What is PCI DSS Compliance?
If your company takes Credit Card payments, this article is for you.
The Credit Card/Payment Card Industry has certain compliance rules and conditions that anyone taking Credit Cards must adhere to. These rules and conditions are under "Data Security Standard (PCI DSS)" which encompasses those rules and laws. These are requirements to ensure that all merchants who process, store or transmit credit card information maintain a secure transaction environment to help prevent fraudulent charges and theft of Credit card numbers. Importantly, PCI DSS compliance protects both the merchants and their customers. The PCI DSS is administered by the independent Payment Card Industry Security Standards Council, or PCI SSC, which was created by the five major payment card brands - Visa, MasterCard, American Express, Discover and JCB International. The cards covered under this include any debit, credit or pre-paid cards branded with the association or brand logos of those five participants.
PCI Compliance has four levels depending on the size of the business and is measured by the number of credit card transactions done yearly. For Cycrest as an example, our requirement is a PCI Self-Assessment Questionnaire yearly, quarterly PCI Scans by an approved vendor, may also be required.
Why is PCI compliance important to my organization?
First and foremost PCI DSS Compliance is important because it protects your customer's data. All too frequently we hear about data breaches where hackers were able to get a hold of customer data. You would want anyone who has your credit card information to protect it well, which is why anyone taking credit cards should also do for their customers. A data breach can have a devastating affect to customer loyalty resulting in lost clients, diminished sales, fines and other fees, legal costs, termination of merchant services, and even going out of business. Small businesses are often targeted by hackers due to the likelihood of less security protocols in place. We should also say that no matter how much protection you have in place, it is still possible to become hacked, however, most PCI DSS's can help limit that amount of damage if that does occur.
What happens if I'm not PCI compliant?
Currently, there are no laws requiring PCI DSS Compliance and most often, any penalties are normally written out in your merchant contract and typically include fines and additional restrictions should a breach occur. In the case of a security breach the merchant is normally responsible for card replacement cost, forensic audits and consumer credit protection. There is also the risk of losing your merchant account, which could result in your business not being able to take credit cards for several years. Lastly, if you are not PCI Compliant, you may be paying a higher credit card rate on the cards you are taking as well as surcharges.
Why am I not PCI compliant?
There are several reasons that businesses are commonly not PCI DSS Compliant. Some of the most common include:
- Failure to maintain a proper firewall.
- Use of default or vendor supplied passwords.
- Failure to use and update anti-virus software.
- Failure to maintain proper security updates and patches on workstations and server.
- Out of date software or Operating System.
- Failure to put in Best Practices in network systems, PCs and Servers.
- Failure to fill out the self-assessments or PCI Compliance Audits.
|Goals||PCI DSS Requirements|
|Build and Maintain a Secure Network||1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
|Protect Cardholder Data||3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
|Maintain a Vulnerablility
|5. Use and regularly update anti-virus software and anti-malware systems.
6. Develop and maintain secure systems and applications.
|Implement Strong Access Control Measures||7. Restrict access to cardholder data by business need to know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
|Regularly Monitor and Test Networks|| 10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
|Maintain an Information Security Policy||12. Maintain a policy that addresses information security for all personnel.|
Options for PCI Compliance
Keep taking the fine, higher fees or surcharges. -- This is NOT recommended as it could lead to a denial of being able to take credit card payments, but it is always an option.
Separate Server -- If your network must have public access, such as when you are hosting your own e-mail or website one option would be to maintain a separate server which will store all credit card information. This server will not be accessible from outside of your network which will maintain PCI Compliance. If you are hosting your own e-mail through Microsoft Exchange you can also look at moving e-mail to the cloud.
Update Software or Operating System -- Software companies stop supporting or updating software as it ages. You will want to make sure that the hardware can support the updated software and then upgrade to a more current version. We recommend not upgrading to newly released software until it has been out for 6-12 months. By waiting to upgrade you are letting others find the bugs, which could disrupt your business.
Enlist Cycrest to do a PCI Audit for you to help you develop a plan to help get you PCI Compliant.
Lastly, regardless of which option you employ, Cycrest recommends obtaining Cyber Security Insurance as an add-on to your current office policy. This can help you pay for all the credit monitoring, notifications to card holders and other damages as a result of a breach.
Cycrest always uses best efforts to help ensure your network is safe and secure. Each credit card processor has their own requirements and processes you must follow. In addition, there are frequent changes, updates, and regulatory changes so we encourage you to always know where you stand. Cycrest can assist you with PCI Audits and Compliance items when you need us, just ask.