What is PCI? The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment. Small businesses, from e-commerce merchants to service providers, all need to ask themselves the same question when they are in the process of opening up a business: do I need PCI compliance? Determining if you need to comply is only the first small obstacle. After that comes the hard work involved in meeting all the PCI compliance requirements. In today’s article, we will learn why it’s very important for every business to be PCI compliant. Let’s take a look at a few PCI DSS FAQs so that we can get a better understanding of them.
Is PCI Compliance mandatory for my business? The answer is yes, any business that processes, handles, or stores credit card data on behalf of a merchant is required to be PCI DSS Compliant. Sure, it’s an obligation, but it also unlocks new opportunities for your organization to grow and succeed.
Are there any penalties for non-compliance? The answer is yes payment brands may, at their discretion, find an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine along until it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business. It is important to be familiar with your merchant account agreement, which should outline your exposure.
Is PCI Compliance beneficial to my business? Compliance being mandatory shouldn’t be the only reason or motivator for you to make sure that you’ve built up a robust PCI data security posture. Keep in mind that making sure that your customers’ credit card information is always protected comes with several benefits, including enabling your business to:
- Work with payments processors to create a new online marketplace, helping grow revenues
- Save time and money so you can bring your products and services to market faster
- Show your customers that you take their data security seriously, therefore have taken the appropriate steps to keep it safe and secure.
- Minimize the risk of being impacted by a potential sensitive data breach
Is PCI Compliance required for a small business? PCI compliance is required for organizations of all sizes, including small businesses. Small businesses need to be PCI compliant if it plans to collect, transmit, or store PCI data (credit card and cardholder data) no exceptions.
Are there any PCI DSS requirements? The answer is yes, there are 12 requirements which are a set of security controls that businesses are required to implement to protect credit card data and comply with the Payment Card Industry Data Security Standard (PCI DSS). Here is the list of said requirements:
- Install and maintain a firewall configuration to protect cardholder data: this ensures that service providers and merchants maintain a secure network through the proper configuration of a firewall as well as routers if applicable.
- Do not use vendor-supplied defaults for system passwords and other security parameters: this focuses on hardening your organization’s systems such as servers, network devices, applications, firewalls, wireless access points, etc.
- Protect stored cardholder data: this one is the most important requirement, you must first know all the data you are going to store along with its location and retention period.
- Encrypt transmission of cardholder data across open, public networks: this one is also an important requirement, it’s to secure the card data when it is transmitted over an open or public network (e.g. internet, Bluetooth, etc.).You must know where you are going to send/receive the card data to/from. Majorly, the card data is transmitted to the payment gateway, processor, etc. for processing transactions.
- Use and regularly update anti-virus software or programs: This requirement focuses on protection against all types of malware that can affect systems. Ensure that anti-virus mechanisms are always active, using the latest signatures, and generating auditable logs.
- Develop and maintain secure systems and applications: It is important to define and implement a process that allows to identify and classify the risk of security vulnerabilities in the PCI DSS environment through reliable external sources.
- Restrict access to cardholder data by business need to know: This requirement is all about role-based access control, which grants access to card data and systems on a need-to-know basis.
- Assign a unique ID to each person with computer access: Every authorized user must have a unique identifier and passwords must be adequately complex. This is to ensure that whenever someone accesses cardholder data, that activity can be traced to a known user and accountability can be maintained.
- Restrict physical access to cardholder data: This one focuses on the protection of physical access to systems with cardholder data. And it requires the use of video cameras/electronic access control to monitor entry and exit doors of physical locations such as data centers.
- Track and monitor all access to network resources and cardholder data: This requirement requires that all the systems must have the correct audit policy set and send the logs to a centralized Syslog server. Audit data must be secured, and such data must be maintained for a year.
- Regularly test security systems and processes: This one requires that all systems and processes be tested frequently, to ensure that security is maintained. And file monitoring is a necessity, too. Make sure you perform file comparisons each week to detect changes that may have otherwise gone unnoticed.
- Maintain a policy that addresses information security for all personnel: Last but not least this final requirement of PCI compliance is dedicated to the core PCI DSS goal, it is important to implement and maintain an information security policy for all employees and other relevant parties.
I hope this article has been helpful and informative. Our main goal at ABPay is to provide our clients with the best solution for their business needs. ABPay is always ready and available to guide business owners in the right direction. Our equipment and software meet PCI Compliance for all business sizes. For more information don’t hesitate to contact us.