PCI compliance — also known as PCI DSS compliance — is a necessary part of doing business for every merchant who accepts credit cards, debit cards and EBTs (electronic benefit transfers). Knowing what PCI compliance is and how to achieve it is vital to the future of your business on a number of different levels.
On the surface, mandatory PCI compliance may seem complicated, even burdensome or intrusive on the way you run your business. But think of it this way: PCI compliance equates with security for both you and your customers. Isn’t a little effort and diligence on your part a small price to pay for peace of mind when your livelihood is at stake?
At Merchant Express®, we understand the ins and outs of PCI security compliance and are ready to help with services to ensure that your credit card processing meets all the established criteria.
PCI Compliance Basics
PCI compliance is adherence to PCI DSS, the acronym for Payment Card Industry Data Security Standards, which are administered by the Payment Card Industry Security Standards Council (PCI SSC). This independent group was established in 2006 by the five major payment card brands — Visa®, MasterCard®, Discover®, American Express® and JCB® — to manage security standards for electronic transactions. Those standards and additional information about the PCI SSC can be found on the organization’s website.
Although the PCI Security Standards Council does not impose consequences for non-compliance with its data security standards, the individual payment brands can and do impose fines and/or operational sanctions that could be disastrous for your bottom line and your reputation with acquirers, payment brands and customers. Additionally, several states already have PCI compliance laws on their books, and more are expected to follow.
The comprehensive operational and technical requirements laid out in the PCI DSS establish consistent measures for data security management, policies and procedures, network architecture and software design. Businesses and small merchants are required to process, store and transmit cardholder data (cardholder name, account number, service code and expiration date) as well as sensitive authentication data (magnetic stripe or chip data, CVV code and PINs) in compliance with these requirements so that it is kept private and secure.
Since online transaction and credit card fraud continue to be major threats to businesses, PCI compliance is crucial. That’s why it’s required of all entities with a Merchant ID (MID), from the largest Big Box stores to the smallest Mom and Pop shops and everything in between. Additionally, all “players” in the credit card payment chain must be PCI compliant, including payment service providers like Merchant Express, banks and hosting providers.
It’s important to realize that PCI compliance is an ongoing process, not a one-time event in your business life. Consider it a series of common sense, “best practices” steps that all merchants should follow as part of their security strategy. The three steps for adhering to the PCI DSS as outlined by the PCI SSC are:
- Assess by identifying cardholder data, taking an inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities that could expose cardholder data.
- Remediate by fixing vulnerabilities and not storing cardholder data unless you need it.
- Report by compiling and submitting required remediation validation records (if applicable) and submitting compliance reports to the acquiring bank and card brands with whom you do business.
PCI Compliance Requirements
Check with your payment brand or merchant account provider for the exact PCI security compliance requirements for your company or business. Merchant Express provides information about PCI compliance requirements in general only.
Understanding the basis for PCI DSS will go a long way towards dispelling any concerns you may have about the process. Fundamentally, PCI DSS is organized into six basic principles (control objectives) made up of twelve core requirements (think of them as the “Digital Dozen”):
I. Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
II. Protect Cardholder Data
1. Protect cardholder data.
2. Encrypt transmission of cardholder data across open, public networks.
III. Maintain a Vulnerability Management Program
1. Use and regularly update anti-virus software.
2. Develop and maintain secure systems and applications.
IV. Implement Strong Access Control Measures
1. Restrict access to cardholder data by business need-to-know.
2. Assign a unique ID to each person with computer access.
3. Restrict physical access to cardholder data.
V. Regularly Monitor and Test Networks
1. Track and monitor all access to network resources and cardholder data.
2. Regularly test security systems and processes.
VI. Maintain an Information Security Policy
1. Establish and maintain a policy to address information security.
PCI Compliance Levels
Small businesses — those processing fewer than 20,000 e-commerce transactions and fewer than 1 million other transactions annually — fall into Level 4. Level 4 businesses must complete an annual risk assessment using the appropriate PCI Self-Assessment Questionnaire (SAQ).
Mid-sized companies generating between 20,000 and 1 million transactions annually require an annual risk assessment using the appropriate SAQ.
Companies at this level handle between 1 million and 6 million transactions annually. A PCI SAQ must be completed each year.
Big Box stores and other major corporations with a minimum of 6 million transactions per year must conduct an annual internal audit with a qualified PCI auditor. Quarterly PCI scans, administered by an approved scanning vendor, may also be required for businesses at all four levels.
Whatever your level, Merchant Express’s Transaction Express® can reduce your PCI burden and help you achieve and maintain compliance by enabling you to easily accept payments with maximum security. This web-based payment gateway’s secure processing platform is fully PCI compliant and ideally suited for merchants of all sizes.
Transaction Express’s features and services are designed to meet your unique needs and expectations. For example, through its Tokenization service, Transaction Express’s hosted payment page eliminates the need to store card data altogether by sending back only minimal information such as transaction and reference IDs and an authorization code.
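As an added illustration (not Merchant Express or Transaction Express code), the Python below shows one way to carry out the "Assess" step of identifying cardholder data in stored records and to confirm that a tokenized record of the kind a hosted payment page returns holds no card number; the log line, record fields and the well-known Visa test number are constructed samples.

```python
import re

# Constructed samples: a legacy log line that leaked a full PAN, and a tokenized
# record holding only transaction ID, reference ID and authorization code.
LEGACY_LOG_LINE = "2024-01-05 order=1042 card=4111 1111 1111 1111 exp=12/26 amt=49.95"
TOKENIZED_RECORD = {"transaction_id": "TX-000123", "reference_id": "REF-98765",
                    "auth_code": "A1B2C3", "amount": "49.95"}

# Runs of 13 to 19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check. Every real PAN passes it, which filters out most
    order numbers and timestamps (about 1 in 10 random runs still passes)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the digit-only PAN candidates in text that pass the Luhn check."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits for any report or display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def record_is_pan_free(record: dict) -> bool:
    """True when no field of a stored record contains a Luhn-valid PAN."""
    return not find_pans(" ".join(str(v) for v in record.values()))


if __name__ == "__main__":
    for pan in find_pans(LEGACY_LOG_LINE):
        print("cardholder data found in legacy log:", mask_pan(pan))
    print("tokenized record free of PANs:", record_is_pan_free(TOKENIZED_RECORD))
```

Run over real storage, matches should be reported masked and then remediated by deleting the data or replacing it with the gateway's token, not copied into the findings.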
PCI Compliance Means Security
By fully complying with PCI DSS, you significantly decrease your risk of electronic data fraud that could seriously jeopardize or damage your business brand, reputation and finances. Just one data breach can cause a cascade of lost sales, cancelled accounts, destruction of business and community relationships, high-stakes lawsuits, insurance claims, and expensive fines and sanctions by individual payment brands.
As a merchant, you know that doing business is based on trust between you and your customers. Consumers who believe their sensitive credit or debit card information is safe with you are more likely to return and to refer other business your way. PCI compliance helps establish that important level of trust and feeling of security.
Final Thoughts on PCI Compliance
Compromised electronic data negatively affects everyone involved: merchants, consumers and financial institutions. By achieving PCI compliance, you’re taking responsibility for keeping the data entrusted to you safe from fraudsters and thieves.
The protective measures outlined in PCI DSS are an investment in the global battle against electronic fraud. PCI compliance ensures safeguarded payment card data with every transaction. Isn’t that what you and your customers expect?
When you’re ready to achieve and maintain PCI compliance, Merchant Express can help. Let one of our representatives answer your questions and set you on the Transaction Express path to PCI DSS compliance.