In order to accept credit cards online, you’ll have to get your head around the 800 pound gorilla known as PCI-DSS. Everyone has to adhere to these standards from multi-million dollar companies to mom & pop shops. This comprehensive guide to PCI compliance will help you tick all the boxes.
A Bit Of History
The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment. PCI was originally created by Visa and MasterCard. In 2006, they joined with American Express, Discover and JCB to create the PCI Security Standards Council. PCI was created in response to numerous data security breaches and to protect consumers and banks from potential fraud and the costs associated with it. In recent years there have been a number of security breaches, including those at TJX, Stratfor, Sony and Citigroup.
What are the PCI requirements?
• Maintain a Secure Network
In the case of many online businesses, this means your web server. Most hosting companies take responsibility for ensuring the security of their networks. If you store any customer information on your computer (even just a name), then you need to make sure your network has a firewall installed and reasonable measures are in place to maintain network security.
• Protect Cardholder Data
If you store credit card data, you must protect it. Stored data should be encrypted, and access to it limited to the personnel who need it. When customers make a purchase from your website, the cardholder data must be transmitted over an SSL/TLS connection using at least 128-bit encryption to meet this standard.
• Maintain a Vulnerability Management Program
Minimize vulnerabilities by keeping your computer hardware, operating systems and software continually updated. Another requirement is up-to-date anti-virus software and regular virus scans.
• Implement Strong Access Control Measures
Most security breaches are done by employees. Combat this by limiting cardholder data access to those who need to use it. In addition, you must assign a unique ID to each person who does have access, so that every action on cardholder data can be traced to an individual.
• Regularly Monitor and Test Networks
A company must undertake regular scans of security measures and processes, and monitor and track network access to cardholder data. You can sign up for a security testing and auditing service, such as McAfee’s PCI Certification software, that helps identify and fix potential security problems as they arise.
• Maintain an Information Security Policy
It’s important to have an information security policy in place to make sure all employees know and understand their responsibilities when it comes to protecting your customers’ credit card data.
What are the requirements for PCI compliance?
Depending on your transaction volume, all merchants fall into one of four levels. For Visa, the levels and requirements are:
Once you figure out your merchant level, you’ll need to determine which Self-Assessment Questionnaire (SAQ) to complete depending on how you process credit cards:
SAQ Version A – You are an eCommerce merchant or MOTO (mail order/telephone order, entering into a virtual terminal) merchant and 100% of the processing, transmitting and storing of cardholder data is outsourced to a third-party company. For eCommerce merchants, this means that your checkout page must also be provided by a third party.
SAQ Version B – You are a retail merchant that uses only standalone, dial-out terminals connected via a phone line, retains paper reports or receipts, and does not store cardholder data in electronic format.
SAQ Version C – You are a MOTO (entering into a virtual terminal) merchant and 100% of the processing, transmitting and storing of cardholder data is outsourced to a third-party company. Your computer is isolated in a single location and is not connected to other locations or systems within your environment. You don’t store cardholder data in electronic form and only retain paper reports or receipt copies.
SAQ Version D – You are an eCommerce merchant that stores, processes or transmits cardholder data yourself at some point in the transaction process.
These SAQs need to be completed annually in order to meet PCI compliance standards. For Merchant Plus clients, we have consolidated the SAQs, and you only need to complete the sections highlighted in red here.
How do you become PCI compliant?
- Determine your merchant level and your requirements for compliance
- Complete the Self-Assessment Questionnaire (SAQ)
- Use an Approved Scanning Vendor (ASV), such as McAfee, for quarterly vulnerability scans of your website and public IP addresses
- Make sure you have an Information Security Policy that’s enforced
- Address any vulnerability issues immediately
- Retain all records of your SAQs, scans and security activities
What happens if you’re not compliant?
Failure to comply will incur an additional monthly fee from your credit card processor, ranging from $20 to $100 per month. If cardholder data is stolen from you while you’re non-compliant, PCI fines can be as high as $500,000 per incident. Your business can also be given the “death penalty”: being barred from accepting credit cards again.
It’s vital to keep client information secure. Failure to do so could cost your business. Merchant Plus will show you how to be PCI compliant.