PCI Compliance is a combination of processes, procedures and rules designed to protect cardholder data. This includes information such as credit/debit card numbers plus other personally identifiable information (PII). The Payment Card Industry Security Standards Council has defined the PCI Compliance standards, along with the security controls expected to ensure that this PII is not lost, misplaced or stolen by cybercriminals.
The Council consists of American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Together they form the Payment Card Industry Security Standards Council.
Why should I undergo PCI Compliance?
Aside from protecting your customers’ data, there are other benefits to PCI Compliance:
- You’ll likely reduce your chances of being breached, as nearly all data breaches occur due to a lack of compliance with PCI Standards.
- You’ll improve your reputation and customer confidence.
- You might be eligible for lower insurance premiums.
What if I fail a PCI Audit?
There are a few organisations that provide PCI Compliance Assessments, the most widely used being Qualys, Inc., Trustwave and Verizon Business. An assessment checks the level of compliance with the twelve key security controls defined by the PCI Standards. It is conducted by an independent party and can cover a single location or multiple locations (such as stores).
If you fail, your processing bank will provide a “remediation” program which details what must be done to rectify the situation. This can include steps such as hiring an information security consultant or contracting a managed security service provider. If the above steps are not followed then your acquiring bank could terminate your merchant account.
If you fail an assessment, your acquiring bank may ask you to sign a “hold harmless” agreement, meaning they will not be liable for any damages as a result of the assessment failing.
What if I want to store credit card details?
It has been quite common in the past for organisations to store credit card details. This is no longer the case as it’s now a requirement to destroy all credit card information once the transaction has been processed. PCI DSS 2.0 section 3.4 specifically mentions that “the PAN (primary account number) must not be stored after authorization (either positive or negative) has been received”.
If you decide to store some information such as name and address, then this must be stored separately from the credit card number.
What if I’m a retailer and don’t handle cardholder data myself?
A retailer who doesn’t process cards themselves is still responsible for PCI Compliance; it’s just that all the operational responsibility will fall on their Point-of-Sale (POS) provider. This is because the retailer is still considered a “conduit” for cardholder data.
What are my obligations if I have a processor?
If you’re using a payment processor, then they will be responsible for PCI Compliance. As the retailer, your main responsibility will be to ensure that your POS provider is PCI Compliant.
What are the twelve key payment card security controls?
The following information comes from the PCI Security Standards Council website:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect cardholder data
- Implement strong access control measures
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Store cardholder data securely
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update antivirus software
- Develop and maintain secure systems and applications
- Regularly test security systems and processes
- Maintain a policy that addresses information security.
You can find out more about each of these twelve controls on the PCI Security Standards Council website.