Most business owners recognize the need for a digital presence.

As consumers are becoming accustomed to increased accessibility to products and services, more and more companies are doing business online, allowing them to compete in the digital market. Every online transaction involves credit cards or cardholder information of some kind. Customers want to know that their credit card and personal information is safe and protecting that data is exactly where PCI comes into play.

Essentially, these protections create trust in the card brand, and that trust is, in large part, what drives the brand. If fraud or misuse of customer data occurs, consumer trust in the card brand diminishes. As a result, the major card brands want to know that businesses are making every effort to protect customer data and to solidify consumer trust in their brand.

What is PCI?

If you are involved in the eCommerce world at all, you have probably seen the term PCI. If you deal in credit card transactions, you have likely seen the full phrase PCI DSS. This acronym stands for Payment Card Industry Data Security Standard.

The PCI DSS is the set of rules that governs how companies handle cardholder information so that consumers are protected from fraud. Originally released in 2004, these rules are set by the PCI SSC, the Payment Card Industry Security Standards Council.

PCI standards are largely driven by the major card brands (Visa, MasterCard, American Express, Discover, and JCB). To instill a sense of security in consumers, these card brands offer a high level of protection and make promises to cardholders about how their information will be used and managed.

Why PCI is important for your business

Now, on to the important questions. What do PCI standards mean for your business? How do they impact your business practices? PCI standards are in place to ensure that merchants meet minimum levels of security when they store, process, and transmit cardholder data. As a merchant, this means that you must maintain a certain level of security if you accept any of the major card brands as a form of payment.

The PCI SSC defines a merchant as “any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.”

If you qualify as a merchant, you have a few options to manage your eCommerce ventures. You can:

1. Develop your own payment processing application

2. Use third-party services specifically designed for processing payment information

How you choose to process payment information will determine how deeply your business is involved with PCI compliance. The PCI DSS applies to all system components included in or connected to the Cardholder Data Environment. The Cardholder Data Environment (CDE) comprises the people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data. In addition, PCI requirements cover any system, process, or technology that is connected to or can affect the security of the CDE.

This is a broad definition. In practical terms, it covers any part of your business that relates to credit card payments in any way. For example, one major company is currently looking at how it records phone calls that contain any mention of cardholder information in order to meet PCI compliance standards.

Ultimately, if you accept credit card payments, you will be involved with PCI compliance on some level.

How your business can meet PCI compliance standards

An entire industry has grown up around PCI compliance, with its own sets of forms, methods, and processes. The PCI SSC has developed a system to safeguard consumer information and to make sure businesses are doing what they can to protect cardholders. Achieving the resulting compliance designation is an important milestone for companies operating in the eCommerce sphere.

The number of card transactions your business conducts determines what you have to do to achieve compliance. Businesses fall into four levels:

Merchant Level 1

Key Criteria: Conducts 6+ million transactions per year or has had a breach of customer data that compromised cardholder information

Requirements for PCI Compliance: Annual Report on Compliance, Attestation of Compliance, and network scan

Merchant Level 2

Key Criteria: Conducts 1-6 million transactions per year

Requirements for PCI Compliance: Annual Self-Assessment Questionnaire, Attestation of Compliance, network scan

Merchant Level 3

Key Criteria: Conducts 20,000-1 million transactions per year

Requirements for PCI Compliance: Annual Self-Assessment Questionnaire, Attestation of Compliance, network scan

Merchant Level 4

Key Criteria: Conducts fewer than 20,000 transactions per year

Requirements for PCI Compliance: Annual Self-Assessment Questionnaire, Attestation of Compliance, network scan

What does all this mean? Your business needs to make every effort it can to protect customer data. More importantly, you must be able to show that you have made these efforts by performing the required assessments and submitting the appropriate documents. Here are some terms you need to know:

Report on Compliance (ROC): The annual ROC is for larger companies that process more than 6 million card transactions per year, or for any company that has experienced a compromise of consumer data.

Attestation of Compliance (AOC): This form is a signed document that states that you have completed all procedures to meet compliance.

Self-Assessment Questionnaire (SAQ): The questionnaire helps merchants evaluate their level of compliance.

Qualified Security Assessor (QSA): Qualified Security Assessors are certified through the PCI SSC to perform audits of PCI compliance.

Internal Security Assessor (ISA): These individuals are internal employees who have been certified by the PCI SSC and are qualified to perform PCI assessments within their own organization.

Approved Scanning Vendor (ASV): These vendors have been approved by the PCI SSC to perform vulnerability scans to determine PCI compliance.

Cardholder Data (CHD): Cardholder Data refers to information that could be used to gain illicit access to the funds associated with a card. Typically, this includes the primary account number (PAN), cardholder name, expiration date, and service code.

Sensitive Authentication Data (SAD): This is additional card-related information used to authenticate a transaction, including full track data, the card verification code (such as CID), and PINs.

Cardholder Data Environment (CDE): The Cardholder Data Environment comprises the people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data.

Once you know your Merchant Level, you will need to determine exactly what your responsibilities are when it comes to PCI compliance.

If you are a merchant who accepts or processes payment cards, you must comply with PCI DSS. PCI DSS applies to all entities that store, process, and/or transmit cardholder data.

PCI PTS (PIN Transaction Security) applies to manufacturers of the devices used to protect PINs and other cardholder information.

PA-DSS (Payment Application Data Security Standard) applies to vendors of payment applications that store, process, or transmit cardholder data as part of authorization or settlement. It is a set of standards for software developers whose applications process cardholder payments.

If you are a payment application vendor covered by PA-DSS, you must complete an annual renewal.

To review: Businesses that process consumer card information must perform the following steps to achieve PCI compliance:

1. Confirm the scope of the PCI DSS assessment.

2. Perform the PCI DSS assessment of the environment.

3. Complete the applicable report for the assessment (i.e., Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC)), including documentation of all compensating controls.

NOTE: Some portions of the ROC may be fulfilled by a third-party service provider, in which case the assessor will review the contract and the third party’s AOC.

4. Complete the Attestation of Compliance for Service Providers or Merchants, as applicable, in its entirety.

5. Submit the SAQ or ROC, and the Attestation of Compliance, along with any other requested documentation.

6. If required, perform remediation and provide an updated report.

PCI compliance is an exhaustive and sometimes overwhelming process. But these procedures ensure that consumers and merchants can conduct secure transactions, allowing you to do business on a larger scale and build consumer trust in your brand.

Contact us now to learn more about PCI compliance and find out how we can help you conduct safe, secure credit card transactions.
