PCI Compliance: Everything You Need to Know
PCI DSS: An Overview
The Payment Card Industry Data Security Standard (PCI DSS) is maintained by the PCI Security Standards Council (PCI SSC). Founded in 2006 by the five major card brands (MasterCard, Visa, Discover, American Express and JCB International), the Council publishes the security requirements that merchants and service providers must meet when they store, process or transmit cardholder data. Enforcement is left to the individual card brands and to acquiring banks.
Being PCI compliant is not a legal requirement. It is a contractual obligation that merchants take on through their agreement with their acquiring bank, so merchants who accept card payments should follow the PCI SSC's requirements both to reduce the risk of a data breach and to avoid the fines that follow non-compliance. Which requirements apply depends on how your company handles card data.
Your business could have security weaknesses in many places, such as unpatched operating systems and network devices that an attacker could use to get into your company's private network.
Data can be stolen from many areas, including but not limited to:
Identifying where your company's weaknesses are in protecting sensitive cardholder data, and securing how your business processes payments, is paramount.
What do I need to do to become PCI Compliant?
Merchants are assigned to compliance levels according to the number of card transactions the business processes per year (a rolling 12 month period). Whatever the level, one thing does not change: a business must achieve full PCI DSS compliance and then maintain it continuously, not just at validation time, to keep its own data and its customers' data safe.
Each of the five card brands runs its own compliance programme (merchant level definitions, validation deadlines and enforcement), but all of them enforce the same PCI DSS. Below is a simplified, general breakdown of what validation typically involves:
Validation requirements depend on which merchant level applies to your business. Level 1 merchants undergo an annual on-site assessment by a Qualified Security Assessor (QSA), which produces a Report on Compliance (ROC). Merchants at the other levels complete the PCI DSS Self-Assessment Questionnaire (SAQ) that matches their environment. Where the applicable SAQ calls for it, the merchant must also provide evidence of a passing quarterly external vulnerability scan by a PCI SSC Approved Scanning Vendor (ASV). In every case the merchant completes an Attestation of Compliance (AOC) and submits it to its acquirer.
If you would like any clarification on the information here, please visit the PCI Security Standards Council’s website.
What Happens if I’m Not PCI compliant?
As previously mentioned, being PCI compliant is not required by law. However, if your customers' card data is breached you could face major damage to your business, its reputation and brand image, as well as a range of fines and cost recoveries. In the long term, complying with PCI DSS costs your business far less than the consequences of a breach.
The State of PCI DSS Compliance
According to Verizon's 2018 Data Breach Investigations Report (DBIR), there were over 53,000 security incidents and 2,216 confirmed data breaches in the period studied. In 2017, Verizon reported that PCI DSS compliance was continuing on an upward trend, with the proportion of fully compliant organizations having grown by 44.3% since 2012. However, 44.6% of businesses still failed their interim PCI DSS validation in 2016.
In 2017, SecurityMetrics predicted that data breaches and attacks from hackers were likely to ‘follow similar trends from the latter half of 2016,’ referring to companies such as Yahoo, who notoriously fell victim to a series of attacks in which the personal information of millions was compromised.
SecurityMetrics forensic takeaways from 2016:
CardConnect’s Point-to-Point Encryption and Tokenization
CardConnect can provide merchants with solutions that help to reduce PCI audit scope, with PCI-validated point-to-point encryption (P2PE) which is applied in both retail (card-present) and call center (card-not-present) transactions.
It’s part of the CardSecure solutions.
CardSecure's P2PE solution is designed to provide businesses with the highest degree of payment security and greatly reduce the scope of PCI DSS compliance requirements.
Check out an overview of how a typical transaction works below:
PCI DSS Compliance FAQ’s
Q: What is the PCI DSS?
A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. The PCI DSS is administered and managed by the PCI SSC, an independent organization that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).
Q: How do I get PCI compliant?
A: Merchants getting started with PCI compliance can find a wealth of information on the PCI Council website and download the PCI Council's Getting Started Guide and Quick Reference Guide. To learn what a merchant's specific compliance requirements are, the PCI Council recommends the merchant check directly with the card brands: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, Visa Inc., Visa Europe.
Q: To whom does PCI compliance apply?
A: PCI compliance applies to ANY organization or merchant (includes international merchants/organizations), regardless of size or number of transactions, that accepts, transmits or stores any cardholder data.
Q: Is a merchant obligated to be PCI compliant?
A: PCI compliance is not a law. The PCI standards were created by the major card brands Visa, MasterCard, Discover, AMEX and JCB. At the discretion of their acquirers or service providers, merchants that do not comply with PCI DSS may be subject to fines, card replacement costs, costly forensic audits, brand damage and so on, should a breach occur. The consequences of non-compliance far outweigh the time and effort of maintaining compliance.
Q: What are the levels of PCI compliance?
A: There are 4 levels of PCI compliance, based on the number of transactions a merchant processes annually. The thresholds below are Visa's; the other brands use similar but not identical definitions, so check with your acquirer:
- Level 1: merchants processing more than 6 million transactions annually (across all channels), or any merchant the card brand designates as Level 1, for example after a breach
- Level 2: merchants processing between 1 million and 6 million transactions annually
- Level 3: merchants processing between 20,000 and 1 million e-commerce transactions annually
- Level 4: merchants processing fewer than 20,000 e-commerce transactions annually, and all other merchants processing up to 1 million transactions annually
Q: How often is PCI DSS validation required?
A: Validation requirements vary with the number of transactions processed annually and with the payment card brand. Merchants at Level 2, 3 or 4 must demonstrate compliance annually via a Self-Assessment Questionnaire (SAQ) or a Report on Compliance (ROC). Level 1 merchants must be validated annually by a Qualified Security Assessor (QSA), who performs an on-site assessment and produces a ROC. Quarterly ASV scans apply in addition wherever the merchant's SAQ or acquirer requires them. Compliance means establishing and maintaining a PCI program that incorporates appropriate business policies, procedures and technologies, so that payment card data is protected continuously rather than only at validation time.
Q: What are the requirements to be in compliance with the PCI Data Security Standard?
A: The PCI DSS is a multifaceted security standard that covers security management, policies, procedures, network architecture, software design and other protective measures. It comprises 12 requirements grouped under six goals:
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
Q: Which Self Assessment Questionnaire (SAQ) must be completed by a merchant?
A: The PCI DSS SAQ Instructions and Guidelines document summarizes the different SAQs and the types of environments each is intended for. Merchants should also consult their acquirer (merchant bank) or payment brand to determine whether they are eligible or required to submit an SAQ and, if so, which SAQ fits their environment. More than one SAQ may apply depending on how the merchant accepts payments. For more information, visit the PCI Council website.
Q: How does CardConnect help minimize PCI scope within a merchant environment?
A: CardConnect provides cardholder data tokenization. A token is a surrogate value that stands in for the cardholder data a merchant would otherwise need to store for recurring billing, refunds or customer records. The merchant submits the token, rather than the card number, when sending the transaction to the payment processor. Because the token has no mathematical relationship to the card number and can only be resolved inside the provider's token vault, the merchant can store the token and reduce the PCI scope of the systems holding it; a stolen token is useless to an attacker outside the provider's environment. Merchants with e-commerce sites can also reduce their PCI scope by using the available CardConnect tokenization solutions so that the card number is captured by the provider and never passes through the merchant's own servers.
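The following is an added illustration of the tokenization pattern described above, written for this page; it is not CardConnect's code and does not reflect how its vault is implemented. The vault class, the "tok_" token format and the HMAC-based lookup index are this example's own assumptions, and the card numbers used are constructed test values (4111 1111 1111 1111 is a standard Visa test number, not a real account). The example shows the properties that make tokenization reduce scope: the token is random rather than derived from the PAN, the same card maps to the same token without the vault having to compare clear-text PANs, tokens can never pass a Luhn check and so cannot be mistaken for card numbers downstream, and the merchant's record contains only the token and a PCI-permitted masked display value.

```python
import hmac
import hashlib
import secrets


def luhn_valid(pan: str) -> bool:
    """Mod-10 (Luhn) check on a primary account number (13-19 digits).

    Tokens issued by TokenVault are deliberately non-numeric, so they can
    never pass this check and be confused with a real PAN downstream.
    """
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits only: the most PCI DSS allows on a display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Hypothetical in-memory stand-in for a provider's token vault.

    The vault is the only place the clear PAN exists, so it sits inside the
    provider's PCI DSS scope. The merchant only ever handles the token.
    """

    def __init__(self, index_key: bytes) -> None:
        self._index_key = index_key     # vault-side secret; never leaves the vault
        self._pan_by_token = {}         # token -> PAN
        self._token_by_index = {}       # HMAC(PAN) -> token

    def _index(self, pan: str) -> str:
        # Keyed hash so the same card maps to the same token without storing a
        # plain hash that could be brute-forced across the small PAN space.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        idx = self._index(pan)
        token = self._token_by_index.get(idx)
        if token is None:
            # Random token: no mathematical relationship to the PAN, so it
            # cannot be reversed without access to this vault.
            token = "tok_" + secrets.token_hex(12)
            self._pan_by_token[token] = pan
            self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the provider, at authorization time, resolves a token."""
        return self._pan_by_token[token]


def merchant_record(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant's order database keeps: the token and a masked PAN
    for receipts and customer service. The clear PAN is not retained."""
    clean = pan.replace(" ", "")
    token = vault.tokenize(clean)
    return {"token": token, "display": mask_pan(clean), "amount_cents": amount_cents}


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))
    test_pan = "4111 1111 1111 1111"   # constructed Visa test number
    print(merchant_record(vault, test_pan, 1999))
```

In a real deployment the merchant would not even see the PAN transiently as `merchant_record` does here; the card would be captured by the provider's hosted page or P2PE terminal and only the token returned, which is what allows the smaller SAQs to apply.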
Q: If a merchant only accepts credit cards over the phone, does PCI compliance still apply to the merchant?
A: Yes. All businesses that store, process or transmit payment cardholder data must be PCI compliant.
Q: What are the penalties for failure to comply with PCI DSS?
A: The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on to their merchants. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business.
Q: What is a vulnerability scan?
A: A vulnerability scan checks a merchant's or service provider's Internet-facing systems for known security vulnerabilities. An ASV scan is non-intrusive: it remotely reviews networks and web applications at the external Internet protocol (IP) addresses the merchant or service provider supplies, and identifies vulnerabilities in operating systems, services and devices that an attacker could use to get into the company's private network. It requires no software to be installed on the scanned systems, and denial-of-service testing is not performed.
Q: How often does a merchant have to have a vulnerability scan?
A: At least once every 90 days, and PCI DSS also requires a rescan after any significant change to the network. Merchants who require a vulnerability scan must submit a passing scan (one with no vulnerabilities rated medium or higher on the external-facing systems). Merchants and service providers should submit their compliance documentation (passing scan reports) according to the timetable set by their acquirer. Quarterly scans must be conducted by a PCI SSC Approved Scanning Vendor (ASV) such as SecurityMetrics.
Q: Do organizations using third-party processors like CardConnect have to be PCI compliant?
A: Yes. Using CardConnect services does not exclude a company from PCI compliance. It may cut down on their risk exposure and consequently reduce the effort to validate compliance. However, it does not mean they can ignore PCI DSS.
Q: Is CardConnect a PCI compliant Gateway Service Provider?
A: Yes. CardConnect is a PCI compliant gateway. Every year, CardConnect undergoes a rigorous PCI DSS assessment to review and re-assess all of its data security measures. The assessment produces a Report on Compliance (ROC), and the yearly Attestation of Compliance (AOC) is available upon request.
Q: Who is required to fill out a PCI SAQ document?
A: Any merchant handling card transactions is required to complete the specific PCI SAQ that matches how cardholder data is handled in its environment. To determine which SAQ corresponds to a merchant, please visit our SAQ document summary section.
P2PE Frequently Asked Questions
Q: What is P2PE?
A: Point-to-point encryption (P2PE) cryptographically protects account data from the moment the payment card is read at the merchant's terminal until it reaches the solution provider's decryption environment. With P2PE, account data (cardholder data and sensitive authentication data) is encrypted inside the terminal and stays unreadable on every system in between, so the merchant's network, point-of-sale software and call center systems only ever carry ciphertext they cannot decrypt. Data stolen from those systems is therefore of little value to an attacker. Merchants using PCI-validated P2PE solutions also have fewer applicable PCI DSS requirements, which simplifies compliance. CardConnect's P2PE solution is one of the few listed by the PCI Council as validated; the Council's list of validated solutions, including CardConnect's, is linked here.
Q: What are the benefits of P2PE?
A: A P2PE solution:
- Makes account data unreadable by unauthorized parties, protecting customer data and therefore the company's reputation
- "De-values" account data, because even if it is stolen it cannot be decrypted without keys that exist only in the solution provider's decryption environment
- Simplifies compliance with PCI DSS requirements
- Reduces the P2PE Self-Assessment Questionnaire to only 26 requirements
Q: Who can use SAQ P2PE-HW?
A: SAQ P2PE-HW is intended for SAQ-eligible merchants who process cardholder data only via approved payment terminals that are part of a Council-listed P2PE solution. Merchants wishing to use SAQ P2PE-HW must confirm that they:
- Are using a P2PE solution that is listed on the PCI SSC’s List of Validated P2PE Solutions
- Do not store, process, or transmit any cardholder data on any system or electronic media (for example, on computers, portable disks, or audio recordings) outside of the payment terminal used as part of the P2PE solution
- Do not store any cardholder data in electronic format. This includes verifying that there is no legacy storage of cardholder data from other payment devices or systems
- Have implemented all controls in the P2PE Instruction Manual (PIM) provided by the P2PE Solution Provider.
Q: How does CardConnect reduce the PCI audit scope of an Independent Software Vendor?
A: An Independent Software Vendor (ISV) that provides software to merchants processing card payments can keep its application out of PCI DSS scope by integrating with CardConnect's P2PE solution, provided the application never receives, stores or transmits clear-text account data: card entry happens only on the P2PE terminal, and the application handles nothing but the encrypted payload and the tokens returned by the solution. If the application can ever touch a clear PAN (for example, manual card entry through its own user interface), that part of it remains in scope.
For more information on how CardConnect can help you with PCI compliance, fill out the form below and we'll connect you with our support teams.