PCI-DSS Compliance

What is PCI-DSS?

If you are a merchant who accepts credit and debit card payments, you are responsible for securely storing, processing, and transmitting cardholder data.

The PCI Data Security Standard (PCI DSS) is developed and maintained by the PCI Security Standards Council. The Council designed PCI DSS requirements to protect merchants and their customers from breaches that could negatively affect their business, finances, and reputation.

All businesses that process credit card transactions must not only adhere to PCI compliance requirements, but also certify their PCI compliance annually.

How to be PCI Compliant

To become PCI DSS compliant, your business needs to implement and maintain a series of requirements that create a secure payments environment. This protects your customers and maintains privacy for their payment card data.

The size of your business and the number and type of transactions you complete each year determines the level of compliance you must maintain. There are four levels of PCI compliance. In general, merchants fall into the following categories based on the amount of transactions (and type) they process annually.

• Level 1: Over 6 million card transactions per year
• Level 2: Between 1-6 million card transactions per year
• Level 3: Between 20,000 to 1 million card transactions per year
• Level 4: Fewer than 20,000 card transactions per year

How you process your transactions is also important. There are different compliance requirements based on how you process transactions:

• Card-not-present (mail order/telephone order) transactions
• Online (eCommerce) transactions
• Card-present (Point of Sale/using a swipe device on a mobile phone or tablet) transactions
• Or a combination of the three.

To protect your business against payment data theft, you first have to understand how you take payments in your store or shop. What kind of equipment do you use, who are your bank and technology vendor partners, and how do these things all fit together.

Meeting PCI Compliance Requirements

PCI DSS version 3.0 consists of six core principles, supported by 12 accompanying requirements, and more than 200 specific procedures for compliance. These are the requirements for most low-volume merchants (Level 4 merchants):

• Principle 1: Build and maintain a secure network:
  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
  • Requirement 2: Don’t use vendor-supplied defaults for system passwords and other security parameters.
• Principle 2: Protect cardholder data:
  • Requirement 3: Protect stored cardholder data.
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks.
• Principle 3: Maintain a vulnerability management program:
  • Requirement 5: Use and regularly update antivirus software.
  • Requirement 6: Develop and maintain secure systems and applications.
• Principle 4: Implement strong access control measures:
  • Requirement 7: Restrict access to cardholder data by business need-to-know.
  • Requirement 8: Assign a unique ID to each person who has computer access.
  • Requirement 9: Restrict physical access to cardholder data.
• Principle 5: Regularly monitor and test networks:
  • Requirement 10: Track and monitor all access to network resources and cardholder data.
  • Requirement 11: Regularly test security systems and processes.
• Principle 6: Maintain an information security policy:
  • Requirement 12: Maintain a policy that addresses information security.

Low-volume merchants may use the short Self-Assessment Questionnaire A, also known as “SAQ-A”, if your business processes transactions by phone, mail, or via the web. If you process retail transactions, SAQ-B is the survey you would use.

For higher volume merchants (Level 1 or Level 2 merchants), a quarterly scan of your systems is also required. There are many services that can perform these scans for you at a cost.

Penalties for non-compliance are charged by the payment card brands. Penalties include not being allowed to process credit card transactions, fines up to $25,000 per month for minor violations, and fines up to $500,000 for violations that result in actual lost or stolen financial data.

PCI Compliance for Card-Not-Present Transactions

With EMV Chip technology securing card-present transactions, criminals are increasingly looking to exploit card-not-present channels such as mail order/telephone order and e-commerce. Because telephone-based payments now represent an area of opportunity for fraud, entities need to properly evaluate and protect their telephone-based payment environments.

Protecting Telephone-Based Payment Card Data, published by the PCI Standard Security Council, explores the potential risks and security challenges associated with telephone-based card payment environments. It also provides guidance to help merchants with telephone-based payment card environments understand the complexities of their environment, including the impact that different technologies and implementations may have. For example, many merchants using VoIP in their telephone environment may not be aware of the impact this may have to their scope and the methods used to secure payment card data.

Reduce the Scope of PCI DSS Requirements with P2PE 

Point-to-Point Encryption (P2PE) is designed to encrypt cardholder data at the time of swipe point-of-interaction (POI) utilizing an encryption key that is built into the POI. Once encrypted, sensitive cardholder data is not decrypted until it arrives at the secure end point, typically the acquirer, processor or gateway. By using P2PE, account data is unreadable until reaches the secure decryption environment, which makes it less valuable if the data is stolen in a breach. By encrypting cardholder data at the POI, merchants can significantly reduce the risk of a data breach.

P2PE is one of the best methods a merchant can use to protect their customers, themselves and prevent credit card breach. In return, merchants using these validated solutions receive a sizable reduction in both the size of their cardholder data environment (CDE) and the number of PCI DSS requirements that apply to them.

More Resources:

To more about P2PE in detail, download our whitepaper, “Impact of PCI P2PE on PCI DSS Compliance & Scope Reduction”

or learn about the value of PCI P2PE payment in this P2PE YouTube video.