With the average cost of a data breach increasing year-over-year, combined with the potential for reputational and brand damage as a result of data theft, it has never been more important to secure the cardholder data of your customers.
The Payment Card Industry Data Security Standard (PCI DSS) sets the baseline security controls that merchants and service providers must apply whenever they store, process or transmit payment card data. If you don't know where to start with PCI compliance, read on to discover how your software company can meet the requirements, and download our PCI compliance checklist to guide you through the process.
Why is PCI compliance important?
As technology continues to evolve, offering all of us a number of different ways to make payments for products and services, the risk to organizations and consumers increases at a similar rate.
According to the 2018 Cost of a Data Breach study by IBM and Ponemon, the average total cost of a data breach rose 6.4% compared with 2017, and the United States suffered the highest per-record cost at $233 per stolen record.
Breaches occur for a number of reasons: for example, cardholder data transmitted unencrypted across public networks, or attackers deliberately targeting stored credit card information.
By making your business processes and software environments PCI compliant, you meet the stringent security requirements set out in the official standard. This gives you, and your customers, additional confidence that credit and debit card data is protected against unauthorized access.
PCI DSS is not a statute; it is a contractual obligation enforced through the card brands and your acquiring bank, which can levy fines, increase transaction fees or withdraw your ability to accept cards if you fail to comply. Beyond that, the financial and reputational impact of losing or exposing cardholder data has never been more severe, especially in a competitive space such as cloud-based software.
How to get started with PCI compliance
Although becoming PCI compliant is an effective (and necessary) way to protect cardholder data, it can sometimes appear to be a daunting and complex process.
The official PCI Security Standards Council website (pcisecuritystandards.org) has a number of helpful resources to assist businesses with questions regarding compliance.
The first step in your PCI journey is to establish whether your company is classified as a service provider or a merchant. This matters because the validation requirements differ between the two.
If your company sells software, a point-of-sale (POS) system or another technical solution that stores, processes or transmits cardholder data on behalf of your customers, or that can affect the security of their cardholder data, your business is a service provider.
Your business is a merchant if it is the entity that directly accepts payment cards from any of the five founding members of the PCI SSC (American Express, Discover, JCB, MasterCard and Visa) in exchange for goods or services. A company can be both: a software vendor that accepts cards for its own subscriptions is a merchant for those payments and a service provider for the payments it handles on behalf of its customers.
Requirements for service providers
There are two compliance levels for service providers. Your level is set by the card brands based on the number of transactions your business stores, processes or transmits across its software, POS and technical offering over a twelve-month period. The 300,000 threshold below is the one used by Visa and MasterCard; confirm the figure with each brand you work with:
- Service Provider Level 1 - stores, processes or transmits more than 300,000 transactions per year
- Service Provider Level 2 - stores, processes or transmits 300,000 or fewer transactions per year
Service Provider Level 1 - Providers in this category must undergo an annual onsite assessment by a Qualified Security Assessor (QSA), which produces a Report on Compliance (ROC). They must also pass a quarterly external network vulnerability scan by an Approved Scanning Vendor (ASV) and submit a signed Attestation of Compliance (AOC).
Service Provider Level 2 - Providers at this level do not need an onsite QSA assessment, but must complete an annual self-assessment using the service provider version of SAQ D, and still need to pass quarterly ASV scans and submit a signed AOC.
Requirements for merchants
Merchants fall into one of the following levels based on the number of transactions processed over a twelve-month period. The exact thresholds are set by each card brand; the figures below follow Visa's definitions, where the Level 3 and Level 4 thresholds refer to e-commerce transactions:
- Level 1 - merchant processes more than 6 million transactions per year
- Level 2 - merchant processes between 1 million and 6 million transactions per year
- Level 3 - merchant processes between 20,000 and 1 million e-commerce transactions per year
- Level 4 - merchant processes fewer than 20,000 e-commerce transactions per year (or up to 1 million transactions per year through other channels)
Level 1 carries the heaviest validation burden because of its transaction volume. Merchants in this category must undergo an annual onsite assessment by a Qualified Security Assessor (QSA) that results in a Report on Compliance (ROC), pass quarterly ASV scans and submit a signed Attestation of Compliance (AOC). Visa also allows the assessment to be performed by the merchant's own internal audit team if an officer of the company signs off on it.
Merchants at Levels 2, 3 and 4 do not normally need an onsite QSA assessment. They validate with an annual Self-Assessment Questionnaire (SAQ) of the type that matches how they accept cards, quarterly ASV scans where their SAQ requires them, and a signed AOC. Confirm the exact requirements with your acquiring bank, since individual card brands add conditions at some levels.
The next steps
Once you've established your merchant or service provider level, the next step is to check that your organization is meeting the security criteria set out in the twelve PCI DSS requirements.
To help your company navigate this process, CardConnect has produced a downloadable PCI compliance kit for the differing levels of compliance.
In the downloadable pack, you will find:
- PCI Compliance FAQs: some of the most commonly asked questions regarding PCI compliance are answered in this document.
- Useful PCI Compliance Resources: a list of useful websites, guides and resources for your navigation through PCI compliance.
- PCI Compliance Progress Tracker: a tracking spreadsheet to help guide your business through the PCI compliance process. The progress tracker covers all aspects of the process, including step-by-step instructions to ensure that a security policy is in place for your organization, that physical access to cardholder data is restricted, and that anti-virus software and information security procedures are regularly maintained.
To download the PCI compliance pack, please complete the short form below. You will then receive the pack directly to your inbox.