Most business owners recognize the need for a digital presence.
As consumers become accustomed to easier access to products and services, more and more companies are doing business online so they can compete in the digital market. Nearly every online purchase involves a credit card or other cardholder information. Customers want to know that their card and personal information is safe, and protecting that data is precisely where PCI comes into play.
Essentially, the increased protections create trust in the card brand and are, in large part, what drives the brand. If fraud and misuse of customer data occur, consumer trust in the credit card brand diminishes. As a result, major card brands want to know that businesses are making every effort to protect customer data and solidify consumer trust in their brand.
What is PCI (Payment Card Industry)?
If you are involved in the eCommerce world at all, you have probably seen the term PCI. If you deal in credit card transactions, you have likely seen the full phrase PCI DSS, which stands for Payment Card Industry Data Security Standard. The standard is published and maintained by the PCI Security Standards Council (PCI SSC).
Why PCI is important for your business
Now, on to the critical questions. What do PCI standards mean for your business? How do they affect your business practices? PCI DSS exists to ensure that merchants meet a minimum level of security whenever they store, process, or transmit cardholder data. As a merchant, this means you must provide that level of protection if you accept any of the major card brands as a form of payment.
The PCI SSC defines a merchant as “any entity that accepts payment cards bearing the logos of any of the five PCI SSC members (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.” (UnionPay has since joined those five founding brands as a strategic member of the Council.)
If you qualify as a merchant, you have a few options to manage your eCommerce ventures. You can:
- Develop your own payment processing application
- Use third-party services specifically designed for processing payment information
How you choose to process payment information determines how deeply your business will be involved with PCI compliance. A merchant who builds its own payment application and handles card numbers directly takes on the full standard; a merchant who redirects customers to a validated third-party payment page never touches cardholder data and has a far smaller scope. PCI DSS applies to all system components included in or connected to the Cardholder Data Environment. The Cardholder Data Environment (CDE) comprises the people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data. PCI requirements also cover any system, process, or technology that is connected to the CDE or could affect its security, for example a domain controller, log server, or monitoring host that can reach it. Network segmentation is the usual way to keep the rest of the business out of scope, and the segmentation has to be verified, not assumed.
This is a broad definition. In practice it reaches any part of your business that touches card payments in any way. For example, one major company is currently examining its recorded customer service calls, because a recording in which a caller reads out card details contains cardholder data and falls within scope.
Ultimately, if you accept credit card payments, you will be involved with PCI compliance on some level.
How your business can meet PCI compliance standards
An entire industry has grown up around PCI compliance, with its own forms, methods, and processes. The PCI SSC developed the standard to safeguard consumer information and make sure businesses are doing what they can to protect cardholders. Note that the PCI SSC itself does not award a compliance designation to merchants: it maintains the standard and certifies assessors and scanning vendors, while compliance is validated to your acquiring bank and, through it, to the card brands. Demonstrating that compliance is nonetheless an essential milestone for companies operating in the eCommerce sphere.
The number of card transactions your business conducts determines what you have to do to validate compliance. Each card brand defines its own merchant levels; the thresholds below are Visa's, and the other brands use similar ones. Merchants fall into four levels:
Merchant Level 1
Key Criteria: Conducts more than 6 million transactions per year across all channels, has suffered a breach that compromised cardholder data, or has been designated Level 1 by the card brand
Requirements for PCI Compliance: Annual on-site assessment resulting in a Report on Compliance (ROC) by a QSA or ISA, Attestation of Compliance, and quarterly external vulnerability scans by an ASV
Merchant Level 2
Key Criteria: Conducts 1 to 6 million transactions per year
Requirements for PCI Compliance: Annual Self-Assessment Questionnaire, Attestation of Compliance, and quarterly external vulnerability scans by an ASV (some brands require the Level 2 SAQ to be completed by a QSA or ISA)
Merchant Level 3
Key Criteria: Conducts 20,000 to 1 million eCommerce transactions per year
Requirements for PCI Compliance: Annual Self-Assessment Questionnaire, Attestation of Compliance, and quarterly external vulnerability scans by an ASV
Merchant Level 4
Key Criteria: Conducts fewer than 20,000 eCommerce transactions per year, or up to 1 million transactions in total
Requirements for PCI Compliance: Annual Self-Assessment Questionnaire, Attestation of Compliance, and quarterly external vulnerability scans by an ASV, as required by your acquiring bank
What does all this mean? Your business needs to make all the efforts it can to protect customer data. More importantly, you must show that you have completed these efforts by performing the necessary assessments and submitting the appropriate documents. Here are some terms you need to know:
Report on Compliance (ROC): The report produced by an on-site assessment. It is required for larger companies that process more than 6 million card transactions per year and for any company that has suffered a compromise of consumer data.
Attestation of Compliance (AOC): A signed document stating that you have completed all procedures required to meet compliance.
Self-Assessment Questionnaire (SAQ): The questionnaire helps merchants evaluate their own level of compliance. There are several SAQ types (A, A-EP, B, B-IP, C, C-VT, P2PE, and D), selected by how you accept cards: a merchant that fully outsources card handling to a validated third party answers the short SAQ A, while one that stores or processes card numbers itself answers SAQ D, which covers the full standard.
Qualified Security Assessor (QSA): Qualified Security Assessors are certified through the PCI SSC to perform PCI compliance audits.
Internal Security Assessor (ISA): Internal employees who have been certified through the PCI SSC and are qualified to perform PCI assessments for their own organization.
Approved Scanning Vendor (ASV): Vendors authorized by the PCI SSC to perform the quarterly external vulnerability scans that PCI DSS requires.
Cardholder Data (CHD): At a minimum, the full Primary Account Number (PAN). The cardholder name, expiration date, and service code are also cardholder data when they are stored, processed, or transmitted together with the PAN. Stored PANs must be rendered unreadable (truncation, tokenization, hashing, or strong encryption), and a displayed PAN must be masked to no more than the first six and last four digits unless there is a documented business need to see more.
Sensitive Authentication Data (SAD): Data used to authenticate a card or cardholder: full track data from the magnetic stripe or chip, the card verification code (CAV2/CVC2/CVV2/CID), and PINs or PIN blocks. SAD must never be stored after authorization, even if encrypted, and a common scoping failure is finding it in debug logs or call recordings.
Cardholder Data Environment (CDE): The Cardholder Data Environment is comprised of people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data.
- If you are a merchant who accepts or processes payment cards, you must comply with PCI DSS. PCI DSS applies to all entities that store, process, and/or transmit cardholder data.
- PCI PTS (PIN Transaction Security) applies to manufacturers of devices, such as PIN entry terminals and hardware security modules, that protect PINs and other cardholder information.
- PCI PA-DSS (Payment Application Data Security Standard) applied to vendors of off-the-shelf payment applications that store, process, or transmit cardholder data as part of authorization or settlement. PA-DSS was retired in October 2022 and replaced by the PCI Software Security Framework (the Secure Software Standard and Secure SLC Standard).
- If you are a vendor with a validated payment application listing, you must complete an annual revalidation to keep the listing current.
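The first step in the procedure below, confirming scope, usually comes down to finding out where cardholder data actually lives. The following Python script is an added example and not code from the original article or from the PCI SSC: it scans a constructed set of log lines and a call-transcript snippet for candidate PANs, applies the Luhn check so order numbers and request IDs are not mistaken for card numbers, masks any hit to the first six and last four digits for reporting, and flags key/value pairs that look like sensitive authentication data. The sample text, the regular expressions, and the SAD heuristic are assumptions of this example; the card numbers are the widely published Visa and Mastercard test PANs and belong to no real account.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: three application log lines and one support note,
# the kind of material a CDE scoping review turns up. The two card numbers are
# public test PANs; the request_id on the last line is 16 digits but fails Luhn.
SAMPLE_TEXT = """\
2024-03-01T10:15:22Z app[web-3]: POST /checkout ok order=10231 pan=4111111111111111 exp=12/26
2024-03-01T10:15:23Z app[web-3]: cvv=123 status=APPROVED
2024-03-01T10:16:05Z support: "caller read card number 5555 5555 5555 4444, expiry 04/27"
2024-03-01T10:16:07Z app[web-3]: request_id=1234567890123456 latency_ms=42
"""

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit. Assumed pattern for this example.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Heuristic for SAD written as key=value or key: value in logs (assumed pattern).
_SAD_RE = re.compile(r"\b(cvv2?|cvc2?|cav2|cid|pin)\s*[=:]\s*\d{3,6}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN for a report: keep the first six and last four digits only."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    line_no: int
    kind: str      # "PAN" or "SAD"
    evidence: str  # masked PAN, or the SAD field name that was found


def find_pans(line: str) -> list[str]:
    """Return the Luhn-valid candidate PANs in a line, separators removed."""
    pans = []
    for m in _PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(digits)
    return pans


def scan_text(text: str) -> list[Finding]:
    """Scan text line by line, reporting masked PANs and SAD-looking fields."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        for pan in find_pans(line):
            findings.append(Finding(n, "PAN", mask_pan(pan)))
        for m in _SAD_RE.finditer(line):
            findings.append(Finding(n, "SAD", m.group(1).lower()))
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_TEXT):
        print(f"line {f.line_no}: {f.kind} {f.evidence}")
```

Run against the sample, the scanner reports a PAN on lines 1 and 3, a SAD field (cvv) on line 2, and nothing on line 4. The point of the Luhn filter is precision: without it, every 16-digit identifier in a log would be a false positive. The point of reporting only masked PANs is that the scoping report itself must not become a new store of cardholder data, and the SAD finding on line 2 is the more serious one, because a card verification code in a log after authorization is a violation regardless of how the log is protected.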
To Review: Businesses that process consumer card information must perform the following steps to achieve PCI compliance:
- Confirm the scope of the PCI DSS assessment.
- Perform the PCI DSS assessment of the environment.
- Complete the applicable report for the assessment (i.e., Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC)), including documentation of all compensating controls.
- Complete the Attestation of Compliance for Service Providers or Merchants, as applicable, in its entirety.
- Submit the SAQ or ROC, and the Attestation of Compliance, along with any other requested documentation.
- If required, perform remediation and provide an updated report.
PCI compliance is an exhaustive and at times overwhelming process. The procedures ensure that consumers and merchants can transact securely, which lets you do business at a larger scale and builds consumer trust in your brand.