PCI Compliance 101
As technology advances and credit card usage increases, the threat to both cardholders and merchants of payment account theft continues to grow. Large corporations such as Home Depot, Neiman Marcus and TJ Maxx have all fallen victim to data breaches from cybertheft. These instances end up costing corporations hundreds of millions of dollars and affect the tens of millions of cardholders who used these retailers. In an attempt to prevent future attacks and protect the information of the cardholders, the PCI Security Standard Council was formed to combat this growing problem.
In 2006, the Payment Card Industry (PCI) council was created to help train and educate vendors, merchants, hardware and software manufacturers along with other financial institutions about fraud and securing customer payment card account information. Through educational material and industry-wide guidelines, PCI security standards were set in place to help combat fraud and provide safe and secure environments for customers shopping online, over the phone or in a retail locations.
Who is the Payment Card Industry?
The Payment Card Industry council, comprised of the members who are responsible for creating the Payment Card Industry Data Security Standard (PCI-DSS) are the largest payment card brands and payment card networks in the financial services industry, including:
- American Express
These members are all responsible for creating, maintaining and updating the PCI standards that vendors, merchants and financial institutions are required to abide by when handling customer card account information.
What is PCI-DSS Compliance and Why Does It Exist?
As technology has evolved and payment cards have grown to become the most common form of payment, the threat of fraud and the cost of payment card theft has also increased. In 2017 alone, over 1 million cases of payment card fraud was reported to the FTC, resulting in over $900 million worth of fraud losses by merchants, financial institutions and credit card networks.
By creating the PCI-DSS standards and requiring financial institutions to insure vendors and merchants are compliant every year, the Payment Card Industry is working to prevent some forms of credit card fraud. The goals that were set forth by the PCI council include:
- Building and Maintaining a Secure Payment Network
- Protecting Cardholder Account Information
- Maintain a Network Security Management Program
- Require Strict Access Controls by Merchants
- Regular Monitoring and Testing of Network Security
- Maintain a Policy of Security Measure for Network Users
Maintaining a Secure Network: Merchants utilizing credit card terminals, point of sale systems and/or payment gateway applications are required to maintain a firewall to strengthen the network security and lessen the threat of any security breaches. When merchants are set up with new payment card services and equipment, when an employee leaves the business or as an ongoing security precaution; merchants are required to maintain strong passwords that can not be easily guessed and are encouraged to change passwords on a regular basis.
Protecting Cardholder Data: Businesses that store cardholder data for future billing are responsible for maintaining the account information in a secure manner that prevents the possibility of theft or fraud. Account information should never be written down or stored in a physical manner, rather it should be held in a PCI Compliant location that prevents full account information from being accessible. When sending card account information online from a shopping cart through a payment gateway or through a wireless card reader, card account information is required to be encrypted to prevent any possible threats from vulnerable connections or programs.
System Management Programs: Merchants operating e commerce websites or using wifi connections to transmit payment card transactions should maintain a strong system security protocols; whether its by using a secured WiFi connection, utilizing anti virus software on a computer or maintaining a TLS/SSL certificate for e commerce websites, maintaining this high level of protection will help insure that transactions are sent through secure environments, reducing the chances of information being compromised.
Physical Access Control: One of the most common ways that cardholder account data is lost and compromised is through the physical handling of payment card information. This threat can be limited by controlling the access by employees to the cardholder information, restricting this account information to only individuals that are required to handle the cardholder data. Merchants using POS systems, using a payment gateway or virtual terminal can restrict employee access to cardholder data by implementing user accounts and controlling the permissions within those account. Merchants should never store cardholder account information in a physical form, rather utilize a secure PCI compliant storage application to retain this sensitive data.
Ongoing Testing of Networks: PCI Compliance requires merchants to perform annual, if not more frequent, testing of their systems to insure that all security protocols and programs are functioning properly. These scans are conducted through various companies, whether its sponsored by the merchant acquirer or from an outside company, demonstrating that all part of the network are fully PCI Compliant.
Maintaining Current Security Policies: Keeping employees, along with the merchants, up to date on PCI regulations and guidelines is one of the best ways to insure that the business remains compliant during the course of the year. By providing ongoing information and training, merchants can make sure that all facets of their business from their website and credit card terminals to their payment gateway and employees are fully aware and current with all aspects of the PCI-DSS regulations.
Why Does PCI Compliance matter?
The members of the Payment Card Industry came together to help create an environment for merchants and customers alike that promoted security and trust among all individuals using the payment card networks. When security is strengthened by all users, it excels the growth of the network by allowing for more customers to feel confident and use their payment cards more often while merchants will to realize more sales and larger revenues.
Without guidelines for the network access, merchants and financial institutions along with the payment card brands risk losing the trust of customers, a potential threat that could cripple the industry indefinitely, this is why PCI-DSS standards and guidelines have been established and required the compliance of merchants, vendors and financial institutions.
Non-compliance by companies can create a variety of potential costly and troublesome problems with not only the Payment Card Networks, but also a number of different industries closely associated with the financial system. Potential problems that could arise from non-compliance includes:
- Increased costs of merchant services
- Fines and penalties from the Payment Card Industry
- Termination of merchant services by the PCI
- Costs from legal judgments and any settlements
- Loss of customer trust with a business
- Decline in revenues or incomes, potential loss of job
- Closing of the business
Though some of these scenarios can appear to be extreme, the costs associated with non-compliance can become tremendous if a theft or fraud does occur due to a merchant’s inaction to become or maintain compliance.
Who Needs to be PCI Compliant?
Any business or company that has access, provides a payment service or builds hardware to accept payments is required to follow the PCI guidelines for compliance. These businesses include, but are not limited to:
- Merchants; including all employees regardless of their industry
- Financial institutions; including merchant acquirers and payment service providers
- Manufacturers of credit card terminals and POS systems
- Payment gateway service providers
- Web hosting companies providing e Commerce hosting services
- Online shopping cart services
- e Wallet service providers
Some of these businesses might not directly handle payment card transactions, but the security protocols and services they provide that are used by merchants should at minimum reach the standards set forth by the Payment Card Industry.
How do Merchants become PCI Compliant?
PCI Compliance for smaller companies can be accomplished through self assessments that are provided online by the merchant acquirers. Answering a series of questions as to the practices and methods of payment card acceptance, the merchant acquirer can determine if the business is operating in a way that limits their potential for payment card fraud. Some of the questions that are asked of merchants during their PCI Compliance scan are:
- If anti-virus security software is used on their computer systems
- If the merchant uses a firewall to prevent remote access to their computer systems
- The strength of the passwords and the frequency of which they are changed
- The type of software they using on their computers
- The name of their payment gateway service
- The name of other security services providers (SSL
- The types of credit card terminals (if they accept EMV chip cards)
- The practices of employees for accepting payments ( mail order, phone order and in store)
- How card account information is stored for future billing purposes
Merchants that are located in throughout the world are required to maintain their PCI Compliance, while the level of compliance and the dates that compliance is required by might vary, the program does exist throughout the world where payment card transactions are accepted.
Merchants are classified as one of a 4 levels depending on the amount of transactions per year that they are processing through their networks. Larger merchants require additional security measures than small merchant. The levels of PCI Compliance are determined by the following:
- Level 1 – More than 6,000,000 transactions annually
- Level 2 – Between 1,000,000 and 5,999,999 transactions annually
- Level 3 – Between 20,000 and 999,999 transactions annually
- Level 4 – Less than 20,000 transactions annually
Level 1 merchants are required to do the annual self assessment questionnaire along with an annual onsite audit conducted by a certified security assessor. Merchants in levels 2 – 4 are required to complete a yearly self assessment questionnaire and partake in a remote scan of their merchant hardware and software.
Who Checks that Companies are PCI Compliant?
Level 1 merchants along with third party payment processors that are connected to VisaNet and MasterCard are required to participate in yearly onsite audits of their software, hardware and procedures. Level 2-4 merchants have remote scans available to them to audit their business in a rather quick and simple process, some annual audits can be finished in under 10 minutes.
Onsite PCI DSS compliance audits are administered by Qualified Security Assessors (QSA) that are located throughout the world, servicing various regions, countries and markets. With well over 100 different companies throughout the world that are recognized as qualified by the Payment Card Industry as authorized assessors, merchants and payment processors can rather quickly find an assessor to audit their company.
Questions about PCI Compliance for Adult Merchants
Merchants and other companies operating in the adult industry that have any questions or concerns about their current PCI Compliance or about becoming PCI Compliant can contact one of our adult merchant account professionals at Adult Merchant Services. Our team will be happy to speak with any merchants and help direct them in the right direction.