Payment Card Industry Data Security Standard

What is PCI Compliance?

“PCI Compliance” is shorthand for the processes required to meet the payment and data security standards established by the Payment Card Industry Security Standards Council. This organization, founded in 2006 by five of the major global payment brands (American Express, Discover, JCB International, MasterCard and Visa), provides detailed guidelines on all aspects of payment card security for merchants and payment service providers, along with resources including self-assessment tools, tutorials, and lists of approved providers.

Does PCI Compliance apply to my company?

Yes. If you accept, transmit, or store credit cards, then PCI Compliance applies to your company.

Can I accept credit cards if I'm not compliant?

Yes, your business can still accept credit cards if you are not compliant, however your risk greatly increases.

What's the big deal then? What happens if I'm not compliant?

Credit card and payment system data breaches in retail have been big news recently, and if your business is unlucky enough to make the headlines, the negative effects can be difficult and long-lasting. Re-establishing customers’ trust in your business is usually far more expensive than doing everything possible to prevent data breaches in the first place.

While PCI Compliance is not in itself an airtight guarantee of payment data security, it does cover many of the most common scenarios, significantly mitigating your loss potential. In essence, operating a modern-day POS system without being PCI Compliant is like driving a car without insurance: there’s no problem – until there’s an accident. Then the results can be anything from inconvenient to catastrophic.

In addition, data breaches carry real-world costs. Figures will vary depending on the size of your business, but they can run to:

  1. Forensic investigation of POS system: $10,000 to $20,000

  2. Reimbursements for purchases made using stolen cards (often, but not always, covered by card issuers)

  3. Replacing stolen credit cards: $20 to $30 per card

  4. Fines for non-compliance with PCI standards: Up to $500,000 with VISA and up to $200,000 with MasterCard

You've got my attention, how do I know if I'm PCI Compliant?

The best way to determine if your business is compliant is to complete the PCI DDS Self-Assessment Questionnaire (SAQ). There's a lot of resources online to assist with this, including the Council's website.

I'm still using Windows XP. Is this a problem?

Yes. As of April 2014, Windows XP is no longer supported by Microsoft. Because of this, the operating system lacks current securitiy patches and is increasing vulnerable to breaches. If you are processing credit cards on a machine running Windows XP, you are not PCI Compliant.

What are some basic steps I can take to ensure compliance?

As outlined in a recent blog article, there are twelve basic steps you can take to protect yourself.

BUILD AND MAINTAIN A SECURE NETWORK

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

PROTECT CARDHOLDER DATA

Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

MAINTAIN A VULNERABILITY MANAGEMENT PROGRAM

Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

IMPLEMENT STRONG ACCESS CONTROL MEASURES

Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

REGULARLY MONITOR AND TEST NETWORKS

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

MAINTAIN AN INFORMATION SECURITY POLICY

Requirement 12: Maintain a policy that addresses information security

If I purchase a POS system from POS Nation, will it be PCI Compliant?

Perhaps the most important question, but yes, all of our software and hardware ships out PCI Compliant. Although ongoing compliance is determined by our customers, we position every merchant to succeed and remain compliant.

How do I stay PCI compliant?

Remember that PCI Compliance is not a one-time event but an ongoing process. Hackers and cybercriminals are constantly looking for new weaknesses in payment systems and networks, and while the biggest retailers make the news, small businesses are by no means immune.

The PCI DSS [Data Security Standard] outlines three broad steps in ongoing PCI Compliance:

I. Assess: Identify cardholder data, take an inventory of your IT assets and business processes for payment card processing, and analyze them for vulnerabilities that could expose cardholder data.

II. Remediate: Fix vulnerabilities and do not store cardholder data unless you need it.

III. Report: Compile and submit required remediation validation records (if applicable) and submit compliance reports to the acquiring bank and card brands you do business with.

What other useful resources are out there?

Several other websites dedicated to PCI Compliance exist such as PCI Compliance Guide and NDB Advisory.