POS Nation Merchant Services

“PCI compliance” is shorthand for the processes required to meet the payment and data security standards established by the Payment Card Industry Security Standards Council. This organization, founded in 2006 by five of the major global payment brands (American Express, Discover, JCB International, MasterCard and Visa), provides detailed guidelines on all aspects of payment card security for merchants and payment service providers, along with resources including self-assessment tools, tutorials, and lists of approved providers.

If you accept, transmit, or store credit cards, then PCI compliance applies to your company.

Your business can still accept credit cards if you are not compliant, however, your risk greatly increases.

Credit card and payment system data breaches in retail have been big news recently, and if your business is unlucky enough to make the headlines, the negative effects can be difficult and long-lasting. Re-establishing customers’ trust in your business is usually far more expensive than doing everything possible to prevent data breaches in the first place.

While PCI compliance is not in itself an airtight guarantee of payment data security, it does cover many of the most common scenarios, significantly mitigating your loss potential. In essence, operating a modern-day POS system without being PCI compliant is like driving a car without insurance — there’s no problem until there’s an accident. Then the results can be anything from inconvenient to catastrophic.

In addition, data breaches carry real-world costs. Figures will vary depending on the size of your business, but they can run to:

1. Forensic investigation of your POS system: $10,000 to $20,000
2. Reimbursements for purchases made using stolen cards (often, but not always, covered by card issuers)
3. Replacing stolen credit cards: $20 to $30 per card
4. Fines for non-compliance with PCI standards: Up to $500,000 with VISA and up to $200,000 with MasterCard

The best way to determine if your business is compliant is to complete the PCI DDS Self-Assessment Questionnaire (SAQ). There's a lot of resources online to assist with this, including the Council's website.

Yes. As of January 2020, Windows 7 is no longer supported by Microsoft. Because of this, the operating system lacks current security patches and is increasingly vulnerable to breaches. If you are processing credit cards on a machine running Windows 7, you are not PCI compliant.

Yes. As of April 2014, Windows XP is no longer supported by Microsoft. Because of this, the operating system lacks current security patches and is increasingly vulnerable to breaches. If you are processing credit cards on a machine running Windows XP, you are not PCI compliant.

There are twelve basic steps you can take to protect yourself.

BUILD AND MAINTAIN A SECURE NETWORK
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

PROTECT CARDHOLDER DATA
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

MAINTAIN A VULNERABILITY MANAGEMENT PROGRAM
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

IMPLEMENT STRONG ACCESS CONTROL MEASURES
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

REGULARLY MONITOR AND TEST NETWORKS
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

MAINTAIN AN INFORMATION SECURITY POLICY
Requirement 12: Maintain a policy that addresses information security

Perhaps the most important question — but yes, all of our software and hardware ships out PCI compliant. Although ongoing compliance is determined by our customers, we position every merchant to succeed and remain compliant.

Remember that PCI compliance is not a one-time event, but an ongoing process. Hackers and cybercriminals are constantly looking for new weaknesses in payment systems and networks, and while the biggest retailers make the news, small businesses are by no means immune.

The PCI DSS [Data Security Standard] outlines three broad steps in ongoing PCI compliance:

I. Assess: Identify cardholder data, take an inventory of your IT assets and business processes for payment card processing, and analyze them for vulnerabilities that could expose cardholder data.

II. Remediate: Fix vulnerabilities and do not store cardholder data unless you need it.

III. Report: Compile and submit required remediation validation records (if applicable) and submit compliance reports to the acquiring bank and card brands you do business with.

Several other websites dedicated to PCI compliance exist such as PCI Compliance Guide and NDB Advisory.