Nothing feels more hellish for consumers and merchants than a data leak or spill exposing otherwise confidential information to tech-savvy criminals. Despite the best efforts of IT experts, the next credit card data breach has long been a matter of “when” rather than “if”.
This threat continued to raise concerns, and in response a panel representing the five major credit card brands (Mastercard, Visa International, Discover, American Express, and JCB) set up the Payment Card Industry Data Security Standard (PCI DSS). This independent entity was established to manage the continuous improvement of the PCI DSS so that top-level security is maintained at every point of any transaction process.
Credit card data security is key to today’s safe shopping processes. It is no wonder more and more companies now appreciate the importance of PCI DSS and the role it plays in modern times. In fact, PCI DSS compliance rose 44 percent between 2012 and 2017 alone. However, reports from Verizon revealed that more than 40 percent of merchants have yet to comply with the regulations. But do you really have to comply?
Understanding PCI DSS for your Business
As a merchant, business, institution, or entity of any sort that accepts, stores, or transmits customers’ credit card information, you are required to protect sensitive cardholder data and follow PCI DSS standards. Under PCI DSS, cardholder data is defined as the full Primary Account Number plus any of:
- Service code
- Cardholder name
- Expiration date
PCI DSS also requires that Sensitive Authentication Data be protected, and this includes:
- PIN blocks
- Full magnetic stripe data
- CVV2, CAV2, CID, and CVC2
This requirement applies to any transaction, regardless of its size. So long as you accept payment cards bearing the logo of any of the five brands represented on the PCI DSS council, this information applies to you. The PCI DSS aims to address six major objectives:
- A secure network through which transactions are conducted must be maintained. This involves the use of robust firewalls that can effectively manage transactions without causing unnecessary inconvenience to cardholders. Additionally, authentication data such as passwords and PINs must be changeable by their users as they desire, and must never be left at the defaults supplied by a vendor.
- Cardholder data must be protected wherever it is accepted, transmitted or stored. Vital data held in repositories, such as Social Security numbers, dates of birth, mailing addresses, and mothers’ maiden names, must be secured against theft. Wherever cardholder information is transmitted over public networks, it must be encrypted.
- Credit card processing systems should be protected against the nightmarish activities of hackers by constantly using updated anti-spyware, anti-virus, and other anti-malware software. All credit card applications should be free of vulnerabilities that expose transactions to exploits that could lead to theft of a cardholder’s data.
- Access to system information must be restricted and controlled. A cardholder should not have to provide confidential information to any business unless that business can carry out the transaction without exposing it to a breach.
- Networks must be frequently monitored and constantly tested to ensure that top-level security measures and processes are maintained, functioning optimally, and up to date. For instance, only the latest definitions for software such as anti-virus and anti-spyware programs should be in use, 100 percent of the time.
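As an added example (not from the article or from the PCI council) of what protecting the data defined above means in code: a Luhn check to recognise a PAN, masking to the first six and last four digits, a scrubber for log lines, and a record sanitiser that drops the Sensitive Authentication Data elements listed above before anything is stored. The field names and sample values are constructed for the example.

```python
import re

# Sensitive Authentication Data (SAD), as the article lists it: never retained after authorization.
SAD_FIELDS = {"pin_block", "track_data", "cvv2", "cav2", "cid", "cvc2"}
# Candidate PANs: 13 to 19 digit runs that are not embedded in a longer digit string.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(pan: str) -> bool:
    """Mod-10 (Luhn) check, which weeds out most digit runs that merely look like a PAN."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS allows when a PAN is displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrub_text(text: str) -> str:
    """Mask every Luhn-valid PAN found in free text, e.g. a log line about to be written to disk."""
    return PAN_RE.sub(lambda m: mask_pan(m.group()) if luhn_valid(m.group()) else m.group(), text)


def sanitize_record(record: dict) -> dict:
    """Return a copy of a payment record that is safe to persist, plus a list of findings:
    SAD fields are dropped, the PAN is masked, other cardholder data passes through."""
    findings = []
    safe = {}
    for key, value in record.items():
        if key in SAD_FIELDS:
            findings.append(f"dropped SAD field '{key}'")
        elif key == "pan":
            if not luhn_valid(value):
                findings.append("pan failed Luhn check")
            safe[key] = mask_pan(value)
            findings.append("masked pan")
        else:
            safe[key] = value
    return {"record": safe, "findings": findings}


if __name__ == "__main__":
    # Constructed sample; 4111111111111111 is a common Luhn-valid test number, not a real card.
    print(sanitize_record({"pan": "4111111111111111", "cardholder_name": "J DOE", "cvv2": "123"}))
    print(scrub_text("2024-01-01 auth ok pan=4111111111111111 order=1234567890123"))
```

Run on any record or log line that leaves the authorization path; the findings list is what you would forward to monitoring so that stray SAD in storage shows up as an alert rather than in a forensic audit.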
How Does your Business Comply with PCI Standards?
In order to ensure compliance with PCI standards, there are a series of steps every merchant must go through. This process is especially applicable to small and mid-sized businesses.
First, each merchant must complete a Self-Assessment Questionnaire (SAQ) designed to help them determine what their PCI compliance requires. Once the questionnaire is filled in completely, some merchants will be required to complete a vulnerability scan, as evidence of passing, with a PCI Approved Scanning Vendor (ASV). This part is not a requirement for every merchant: only those filing SAQ A-EP, SAQ B-IP, SAQ C, SAQ D-Service Provider, or SAQ D-Merchant must provide the evidence of passing.
Secondly, you are required to complete the Attestation of Compliance and submit it along with the SAQ and the evidence of passing.
What if Your Business Does Not Comply?
Although PCI DSS is not a law, it is an industry standard regulation. Hence, merchants and companies who fail to meet its standards may be held responsible for card replacement costs, fines, brand damage, forensic audits, and any other consequences that arise in the event of a data breach.
Compliance with PCI DSS standards will save you the nightmare of experiencing any of these awful and complex consequences. In other words, while you may not enjoy some jail-time if you do not comply with PCI standards, you will still ride the rail, as it were.
About The Author
Mark Sands is co-founder of High Risk Merchant Account LLC and an authoritative expert in the high risk merchant services space. Mark has decades of experience in the payment industry and enjoys writing on entrepreneurship-related topics.