PCI Compliance – Critical for small businesses
PCI compliance is critical for small businesses, for two reasons: it brings the company in line with the standards set by the major credit and debit card brands, and it genuinely checks the security of the business’s systems. In other words, PCI-compliant hosting isn’t just about following rules but about protection – especially important since three in five small businesses that get hacked are bankrupt within six months.
In order to achieve PCI compliance, here are the six basic elements:
1. Create a secure network and update your defenses as needed.
2. Keep the sensitive data of cardholders from being stolen out of storage or intercepted in transit.
3. Focus on vulnerability management with antivirus and software security.
4. Set strict access controls.
5. Scan and test your environment.
6. Prioritize and update your information security policy.
Through the PCI Security Standards Council, Visa, MasterCard, Discover, American Express, and JCB agree on one common set of standards, which means that by reading the PCI Data Security Standard (PCI DSS) you know exactly what is required of you to meet the security requirements of every individual card brand.
To validate PCI compliance, you need sign-off from a third party that has been verified by the PCI Council: organizations called Approved Scanning Vendors (ASVs) and Qualified Security Assessors (QSAs).
No matter how you are handling PCI compliance, it is always smart to verify the specific data-security requirements set forth by each of the payment card brands.
Freedom in selecting a PCI-compliant vendor
Anyone who runs a small business should keep in mind that they have resources if they need them. An owner of a small business can contact the acquiring bank of their card transactions for basic instructions on security to meet PCI compliance. The acquirer will be able to suggest materials that describe how a small business can achieve the PCI standards.
Note that the acquirer will often recommend certain PCI-compliant services. It isn’t necessary for you to use those particular services. The information on meeting the guidelines is important, but the standards can be met by any provider whose compliance can be verified by an independent third party.
There are numerous ways to meet the Payment Card Industry standards, but here is advice for a typical small business that is exploring PCI compliance:
Choose a web host that has been audited and certified for adherence to the PCI standards.
Keep credit card data off your network if possible. If you store that information locally, your own systems are drawn into the scope of the environment the card companies require you to secure and assess.
Don’t store the card data at all: use an eCommerce platform that charges the cards but never stores the card data on your systems.
Consider using a security information and event management (SIEM) solution to collect security-related data from across your organization and generate reports for PCI audits. There are many entry-level and open source SIEM platforms that are easy to deploy in a small business.
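As an added example (not part of the original article), here is a small Python check for the advice above about keeping card data off your systems: it scans constructed sample log lines for digit runs that pass the Luhn checksum and reports only the masked last four digits, so a small business can confirm that its logs and files hold no stored primary account numbers (PANs). The regular expression, function names and sample lines are assumptions written for this example.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded inside a longer digit run. (Pattern is an assumption for this example.)
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return masked forms (last four digits visible) of likely PANs found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits


def scan_lines(lines) -> list:
    """Return (line_number, masked_pans) for every line that contains a likely PAN."""
    findings = []
    for n, line in enumerate(lines, 1):
        pans = find_pans(line)
        if pans:
            findings.append((n, pans))
    return findings


# Constructed sample log lines; the card numbers are standard test numbers, not real accounts.
SAMPLE_LOG = [
    "2024-01-09 10:01:22 order=1234567890123 status=paid",          # 13 digits, fails Luhn
    "2024-01-09 10:02:05 card=4111111111111111 exp=12/26",           # PAN written to a log
    "2024-01-09 10:03:41 token=tok_7f3a9c amount=19.99",             # tokenized, nothing stored
    "2024-01-09 10:04:10 note='customer gave 5555 5555 5555 4444'",  # PAN in free text
]

if __name__ == "__main__":
    for n, pans in scan_lines(SAMPLE_LOG):
        print(f"line {n}: possible PAN(s) {pans} -> this file is in PCI scope")
```

Any hit means the file or system holding it stores cardholder data and therefore falls inside the scope that the SAQ and ASV scan must cover.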
The majority of small businesses will be categorized as “level 4.” The Council’s expectations of a level 4 merchant are a Self-Assessment Questionnaire (SAQ) and a comprehensive scan of the public-facing network that processes transactions. You must then report validation to your merchant account provider.
PCI Merchant Levels
In order for a small business to maintain compliance, it’s important to understand what’s needed at various merchant levels. The levels are determined by the amount of card activity the business is doing. Here are the specifications for each of the four levels within the guidelines of MasterCard and Visa (and as are generally reflected by the policies of JCB, American Express, and Discover).
A Level 1 merchant processes more than 6 million transactions with any of the major card brands, including both in-person and online sales. Regardless of how many transactions a company processes, it may be moved to this category if its data is compromised at any point. Merchants within this category must do the following for PCI compliance validation:
A Qualified Security Assessor must check the company and report its findings in an Annual Report on Compliance; alternately, an internal auditor can be used if one of the company’s officers authorizes it.
An Approved Scanning Vendor (ASV) must scan the network each quarter.
The merchant must complete and submit an Attestation of Compliance form.
A Level 2 merchant processes 1 million to 6 million transactions per year for any of the card brands, inclusive of both brick-and-mortar and Internet sales. Merchants that qualify as Level 2 must perform the following:
A Self-Assessment Questionnaire (SAQ) is completed every 12 months.
A scan is conducted each quarter by an ASV.
The Attestation of Compliance is submitted.
A Level 3 merchant completes 20,000 to 1 million online transactions for any of the card brands throughout the year. The validation requirements for this merchant level to achieve PCI compliance are as follows:
A SAQ is completed once per year.
An ASV network scan checks the system every quarter.
An Attestation of Compliance is submitted.
A Level 4 merchant performs fewer than 20,000 transactions with any of the payment card brands during the year. This category also applies to other merchants that process as many as 1 million transactions with any of the cards per year, including online and offline sales. Validation requirements are as follows, mirroring those for Levels 2 and 3:
A self-assessment questionnaire is filled out each year.
A network scan is conducted by an ASV each quarter.
The Attestation of Compliance is submitted.
DSS – Data Security Standard
ROC – Report on Compliance
PCI – Payment Card Industry
SAQ – Self-Assessment Questionnaire
Different types of Self-Assessment Questionnaires
The PCI DSS Self-Assessment Questionnaire is a set of questions used to validate compliance for a merchant or service provider that is not required to undergo an on-site assessment or complete a Report on Compliance (ROC). Instead, the SAQ lets the company check its own compliance.
The PCI Council actually publishes several types of SAQ, depending on how the merchant or service provider handles card data:
SAQ A applies to card-not-present merchants where all cardholder data functions are performed by a third party.
SAQ A-EP is for eCommerce companies that have partially outsourced payment processing and use an outside service for transactions.
SAQ B is for businesses that use only imprint machines or standalone dial-out terminals, with no electronic storage of payment data.
SAQ B-IP is for companies with standalone, IP-connected, PTS-approved point-of-interaction (POI) devices that do not store any card data.
SAQ C-VT is for businesses that use their own virtual terminals but do not store any payment data.
SAQ C is for firms that run their own Internet-connected payment application but do not store any transaction data.
SAQ P2PE is for companies that exclusively use hardware terminals within a Point-to-Point Encryption (P2PE) solution approved by the PCI Council.
SAQ D for Merchants is for any merchant that does not fit the parameters of the other SAQ types.
SAQ D for Service Providers is for service providers that meet the guidelines to complete an SAQ.
PCI compliance over time
You will note above that different expectations apply to larger merchants and to those that perform transactions in different types of settings. What that means for your company is that your compliance requirements may change over time – so each year, as you prepare for compliance, be sure that you are looking at the requirements for the correct category.