PCI Compliance Doesn’t Just Protect Your Customers. It Protects You.
When it comes to thinking about how payment card security can affect your business, both positively and negatively, there’s no time like the present.
A new version of the Payment Card Industry Data Security Standard (PCI DSS) has just been released, so now is the perfect time to review precisely what Payment Card Industry (PCI) compliance actually is and why it is worth investing the time and money to do it right.
The PCI DSS is a set of requirements developed and periodically updated by the Payment Card Industry Security Standards Council (PCI SSC). These are baseline requirements for protecting cardholder data and are designed to ensure that all companies that process, store or transmit credit card information maintain a secure
The new standard, version 3.0, calls upon businesses using payment cards to take a more active role in security issues. However, in addition to providing businesses with more flexibility in satisfying certain security requirements, it also emphasizes that they need to keep both employees and customers informed about their roles in maintaining data security.
Although the PCI DSS is an industry standard enforced through card-brand and acquiring-bank agreements rather than a government regulation, noncompliance still carries financial penalties. The card brands levy fines on the acquiring bank, which passes them on to the merchant, and these can be severe, commonly cited as ranging from $5,000 to $100,000 per month until compliance is restored. For this reason alone, it is strongly suggested that a business invest in an independent consultant outside of the organization who understands the intricacies of PCI compliance and its potential effect on the business. A qualified professional can help determine where you are and what you need to do to protect both your customers and your business.
If you are wondering whether payment card security applies to you, the answer is almost certainly yes. The PCI DSS applies to all organizations regardless of size or the number of transactions, provided they accept, process, transmit or store any cardholder data. In fact, even if you only accept credit card payments over the phone, the standard still applies.
What kinds of bank cards qualify? Any credit, debit or pre-paid check card bearing the logo of Visa, MasterCard, Discover, American Express or JCB falls under the PCI standards.
So then, how is compliance achieved?
This is where things can get tricky. The PCI DSS provides for several Validation Types, and the business must first discern which one applies to it. A merchant's Validation Type depends on how cardholder data is accepted and handled (for example, card-present versus e-commerce, whether payment processing is fully outsourced, and whether any cardholder data is stored electronically), and your acquiring bank will also assign a merchant level based on annual transaction volume. Determining your Validation Type is not necessarily as intuitive as it may seem and may require a consultation with your IT function.
Once you have determined your Validation Type, you must complete the corresponding Self-Assessment Questionnaire (SAQ) published by the PCI SSC. There are multiple versions of this questionnaire, each matched to a particular business scenario, and the more cardholder data you handle yourself, the longer the questionnaire. Each SAQ asks a series of yes/no questions about your security practices; a "no" answer must be accompanied by a remediation plan before you can attest to compliance.
Next, if your environment includes Internet-facing systems (which is the case for most SAQ types other than those covering fully outsourced or stand-alone dial-out terminal scenarios), the business must pass an external vulnerability scan performed by a PCI SSC Approved Scanning Vendor (ASV). There are more than 130 of these, and their role is to validate adherence to the DSS external scanning requirement by scanning the Internet-facing systems of merchants and service providers. These scans must be repeated at least quarterly and after any significant change, and a passing scan is one with no vulnerabilities rated medium severity or higher (CVSS 4.0 or above).
Once this step has been passed, you must complete the formal Attestation of Compliance (AOC) and submit it, together with the SAQ and scan results, to your acquiring bank. Each SAQ version has its own matching Attestation of Compliance. Completing this step makes you validated as compliant for the year, but compliance itself is ongoing: the controls must remain in place between assessments, the SAQ and AOC must be renewed annually, and the external scans must continue quarterly.
Ultimately, you may be wondering, “Why bother?”
Millions of electronic credit card records are stolen each year, and most of these breaches are the result of attackers exploiting well-known, patchable vulnerabilities in websites and networks, precisely the weaknesses the DSS requirements are designed to close.
But more to the point, by helping to protect your customers, you’ll also be protecting yourself. Payment card security is a benefit to your customer, and the full effects are a positive feature of your own brand. Spend the time – and the money – to do it right.
Besides, the rules just changed. You now have a reason to start the process sooner, rather than later.