Understanding PCI DSS
Secure your business in line with industry best practices.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements that helps organizations protect payment card data from theft and misuse. In 2006 Visa, MasterCard, American Express, Discover and JCB International founded the PCI Security Standards Council (SSC) to maintain a single global standard for every entity that stores, processes or transmits cardholder data or sensitive authentication data. The SSC has governed and updated the PCI DSS since then, expanding its requirements to keep pace with increasing payment card fraud, while the card brands themselves enforce it.
Cardholder Data vs. Authentication Data
Cardholder data consists of the primary account number (PAN), cardholder name, service code and expiration date. Sensitive authentication data consists of full track data (from the magnetic stripe or the equivalent data on a chip), PINs and PIN blocks, and the card verification code (the three- or four-digit security code printed on the back or, for some brands, the front of the card).
The PCI DSS applies different rules to the two categories. Cardholder data may be stored when there is a legitimate business need, but only for as long as it is needed, and any stored PAN must be rendered unreadable (for example by strong encryption, truncation, tokenization or a keyed hash) and masked whenever it is displayed. Sensitive authentication data must never be stored after authorization, not even in encrypted form.
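As an added illustration (example code written for this page, not BankCard USA's or the PCI SSC's own tooling), the following Python shows what those storage rules look like in practice for a record left over after authorization: the sensitive authentication data fields are dropped, the PAN is kept only as a display mask (first six and last four digits) and a keyed hash (HMAC-SHA256), and a Luhn-based check confirms that nothing remaining in the record, or in a log line, still carries a full PAN. The record, the log line, the field names and the HMAC key are constructed for the example; real key management (secure storage, rotation, access control) is outside its scope.

```python
import hashlib
import hmac
import re

# Fields PCI DSS treats as sensitive authentication data (SAD). They may be
# used during authorization but must not be stored afterwards, even encrypted.
# Field names are assumed for this example.
SAD_FIELDS = ("track1", "track2", "cvv", "pin_block")

# Constructed post-authorization record (a test PAN and made-up track data).
SAMPLE_AUTH_RECORD = {
    "pan": "4111 1111 1111 1111",
    "name": "J DOE",
    "expiry": "12/29",
    "service_code": "201",
    "cvv": "123",
    "track2": "4111111111111111=29121011234567890",
    "pin_block": "0123456789ABCDEF",
}

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# glued to other letters or digits (so hex hashes and long IDs do not match).
PAN_RUN = re.compile(r"(?<![A-Za-z0-9])\d(?:[ -]?\d){12,18}(?![A-Za-z0-9])")


def normalize_pan(pan: str) -> str:
    """Strip the spaces and dashes people type into card numbers."""
    return re.sub(r"[ -]", "", pan)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: every real PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid, PAN-length digit run found in free text."""
    found = []
    for m in PAN_RUN.finditer(text):
        digits = normalize_pan(m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Display form: first six and last four, the most PCI DSS lets you show."""
    pan = normalize_pan(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256): unreadable without the key, so it can be stored.
    PCI DSS requires PAN hashes to be keyed; the key needs real key management."""
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


def storage_violations(record: dict) -> list[str]:
    """Everything in a record that would make storing it a PCI DSS violation."""
    problems = [f"SAD field present: {k}" for k in SAD_FIELDS if k in record]
    for k, v in record.items():
        if isinstance(v, str) and find_pans(v):
            problems.append(f"cleartext PAN in field: {k}")
    return problems


def sanitize_for_storage(record: dict, key: bytes) -> dict:
    """Drop SAD, replace the PAN with its mask and keyed hash, keep the rest."""
    pan = normalize_pan(record["pan"])
    if not luhn_valid(pan):
        raise ValueError("field 'pan' is not a valid PAN")
    kept = {k: v for k, v in record.items() if k not in SAD_FIELDS and k != "pan"}
    kept["pan_masked"] = mask_pan(pan)
    kept["pan_hash"] = hash_pan(pan, key)
    return kept


if __name__ == "__main__":
    # Placeholder key for the demo; a real deployment gets it from managed key storage.
    key = b"demo-key-replace-with-managed-key"
    print("before:", storage_violations(SAMPLE_AUTH_RECORD))
    clean = sanitize_for_storage(SAMPLE_AUTH_RECORD, key)
    print("after: ", storage_violations(clean), clean["pan_masked"])
    # The same check catches a PAN that leaked into a constructed log line:
    print(find_pans("2024-05-01 auth ok pan=4111111111111111 amt=19.99"))
```

The same `find_pans` routine is the kind of check used when scoping the cardholder data environment: run over databases, file shares and log archives, it shows where full PANs actually live, which is usually more places than the process diagram admits.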
Does PCI Apply to My Business?
Individual payment card brands enforce PCI DSS, and it applies to anyone who stores, processes or transmits payment card data: merchants, merchant service providers and financial institutions. Developers and manufacturers of payment software and devices are covered by related PCI standards, such as the PCI PTS standard for PIN-entry devices and the PCI Secure Software Standard. Since a compromise can occur almost anywhere in the card-processing system, PCI DSS is expansive and covers the many potential avenues for fraud. It provides businesses with rules to protect point-of-sale systems, mobile devices, computers, servers, wireless networks, ecommerce applications, payment gateways, data transmission channels and remote access connections.
For card-accepting organizations, big or small, maintaining PCI DSS compliance is an ongoing process of recognizing, repairing and reporting vulnerabilities. Keeping operations and procedures PCI-compliant is a necessary part of everyday business activities.
Assessing PCI Compliance
The first steps for a merchant assessing PCI compliance are to identify the cardholder data environment (CDE): the people, processes and technologies that store, process or transmit cardholder data or sensitive authentication data. Scope then extends to every location and channel the data passes through and to any system that connects to the CDE or could affect its security. Network segmentation is the usual way to keep that scope small; systems that cannot reach the CDE do not have to be assessed.
Most merchants then validate with a self-assessment questionnaire (SAQ). Several SAQ types exist, and which one applies depends on how cards are accepted: a fully outsourced ecommerce checkout, for example, uses a far shorter questionnaire than a merchant that stores card data on its own systems. The questionnaire walks through the PCI DSS requirements one by one with yes or no answers. The highest-volume (Level 1) merchants must instead be assessed on site by a Qualified Security Assessor (QSA), who produces a Report on Compliance (ROC). BankCard USA has an in-house PCI-compliance team to assist you with the SAQ.
Merchants whose card processing involves any externally facing (public) IP address, which includes most ecommerce merchants and merchants with IP-connected terminals, must also pass quarterly external vulnerability scans. An Approved Scanning Vendor (ASV) is a security company approved by the PCI SSC to perform these scans. We can facilitate an ASV scan for your business and, if it does not pass, walk you through remediating the findings. If no public IP address is involved in your card transactions, for instance when payment is fully outsourced to a hosted payment page, the ASV scan is not required.
After completing the SAQ the merchant signs an Attestation of Compliance (AOC), a formal declaration of its compliance status that is submitted to the acquiring bank and, on request, to the card brands, confirming that the company follows industry best practices to keep card transactions safe from fraud.
Penalties for PCI Non-Compliance
The PCI SSC creates and maintains the PCI DSS, while the payment card brands enforce it. It is not a federal law, but the penalties for non-compliance are steep. Card brands can fine acquiring banks thousands of dollars, typically assessed monthly, for PCI-compliance violations. The acquiring bank passes the fine down to the merchant and may also raise that merchant's transaction fees or end the relationship altogether.
Payment card fraud is increasingly common and technologically advanced, especially as ecommerce grows. A breach can cost a business anywhere from thousands to millions of dollars in fraud losses, forensic investigation, legal fees and higher subsequent compliance costs. But a business loses more than money when faced with a security breach. Compromised security harms an organization's credibility and could ultimately lead to going out of business.
BankCard USA will walk you through the process of securing your business to comply with PCI DSS and, most importantly, reduce the risk of credit card fraud for you and your customers.