Between a Rock and a Card Place: PCI Compliance and Your Business

As every manufacturing and distribution (M&D) business knows, e-commerce is a vital conduit for getting your products to customers. Because of the criticality of this virtual payment process, exceptionally robust security needs to be implemented to protect your customers’ information, especially their credit card data. However, without a strong security standard in place to ensure every payment card transaction is protected, cybercriminals would quickly derail the ultra-efficient e-commerce process, imperiling the purchasing ability for an untold number of customers. Thankfully, a standard has been established to provide a roadmap to securing payment card information, and it is called the Payment Card Industry Data Security Standard, commonly known as PCI DSS. However, for businesses that are not familiar with PCI DSS, its detailed requirements can be somewhat overwhelming. The following guide will help your business understand its complexities while also providing guidance for efficiently navigating the challenges of reaching and maintaining compliance.

• What is PCI DSS?
  
  • PCI DSS is a collection of security standards that were developed to ensure that businesses accepting, storing, processing or transmitting payment card information maintain a secure environment.
• Who created and administers PCI DSS?
  • The standard is administered by the Payment Card Industry Security Standards Council, an independent organization that was established by the major payment card brands (MasterCard, Visa, American Express, Discover and JCB).
• Why was PCI DSS established?
  
  • The mission of PCI DSS is to enhance global payment account data security by developing standards and supporting services that drive education, awareness, and effective implementation by stakeholders.
• Who needs to be compliant with PCI DSS?
  • Compliance is required by any business that accepts, stores, or transmits cardholder data. *Note: certain payment solutions process your transactions using their merchant ID (MID) instead of yours, and may be an exception to this rule.
• What are the benefits of being compliant with PCI DSS?
  • By meeting the standard, the risk of a cardholder data breach will be reduced. Additionally, compliance will increase additional trust with clients while enhancing your reputation for valuing data security.
• Where can I obtain a copy of the standard?
  • A copy of the latest version (3.2.1) of the PCI DSS standard can be found on the official PCI website here.
• Who enforces PCI DSS?
  • Payment brands and acquirers are responsible for enforcing compliance.
• What are the penalties for non-compliance?
  • The payment brands may penalize an acquiring bank upwards of tens of thousands per month for compliance violations, which eventually travel downstream until it hits your business. In addition to the fines, your acquiring bank can terminate your relationship or expand transaction fees.
• What do I need to do to achieve compliance?
  • Depending on the volume of transactions your business processes, it will be assigned a Merchant Level, ranging from Level 1 (these are typically larger companies with millions of transactions) to Level 4 (the vast majority of small and mid-sized businesses). Assuming your business falls into the Level 4 merchant category, the next step is to complete a self-assessment questionnaire to validate compliance on an annual basis.
• What self-assessment questionnaire (SAQ) do I need to complete for my business?
  • The appropriate SAQ is based on how you accept transactions (e.g., via your website, through a POS system, on-premise swipe devices, etc.). There are several versions of the SAQ that align to how your business handles transactions. For example, if your business has an e-commerce webpage and payments are accepted and processed from a third-party PCI-validated service provider, you would be required to complete an SAQ A. This questionnaire consists of a small number of questions and does not require scanning or penetration testing. The SAQ D, for example, covers businesses that are accepting credit card payments and subsequently electronically storing the cardholder data. This questionnaire has hundreds of additional questions and also requires quarterly scans and penetration testing.
• What type of questions are on a SAQ?
  • The questions are classified according to the 12 requirements of the data security standard. These requirements include protecting your system with firewalls, configuring passwords and settings, protecting stored cardholder data, encrypting transmission of cardholder data across open, public networks, using and regularly updating anti-virus software, regularly updating and patching systems, restricting access to cardholder data, assigning a unique ID to each person with computer access, restricting physical access to workplace and cardholder data, implementing logging and log management, conducting vulnerability scans and penetration tests, and documentation and risk assessments. Depending on the SAQ you are completing, you may not need to answer questions from each of the 12 requirements.
• What are some helpful tips during the PCI compliance process?
  • The compliance process is not a “get it and forget it” process. Once compliance is achieved, implement a plan to sustain compliance throughout the year.
  • Where possible, minimize the number of ways you process credit card transactions, and avoid ever storing cardholder data.
  • Compliance is a complete team effort and not just an IT responsibility. When developing policies and procedures, be sure to involve each department that handles cardholder data.
  • Training is essential to reducing the risk of compromise, so all applicable employees should receive guidance related to securing cardholder data.
  • Have an incident response plan in place in the event cardholder data is compromised. Knowing what steps to take after an incident will greatly expedite the response and recovery process.

To discuss how Citrin Cooperman can help your business become compliant with PCI DSS, contact Kevin Ricci at kricci@citrincooperman.com.