees. 

Visa, Mastercard, and their associated Member Banks impose those fees, and they can range anywhere from $5,000–$500,000. 

Other expenses include forensic audits, replacement card costs, and possible business investigations.

To make matters much worse, you will most likely face some serious lawsuits and litigation expenses. Everyone will want to pinpoint blame somewhere, and if you haven’t followed PCI protocol, it will be easiest to rest that blame on you as the business owner.

To put the financial risk in perspective, look at the hit the victims of the biggest PCI compliance breaches have taken. 

For instance, the Equifax breach affected 45 percent of the U.S. population. The settlement has cost $425 million to date. The deadline for those filing a claim for fraud or identity theft is not until January 2024.

How to Ensure PCI Compliance

There are a million things to do when you own a small business. It’s easy for data security to get pushed to the back burner.  

But with everything at stake, it’s crucial for your business to become and remain PCI compliant. 

One of the easiest ways to do that is to choose a credit card processing company (like Easy Pay Direct) that is also PCI compliant and can walk you through that process. 

Protect your clients, protect your business, and protect yourself.

Protecting cardholder information is imperative not only for us here at Easy Pay Direct, but for the businesses and merchants we work with. 

We want to work together to ensure we are protecting our consumers to the best of our ability so they can place their trust in us. It is also extremely important that we protect this sensitive cardholder information in order to remain compliant with PCI DSS mandates.

To do so, we want to remind business owners not to allow any sensitive card information to find its way into emails (or other communication) containing full credit card numbers (PAN) or security codes (CVV2, CAV2, CID, etc.). 

Please do not disclose these numbers in any communication you are sending or receiving (even to us as your credit card processor). 

It may also be beneficial to remind your customers of this to protect your business from penalties and fines from the credit card associations in the event of a data breach.

If you find it necessary to send and share cardholder information (to receive help, etc.), please remember to do so using the following masked format:

Jane Smith

Card #: xxxx-xxxx-xxxx-3456

Expiration: xx-xxxx

Security Code: xxx
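The masked format above can be enforced automatically before a support message leaves your systems. The following Python is an added example written for this article, not Easy Pay Direct's own tooling: it finds candidate card numbers in free text, keeps only those that pass the Luhn checksum (so an order or reference number with the same digit count is left alone), reduces each to the "xxxx-xxxx-xxxx-3456" form, and blanks labelled expiry dates and security codes. The sample e-mail text and the 4111 1111 1111 1111 test card number are constructed for the demonstration.

```python
import re

# Constructed sample of the kind of support e-mail the page warns against:
# full PAN, expiry and security code in plain text, plus a non-card reference number.
SAMPLE = ("Hi, the charge for Jane Smith failed. Card #: 4111 1111 1111 1111, "
          "Expiration: 09/2026, Security Code: 123. Reference 1234-5678-9012-3456.")

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Labelled security codes (CVV2, CAV2, CID) and expiry dates, as named on the page.
CVV_RE = re.compile(r"(?i)\b(cvv2?|cav2|cid|security code)\s*[:#]?\s*\d{3,4}\b")
EXP_RE = re.compile(r"(?i)\b(exp(?:iration|iry)?)\s*[:#]?\s*\d{2}\s*[/-]\s*\d{2,4}\b")

def luhn_valid(digits: str) -> bool:
    """Mod-10 checksum every real PAN satisfies; filters out order/reference numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Reduce a PAN to the page's 'xxxx-xxxx-xxxx-3456' form (last four digits only)."""
    digits = re.sub(r"\D", "", pan)
    return "xxxx-xxxx-xxxx-" + digits[-4:]

def redact_cardholder_data(text: str) -> tuple[str, int]:
    """Return the text with PAN, expiry and security code masked, plus the PAN count."""
    found = 0
    def pan_sub(m: re.Match) -> str:
        nonlocal found
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            found += 1
            return mask_pan(digits)
        return m.group(0)       # Luhn failed: leave it, it is probably not a card number
    text = PAN_RE.sub(pan_sub, text)
    text = CVV_RE.sub(lambda m: f"{m.group(1)}: xxx", text)
    text = EXP_RE.sub(lambda m: f"{m.group(1)}: xx-xxxx", text)
    return text, found

if __name__ == "__main__":
    clean, n = redact_cardholder_data(SAMPLE)
    print(f"{n} PAN(s) masked:\n{clean}")
```

A non-zero count from redact_cardholder_data on outbound mail is also a useful alert: it means someone tried to send a full card number in the first place.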

At Easy Pay Direct, we know that protecting sensitive cardholder information and staying compliant with industry regulations is vital to keeping your business protected. 

Should you have further questions, please contact us at 800.805.4949.
