April 26, 2018
The explosion in the use of debit and credit cards is not without a downside. As more and more credit cards are provided to merchants (including nonprofit organizations), the potential that the information will be stolen also increases. Consumers expect their card information will be handled by merchants in a secure manner. When card data is stolen, consumers feel vulnerable and may stop using certain cards or buying from the merchant that failed to protect their information.
To combat the risks, the major credit card brands built a set of requirements that are designed to ensure all businesses that process, transmit and store customer credit card information keep it secure. The Payment Card Industry Data Security Standards (PCI DSS) were born.
The initiative began in 2006 when the PCI Security Standards Council and its five founding members (VISA, MasterCard, American Express, JCB and Discover) agreed to combine their respective security standards into one security standard. The council is not responsible for ensuring compliance. Instead, that responsibility remains with the credit companies.
PCI DSS contains both operational and technical standards that merchants must adhere to. It is not a law. Rather, it is a payment industry standard that merchants must comply with if they plan to process even modest volumes of credit or debit card transactions.
The standards cover all merchants that accept and process credit card transactions. However, the standards incorporate a tiered or risk-based approach to compliance. Based on the volume of credit card transactions processed per year, a merchant falls in to one of the following categories:
Level 1 merchants process six million transactions a year. Card providers reserve the right to request that any merchant, regardless of transaction volume meet level 1 requirements.
Level 2 merchants process one million to six million transactions a year.
Level 3 merchants process 20,000 to 1 million e-commerce transactions a year.
Level 4 merchants process fewer than 20,000 e-commerce transactions a year.
Annual on-site inspection is required annually for Level 1 merchants. Merchants on the second, third and fourth tiers must fill out a self-assessment questionnaire annually to validate their compliance with PCI DSS. If a merchant has a customer facing Internet protocol address, then a quarterly network scan that will assess vulnerability of the merchant’s environment is also required. Specifically, the scan will identify potential weak points within the company’s network that could be susceptible to compromise by hackers.
PCI DSS contains 6 broad requirements:
- Build and maintain a secure network;
- Protect cardholder data;
- Maintain a vulnerability management program;
- Implement access controls;
- Monitor and test networks; and
- Maintain an information security policy.
The fines for failing to protect cardholder data can range from $5,000 to $100,000 per month. The fine for noncompliance is typically assessed against the bank that has provided the company with its merchant account. It is highly probable that the bank will in turn pass the fine along to the company as well as close the merchant account.
Note: If your company only processes credit card transactions over the phone, you still must comply with the standards.
If you are starting a new business, or your business is growing and moving from one transaction tier to another, consider engaging a professional services firm with experience helping companies comply with PCI DSS. Engaging a third party can ensure that your company’s resources are not “conflicted” by assessing risk and also being responsible for remediating the risk. PCI DSS compliance typically includes 4 stages:
- Current state assessment. This asks how the company is positioned to comply with PCI DSS.
- Gap assessment and documentation. Gaps identified during the current state assessment are documented and prioritized.
- Remediate gaps identified. All of the gaps directly associated with PCI DSS compliance are resolved.
- Ongoing compliance and analysis. PCI compliance requires annual as well as quarterly assessments. As your company grows, new threats will emerge that require the deployment of new countermeasures.
PCI DSS is essentially non-negotiable for merchants if they plan to process credit and debit card transactions. Click here for more information from the PCI Security Standards Council.