PCI compliance is the leading industry standard for secure handling of payment card data, and is generally required for businesses accepting credit, debit or other payment cards, as well as the companies that supply them with services, software and hardware to process those payments.
The Payment Card Industry (PCI) Security Standards Council (SSC) was formed in 2006 by five leading credit card companies, and sets the security standards that provide the assurance underpinning payment processing arrangements and partnerships. For this reason, it is very common for banks to require businesses that handle sensitive customer payment data to demonstrate PCI compliance.
For organizations accepting and processing transactions, PCI compliance means meeting a set of technical and operational requirements, applicable to organizations of all sizes, that are effective at keeping payment data safe.
Preparing to apply the data security standard
The PCI Data Security Standard (DSS) consists of 12 requirements to address six goals. To meet these requirements, begin by understanding them and why they are considered necessary to payment card data security.
Materials for understanding the requirements and how to meet them are available from the PCI SSC website and from the financial institution partner that receives your payments. Service providers like Atlantic.Net, with extensive experience providing PCI-compliant ecommerce hosting, can help businesses understand which requirements the provider takes care of and which responsibilities remain with the vendor or other third parties.
The key concepts and elements which must be secured depend on the types of payment card transactions carried out by the business. Payment devices, payment applications and software, any location where data is stored, and data in transit all need to be secured for PCI compliance.
The twelve requirements of the PCI DSS
The specific measures necessary to secure these elements depend on factors such as how the business processes card payments and whether it accepts payments online. The PCI council identifies the following steps as necessary for most businesses to meet PCI compliance standards.
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Protect all systems against malware and regularly update antivirus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Identify and authenticate access to system components
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
The PCI council recommends vendors avoid storing customer payment data altogether, and several of the requirements above can be effectively dealt with by leveraging the expertise of a compliant service provider.
An important early step in preparing to secure your system for a PCI compliance assessment is “scoping,” which consists of identifying every element in your payment system and examining each place data is held, how it is transmitted, and where it is transmitted to. Scoping must be repeated before each annual assessment, in addition to ongoing security and compliance monitoring.
Preparing for Assessment
To find out which requirements apply to your business, you must first determine which PCI Merchant Level applies to it, as each level has different requirements. Merchant levels are determined by transaction volume and breach history. Merchants processing fewer than one million payment card transactions annually, and which have not previously suffered a payment data breach, must meet Level 3 or Level 4 standards.
Requirements for Levels 3 and 4 consist of annual completion of a self-assessment questionnaire (SAQ), a corresponding annual Attestation of Compliance, and a quarterly network scan conducted by an Approved Scanning Vendor (ASV).
Businesses processing millions of payments annually or that have previously suffered a payment data breach must have either a Qualified Security Assessor or an Internal Security Assessor who is sponsored by the company to receive training and qualification from the PCI SSC.
There are different SAQs for companies performing different transactions or roles within transactions. A recent Atlantic.Net PCI Compliance blog contains information about how to determine which level and SAQ applies to your business, and details are available from the PCI council website.
The council also supplies a series of resources for small businesses, including a “Guide to Safe Payments,” a document on “Common Payment Systems,” and a list of “Questions to Ask your Vendors.”
When your payment card transaction system is secured in accordance with the applicable PCI standards, your business is ready to download and complete an SAQ.
Maintaining PCI compliance is an ongoing responsibility, requiring some elements to be checked at regular intervals, others to be constantly monitored, and any elements changed to be re-assessed.
The PCI council describes a cyclical three-step process in which compliant businesses assess, remediate, and report on payment system security. In addition to the maintenance that all businesses accepting payments must perform, growing companies may change the criteria their compliance depends on, for example by adding a payment card transaction method or by crossing a threshold number of transactions.
PCI compliance is enforced by individual payment brands (the credit card companies), rather than the SSC, and they also determine penalties for infractions. They deliver those penalties to the merchant’s acquiring bank, which passes them on to the merchant. Small merchants are not always immediately fined for compliance failures, but costs from suspensions of payment processing or increased compliance requirements can be severe.
Reliable partners and service providers play a crucial role in ensuring PCI compliance is maintained. Atlantic.Net’s data centers are SSAE SOC 1 and SOC 2 (Type I and II) certified and regularly audited for security. Atlantic.Net’s team has extensive experience helping businesses with PCI-compliant hosting environments. Contact our team today to get started on a custom PCI-Compliant Hosting Solution for your business!