PCI Compliance
From the world’s largest corporations to small Internet stores, compliance with the PCI Data Security Standard (PCI DSS) is vital for every merchant that accepts credit cards, online or offline, because nothing is more important than keeping your customers’ payment card data secure. The size of your business determines the specific compliance requirements you must meet. Note that enforcement of merchant compliance is managed by the individual payment brands.
The PCI DSS Council is a great resource: it assists merchants by maintaining and enhancing the PCI Security Standards, by providing education and training on protecting payment card data with those standards, and by serving as a forum for engaging with the industry on developing them. The FAQ section holds a wealth of information; to save yourself time, check there first when you have a specific question: https://www.pcisecuritystandards.org/faq/
Small Merchants
You must secure cardholder data to meet Payment Card Industry rules!
Small merchants are prime targets for data thieves. It’s your job to protect cardholder data at the point-of-sale.
If cardholder data is stolen – and it’s your fault – you could incur fines, penalties, even termination of the right to accept payment cards!
Learn how the PCI Data Security Standard can protect cardholder data and prevent theft.
Fallout from a data breach
As a small merchant, you face the potential of many negative forces from a breach of cardholder data:
- Fines and penalties
- Termination of ability to accept payment cards
- Lost confidence, so customers go to other merchants
- Lost sales
- Cost of reissuing new payment cards
- Legal costs, settlements and judgments
- Fraud losses
- Higher subsequent costs of compliance
- Going out of business
Customers worry about theft of their data.
You should worry about business fallout.
More than 340 million computer records containing sensitive personal information have been involved in security breaches in the U.S. since 2005 [1]. Criminals are now shifting their sights to small merchants because many have lax security for cardholder data. More than 80% of attacks target small merchants. If you are at fault for a security breach, the business fallout listed above can be severe.
What data thieves are after
The object of desire is cardholder data. By obtaining the Primary Account Number (PAN) and sensitive authentication data, a thief can impersonate the cardholder, use the card, and steal the cardholder’s identity.
Sensitive cardholder data can be stolen from many places:
- Compromised card reader
- Paper stored in a filing cabinet
- Data in a payment system database
- Hidden camera recording entry of authentication data
- Secret tap into your store’s wireless or wired network
Defining “sensitive cardholder data”
[Figure: front and back of a payment card, with arrows marking each sensitive cardholder data element; the image is not reproduced here.] Anything from the back of the card, and the CID, must never be stored. Anything else you store must be kept for a good business reason, and that data must be protected.
[1] Total records as of 10 Nov. 2009: 340,102,273, according to PrivacyRights.org.
WHAT TO SECURE?
Focus on protecting cardholder data under your control
You are responsible for protecting cardholder data at the point of sale, and as it flows into the payment system. The best step you can take is to not store any cardholder data. Compliance with the PCI standard includes protecting:
- Card readers
- Point of sale systems
- Store networks & wireless access routers
- Payment card data storage and transmission
- Payment card data stored in paper-based records
Evaluate with a Self-Assessment Questionnaire
Most small merchants can use a self-validation tool to assess their security for cardholder data. The tool is a short list of yes-or-no compliance questions. Choose the Self-Assessment Questionnaire (SAQ) type that best describes how you accept payment cards.
| SAQ | How do you accept payment cards? |
|---|---|
| A | Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. |
| B | Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage. |
| C-VT | Merchants using only web-based virtual terminals, no electronic cardholder data storage. |
| C | Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. |
| D | All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ. |
HOW TO SECURE?
The PCI DSS has become a model framework for security. It has best practices representing years of experience from security experts around the world. The standard works for the biggest corporations. And it will work for you!
Quick steps to security!
- Buy and use only approved PIN entry devices at your points-of-sale.
- Buy and use only validated payment software at your POS or website shopping cart.
- Do not store any sensitive cardholder data in computers or on paper.
- Use a firewall on your network and PCs.
- Make sure your wireless router is password-protected and uses encryption.
- Use strong passwords. Be sure to change default passwords on hardware and software – most are unsafe!
- Regularly check PIN entry devices and PCs to make sure no one has installed rogue software or “skimming” devices.
- Teach your employees about security and protecting cardholder data.
- Follow the PCI standard. See below.
PCI: ongoing 3-step process
- Assess – identifying cardholder data, taking an inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities.
- Remediate – fixing vulnerabilities and not storing cardholder data unless you need it.
- Report – compiling and submitting required reports to the acquiring bank and card brands you do business with.
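As an added example (not from this page or the PCI Security Standards Council), here is a small Python scanner for the Assess step and for the "do not store any sensitive cardholder data" rule: it finds Luhn-valid PANs in log or file lines, masks them for the report, and flags fields that hold sensitive authentication data. The field names it looks for and the sample log lines are assumptions constructed for the example.

```python
import re

# PAN candidate: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Assumed field names for sensitive authentication data (security code, track
# data, PIN), which must never be stored after authorization.
SAD_FIELD_RE = re.compile(
    r"\b(cvv2?|cvc2?|cid|cav2|track[12]?|pin(?:block)?)\b\s*[=:]", re.IGNORECASE)

def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; filters out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Show only the first six and last four digits, as PCI DSS masking allows."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text: str) -> list[str]:
    """Return masked PANs found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(mask_pan(digits))
    return hits

def scan_lines(lines: list[str]) -> list[dict]:
    """Flag each line holding a PAN or a sensitive authentication data field."""
    findings = []
    for n, line in enumerate(lines, 1):
        pans = find_pans(line)
        sad = bool(SAD_FIELD_RE.search(line))
        if pans or sad:
            findings.append({"line": n, "pans": pans, "sad": sad})
    return findings

# Constructed sample log lines (industry test card numbers, not real accounts).
SAMPLE_LINES = [
    "2009-11-10 09:14:02 order=1234567890123 amount=41.20 status=approved",
    "2009-11-10 09:14:03 DEBUG pan=4111 1111 1111 1111 exp=12/11 cvv2=123",
    "2009-11-10 09:15:44 customer 378282246310005 refunded 15.00",
    "2009-11-10 09:16:01 session=9f3a ip=10.0.0.12 page=/checkout",
]
FINDINGS = scan_lines(SAMPLE_LINES)  # two findings: lines 2 and 3
```

Line 1 contains a 13-digit order number that fails the Luhn check, so it is not reported; line 2 is the serious case, a full PAN together with a security code written to a debug log.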