I’ll make a guess:
You’ve heard about PCI.
At least, I think there’s a strong probability you have, if you have a business that accepts card payments.
Since, well, you have to comply with the security standards of PCI if you accept as much as one card payment.
But if you’re starting a business, or if you’re not quite sure what this PCI really is, this article is for you.
I’ll take you through what PCI is, why it exists, how you deal with it, and what it really means to your business.
Let’s start with the basics:
PCI DSS is short for Payment Card Industry Data Security Standard and is a security standard that applies to the entire card industry. When people mention PCI, it’s most often the PCI DSS they mean.
The purpose of PCI DSS is to increase security around card payments to consumers globally by ensuring common standards for how companies process card data.
The security standard was developed by the card schemes Visa, Mastercard, American Express, JCB, and Discover.
The standard is maintained by the Payment Card Industry Security Standards Council (PCI SSC) which was founded in 2006. The PCI SSC is responsible for evolving the PCI DSS.
So far, so good.
Now, to whom does PCI DSS apply?
This one is easy, because:
PCI DSS applies to all companies that store, process, transmit or otherwise handle cardholder data.
No matter if you only process one card transaction, you have to comply with the PCI DSS.
And what does compliance with PCI DSS entail?
Well, for a high-level overview, there are 6 overall goals and 12 technical and operational requirements of PCI DSS.
Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
If you want to get more technical, you can visit the link below and find the +200 security points that complying with PCI DSS entails.
So, these 12 requirements apply to ALL businesses that somehow deal with cardholder data – and all businesses have to comply with the PCI DSS.
To document that your business complies with the PCI DSS, you have to report your compliance to your acquirer once every year. How you report your compliance differs depending on how many transactions you process per year.
Let me try to give you a quick (and a bit simplified) overview.
If you process more than 6 million transactions per year, you have to do an onsite audit once a year by a QSA to report your compliance with the PCI DSS. A QSA is a Qualified Security Assessor, which is a company that’s certified to validate companies’ compliance with PCI DSS.
If you process 1 to 6 million transactions per year, you have to fill in a so-called Self-Assessment Questionnaire (SAQ) once a year to report your compliance. Or you might have to do an onsite audit with a QSA.
If you process 20,000 to 1 million e-commerce transactions, you report compliance through the SAQ once a year. Naturally, this is the most common way that companies report their compliance, and we’ll get back to the SAQ in a minute.
If you process 0 to 1 million retail transactions per year, or 0-20,000 e-commerce transactions per year, it’s up to your acquirer to decide how you report your compliance.
All businesses, regardless of how many transactions you process per year, have to undertake quarterly network scans by an ASV (an Approved Scanning Vendor, which is a company that offers security scans of other companies). We’ll get back to this one in a minute, too.
Okay, there’s no way around it. You have to report your compliance, so your acquirer (and the card schemes) can see that you’re compliant with PCI DSS.
So how do you go about this?
How to report your compliance
We know that PCI can be an intricate affair, so we’ve tried to make it easy for you.
When you use Bambora as your acquirer, you get access to an online tool that helps you manage and report your PCI compliance.
And the best part?
Yeah, since all this PCI business wasn’t your idea, we’ve decided to give you our PCI tool free of charge.
And those quarterly networks scans by ASV’s that are mandatory for all businesses?
We’re giving them away for free, too. They’re included in the tool.
So, what does this PCI tool do?
Well, basically, it makes it easy for you to manage everything related to PCI.
Key features include:
PCI compliance manager (which guides you through the SAQ step-by-step)
Network vulnerability scans (ASV scans)
Training and education programs
The tool is user-friendly and designed to help businesses maintain their PCI compliance – and make the process easy.
With the help of our PCI tool, handling your compliance should be a walk in the park.
Now, let’s take a step back and look at what’s at risk if you don’t comply with the PCI DSS.
I’m not going to beat around the bush:
If your business is not compliant with the PCI DSS, you’re running a huge risk that might undermine the foundations of your entire business.
The PCI DSS was put in place to protect consumers and businesses globally, and if there’s a security breach, you risk being heavily fined.
The size of the fine depends on the type of the security breach, but to be sure to avoid any fines, make sure your business is compliant.
I can only urge you: Do not take the security of your business lightly.
I hope this article helped you get a better understanding of the PCI DSS regulations and how you deal with them.
You can find much more information on the official website of the PCI Security Standards Council right here: https://www.pcisecuritystandards.org/
If you have any questions at all regarding PCI DSS or our free compliance tool, get in touch with us here and we’ll be more than happy to help.