The day has come where you need to submit a Payment Card Industry(PCI) compliance validation. In a nutshell, the PCI standard is used to properly verify that a business is conducting payment card transactions safely and securely. What does this mean for you? Well if you are a business that allows customers to use “plastic”, then you need to be held to a PCI standard. Furthermore, there may be fees or even termination of services without the verification of PCI compliance.
There is a lot of information online about PCI compliance for businesses. When I say there is a lot of information, I mean there is a BOATLOAD! There are controversies and criticisms that that PCI compliance should even exist. There is PCI compliance directly related to penetration testing. There are even PCI compliance videos that can be found on Youtube. Sometimes it’s hard to pull answers about your compliance issues through the security technical jargon. In this short blog post, I will be attempting to make sense of it all by simplifying the regulations into key factors.
Ready… Get set… Go!
- The data that must be secured is the cardholder name, expiration date, service code, and Primary Account Number(PAN). Including conducted data and/or saved data to be used later for billing. Storing data should utilize a token system to keep the cardholder data safe. If you would like to store the cardholder data yourself, you should seek the assistance of a Qualified Security Assessor. This person will come on site to assure the stored data meets PCI DSS Specifications.
- PCI compliance has levels. The levels defined by Visa are based on transactions per year. These transactions include all forms of plastic even if transactions are strictly conducted over the phone. This also includes businesses that use third-party processors and businesses with multiple locations. These levels fluctuate from Visa to Mastercard to Discover and American Express Further, this includes HOME businesses.
- Level 1 = 6M transactions per year
- Level 2 = 1M to 6M transactions per year
- Level 3 = 20k to 1M transactions per year
- Level 4 = less than 20k transactions per year
- Vulnerability scanning is required and must be conducted by a PCI SSC Approved Scanning Vendor(ASV). These scans must be conducted every quarter/ 90 days. The completed scan report of the vulnerability scan is used to submit verification of compliance.
- The Self-Assessment Questionnaire is designed to determine how you should validate your compliance.
- SAQ A: Payments are outsourced completely / no cardholder data is saved
- SAQ A-EP: E-commerce third-party PCI service provider for payment processing / no cardholder data is stored
- SAQ B: Imprint machines & standalone dial-out payment / no cardholder data is stored
- SAQ B-IP: Internet-connected payments / No cardholder data is stored
- SAQ C: Payment application systems connected to the internet / No cardholder data is stored
- SAQ C-VT: Virtual Payment Terminals / No cardholder data is stored
- SAQ D-Merchant: Cardholder data is stored
- SAQ D-Service Provider: SAQ eligible service provider
- PCI is not technically a Federal Law. The Standard was created to securely conduct payments. Businesses not compliant to a PCI standard can be subject to fines and other costs should a breach occur.