PCI Compliance Requirements | Powercash21
Understanding and following the PCI compliance requirements is essential for identifying how susceptible a merchant is to a payment card data breach caused by weak points in the card transaction processing flow.
Understanding the PCI Compliance Requirements
This matters because payment card data breaches carry numerous consequences that can prove detrimental to any business. But who has to be PCI compliant? Every e-commerce merchant accepting card payments, no matter the size of its operations, must be PCI compliant and/or use a PCI compliant payment processor to ensure that the transactions processed on its website are secure. A detailed explanation of the PCI compliance requirements and related information is provided below.
What does PCI DSS stand for?
PCI DSS stands for Payment Card Industry Data Security Standard, which refers to a list of standards and guidelines that must be followed by every business that accepts credit card payments. The PCI compliance requirements were created by Mastercard, Visa, American Express, and Discover to ensure that merchants use the systems and processes required to protect their business and their clientele from data breaches.
According to the PCI Security Standards Council, vulnerabilities to payment card data breach stemming from the merchant may be present across the card-processing flow, including:
- point-of-sale devices;
- mobile devices, personal computers or servers;
- wireless hotspots;
- web shopping applications;
- paper-based storage systems;
- the transmission of cardholder data to service providers;
- remote access connections.
The PCI DSS compliance requirements help the merchant protect cardholder data by assessing, remediating and reporting such vulnerabilities.
There are guidelines to assist merchants in determining the level of compliance required for their business. The number of credit card transactions determines the compliance level that the merchant must meet. Specifically, there are 4 compliance levels, with Level 1 being the most demanding: it requires extensive documentation and an annual assessment by a Qualified Security Assessor (QSA), in addition to the annual validation requirements that apply to Levels 2, 3 and 4.
Level 1 refers to merchants that process more than 6 million card transactions per year. Level 2 is for businesses that process between 1 million and 6 million card payments in a year. Level 3 refers to merchants that process 20,000 to 1 million card transactions annually, whereas Level 4 compliance is for businesses with fewer than 20,000 card transactions per year. The merchant’s acquiring bank can advise on the steps that should be taken on the merchant’s side to gain PCI compliance.
Do I need to be PCI compliant?
If you process, store, and/or transmit credit card data, then you should be a PCI compliant merchant. But is PCI compliance required if your business only processes a small number of card transactions? Yes, the PCI Data Security Standard applies to all businesses, regardless of whether they handle a small or large number of transactions, because the standard is designed primarily to protect credit card data and personal information from being stolen. Data breaches can ruin a business’ reputation and lead to financial expenses for the merchant. A merchant who complies with the PCI compliance requirements will eliminate the risk of fraud and enhance the trust and credibility of the business.
What is required to be considered PCI compliant?
If you want to understand how to become PCI compliant and which PCI compliance requirements your business should follow, then keep reading. PCI DSS consists of 12 requirements related to credit card data security, grouped under six main goals for merchants, as follows:
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
The number of credit card transactions you process will determine which standards apply to and must be followed by your business.
The 12 PCI compliance requirements set in order to achieve the above goals are as follows:
Requirement 1: Installation and maintenance of hardware and software firewalls to protect cardholder data. The documentation of firewall procedures and policies is also recommended.
Requirement 2: Configuration of security settings for all devices and systems. Vendor-supplied default usernames and system passwords are easily exploited by attackers and therefore should not be used.
Requirement 3: Protection of stored cardholder data. This can be achieved by encrypting customers’ card data and protecting the encryption keys used. Merchants should have a data retention policy in place that their employees understand and follow.
Requirement 4: Encryption of cardholder data when transmitted over open, public networks. Strong cryptography and security protocols should be used to ensure that sensitive cardholder data is protected from fraudsters while in transit over open and public networks.
Requirement 5: Use of up-to-date antivirus software. This will help prevent malware attacks (e.g. viruses) on your systems. The antivirus software should run continuously and be updated regularly.
Requirement 6: Frequent updates of systems and applications. It is important to regularly update your systems and applications to patch known security holes. This requirement will help your company build a comprehensive vulnerability management program.
Requirement 7: Limited access to cardholder data. Access to sensitive card data should be given only to authorized personnel and on a need-to-know basis. As stated on the PCI DSS portal, need-to-know is defined as ‘when access rights are granted to only the least amount of data and privileges needed to perform a job’.
Requirement 8: Implementation of complex and unique passwords. Shared passwords should not be an option, as they increase the possibility of fraud. All users should have a unique ID that meets specific guidelines and that helps identify the individual user if an incident happens. Extra measures, such as biometrics and smart cards, are essential in user authentication.
Requirement 9: Restriction of physical access to cardholder data. Unrestricted physical access to sensitive information increases the risk of data breaches and therefore should be avoided. Access should be granted only to authorized employees, who enter the cardholder data environment using their unique ID. Under the PCI compliance requirements, visitors should only be allowed into areas where cardholder data is processed when carrying a physical token that expires after their visit. A visitor log is also mandatory to maintain a record of people visiting, including their name, the date, their company, and the details of the employee who gave them access.
Requirement 10: Tracking and monitoring of all access to network resources and cardholder data. System activity logs can be used to monitor the activities of individual users on the network. If a change to the network’s system components occurs, the user who made the change can be identified.
Requirement 11: Regular testing of security systems and processes. This practice helps identify vulnerabilities and take the appropriate measures to protect your company against new threats. Vulnerability scans are essential for both internal and external networks and should be performed at least quarterly.
Requirement 12: Establishment and maintenance of information security guidelines. This final PCI compliance requirement requires merchants to have a security policy that is updated based on the ever-changing risk environment.
Merchants will have to comply with either all of the PCI compliance requirements or only some of them, depending on the type and volume of the business’ transactions. A merchant acquirer like Powercash21 can guide you on the requirements your business needs to comply with and assist you in becoming PCI compliant. In addition, offering a PCI Level 1 compliant gateway means that merchants can reduce their PCI compliance scope and costs by relying on Powercash21’s top-level PCI certification for the storage of their customers’ credit card payment information.
Avoid the penalties of non-compliance
One of the main consequences of not being a PCI compliant merchant is the increased risk of a data breach. As the PCI compliance requirements were designed to protect sensitive information such as cardholder data from being stolen, failing to comply with them leaves the business vulnerable to a security breach. This has a long-lasting impact on a merchant’s business. It may lead to unhappy customers who no longer buy products or services from your company, affecting your revenue and reputation. Such a data breach, together with an inability to comply with the PCI requirements, may ultimately lead to losing the ability to accept payment cards, which is essential for any online merchant.
The financial consequences can be considerable. A fine of $5000 to $100,000 per month may result where PCI compliance violations have occurred. The credit card companies, like Visa and Mastercard, impose fines on non-compliant merchants, calculated based on how long they failed to comply with the Payment Card Industry requirements, the volume of clients and transactions, and the PCI DSS level the business must conform to. Beyond the fine itself, when a breach occurs, investigation, remediation, and legal fees can be quite substantial.
This is why the PCI compliance requirements are absolutely essential. The damage is more than purely financial: the loss of reputation and the likely loss of the relationship with the bank are something a small business would be unlikely to recover from.
The PCI Security Standards Council’s website provides valuable guidelines on the PCI DSS requirements and how to comply with them. It provides guidance on selecting a Qualified Security Assessor (QSA) and an Approved Scanning Vendor (ASV), as well as on how to use and complete the Self-Assessment Questionnaire (SAQ) that corresponds to your business.
It is important to note that vulnerabilities that can lead to a loss of card data protection can also exist at payment providers and acquirers, so be sure to understand the level of PCI DSS compliance observed by your payment partners.