Interested in saving time and having a secure website? Learn what Concrete CMS can do for you.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements created to ensure that companies that store and process credit card information maintain a safe environment and protect the data they are entrusted with. The PCI DSS is managed and administered by the PCI Security Standards Council (PCI SSC). This independent body was launched in September 2006 to improve account security by American Express, Discover, JCB, MasterCard, and Visa.
Credit card processing falls under consumer protection, it is the Federal Trade Commission (FTC) that is responsible for its oversight. And while there is no proper regulatory mandate to enforce the PCI, court precedent has made its compliance mandatory.
By now, PCI compliance has become a core component of security protocols for most, if not all, credit card companies, which mandate and discuss its details and application during credit card network agreements.
The PCI Standards Council develops and asserts PCI compliance standards, which apply to merchant processing and outline requirements for encrypted internet transactions. There are still other key entities associated with setting the standard practices in the credit card industry, such as the National Automated Clearing House (NACHA) and The Card Association Network.
PCI Standard Practices
PCI compliance standards’ primary goal is to ensure that cardholders’ financial account information remains safe and reduces the likelihood of theft, fraudulent use, or identity fraud. This is done by placing requirements on merchants and businesses to handle such information in the most secure manner possible.
To be ‘PCI compliant’ is to adhere to the set of guidelines put forth by the PCI Standards Council – these are known as the Payment Card Industry Data Security Standards (PCI DSS). They outline six primary objectives and are divided into 12 essential requirements, subdivided into 78 more base requirements, and ensured through the implementation of over 400 test procedures. The three main strategies for PCI DSS compliance are:
- Ensuring that sensitive financial information is collected and transmitted as securely as possible by handling the ingress of credit card data from customers procedurally.
- Making efforts in the secure storing of said data (examples are outlined through the 12 domains of the PCI standard, which include ongoing monitoring, encryption, and security testing of access to card data).
- Consistent annual tests to ensure that the required security controls are in place and efficient. They are laid out as third-party audits, questionnaires, forms, and external vulnerability scanning services.
Depending on business models, some companies won’t need to handle sensitive credit card data directly, while others will. Such companies may need to adhere to more than 300+ security controls in PCI DSS. Even if the data is only traversing the company’s servers for a short amount of time, it is still required to implement and maintain an up-to-date security infrastructure (including software and hardware).
However, if a company does not need to handle sensitive credit card data itself, the burden of added complexity, cost, and risk are alleviated. Instead, third party solutions (like Stripe Elements) can securely receive and store the data, which would never have to touch the company’s server. In this case, the organization would only need to adhere to a set of 22 security controls, some of which are just straight-forward directives like using strong passwords.
Any organization that handles or stores credit card data will need to define its cardholder data environment (CDE). The PCI DSS defines the CDE as “the people, processes, and technologies that store, process, or transmit credit card data—or any system connected to it.” The key is to properly segment the business environment to limit the scope of PCI validation to the payment environment only. This is important considering that all 300+ of the PCI DSS security requirements apply to the CDE. If the organization doesn’t properly use granular segmentation to contain the CDE’s scope, these security controls would have to apply to every device, laptop, and system in the entire corporate network… Which sounds like a lot more work, time, and resources.
Regardless of the efforts put into accepting, transmitting, or handling credit card data, companies must undergo annual PCI validations. Several factors will decide whether PCI compliance is validated.
Here are three particular scenarios that could justify an organization being asked to prove its PCI compliance:
- It may be requested by payment processors to comply with their own required reporting to the payment card brands
- You may need it as a prerequisite for possible business partners before entering into partnership or agreements
- Platform businesses may request it to ensure their customers they are handling their data security.
Validating PCI compliance may be a daunting task for new businesses. A few tools are available to make the process smoother – such as the Self-Assessment Questionnaires (SAQs) put in place by the PCI Council as subsets of all requirements. However, you’ll still have to figure out which rules apply to you and whether or not you even need to hire a PCI Council-approved auditor to verify your compliance. The fact that the PCI Council revises rules and releases updates regularly makes the whole process even more complex.
PCI DSS Levels
An easy way to understand the whole system is by mastering the four levels of compliance based on how the number of card transactions your organization handles over one year.
- Level 1 – for those processing over 6 million Visa transactions/year: You need to have an annual on-site security assessment, as well as a quarterly network vulnerability scan.
- Level 2 – for those processing between 1 and 6 million Visa transactions/year: The onsite security assessments are left at your own discretion, but you’ll need to provide an annual self-assessment questionnaire and a quarterly network vulnerability scan.
- Level 3 – for those processing 20,000 to 1 million Visa e-commerce transactions/year: You will need to provide an annual self-assessment questionnaire and a quarterly network vulnerability scan.
- Level 4 – for those processing less than 20,000 Visa e-commerce transactions/year and those processing up to 1 million Visa transactions /year: You will also need to provide a self-assessment questionnaire annually and a quarterly network vulnerability scan.
Is there a way to avoid PCI Compliance?
As you have noticed, Getting PCI compliant on your own can be a challenging task that may take weeks.
Even once you master the system, it’s worth noting that an easy way not to have to worry about it is to organize your business model, so you don’t have to save or store any cardholder data yourself. Instead, you can use a card reader or point-of-sale (POS) processor that won’t retain data on your business systems.
Trying to avoid the lengthy and expensive process, most merchants prefer to work with payment providers that can handle all the PCI issues. A second option would be to go through a payment gateway (like PayPal and Stripe).
Rest assured that PCI compliance is handled correctly and that both your and your customers’ data is safeguarded against any potential breaches, you should work with a payment provider that meets the highest PCI level, the PCI level 1 compliance standards.
Your payments will be highly secure and processed under PCI requirements with a reliable payment processor.
Whichever strategy you end up implementing, don’t forget to check your compliance and regulations at every stage of the implementation process.