So how do you become PCI Compliant?
The right compliance for your business
If you’re accepting payments, you’ve already committed to being PCI DSS compliant – and to ensuring your daily processes are properly secure.
- Confirm your merchant level. The first step is to discuss and verify your merchant level with the bank or clearinghouse that handles your credit card transactions. Merchants are divided into four categories based on VISA card transactions over 12 months. Your merchant level will determine how stringent your PCI compliance programs must be.
- A Level 1 merchant processes over 6 million VISA transactions per year or is designated Level 1 by the VISA company
- A Level 2 merchant accepts between 1 and 6 million VISA transactions annually. This includes in-person and online.
- A Level 3 merchant will process between 20,000 and 1 million VISA transactions per year.
- A Level 4 merchant, considered a small merchant, takes in fewer than 20,000 VISA payments per year.
- PCI DSS requirements also apply to businesses that accept other credit cards, such as American Express, MasterCard, and Discover. VISA is used as the benchmark for establishing merchant levels.
Understand the penalties for PCI DSS violations. Businesses that are not PCI DSS compliant may be subject to fines, sanctions, and loss of privileges from the clearinghouse that processes credit card payments. If the PCI failure results in an actual loss of data, the business could face fines, higher fees, and other sanctions from banks and credit card processors.
- Businesses that are not PCI-compliant may be subject to lawsuits and governmental prosecution for failing to protect customer data.
Familiarize yourself with the best security practices. The first PCI DSS standard, implemented September 2009 (DSS v 1.2), introduced the 12 requirements that a merchant should examine in order to be PCI compliant. Depending on your merchant level, the amount of technology, training, and expertise needed to implement the standards will vary. For example, a network that handles 2 million transactions will be more sophisticated than a network that processes 2,000.
- PCI 3.1 went into effect in June of 2015 and deals with new standards in technology and addresses vulnerabilities in common encryption programs.
- PCI compliance best practices fall into six general categories: secure network, data protection, vulnerability management, access control, monitoring and testing, and security policy. The PCI Council has a self-assessment questionnaire to help small businesses determine compliance with the security standards.
Implementing PCI Compliance Programs
Build and maintain a secure network. For businesses, this will mean developing a relationship with a trusted contractor. Unless you are an IT professional, you should not install your own network if it will store customer data. Even an out-of-the-box system may have vulnerabilities if not installed and updated properly.
- Keep your firewalls up-to-date and operational. Do not disable firewalls for any purpose.
- Change passwords provided by the vendor immediately. Also, implement a password policy for your employees. Passwords should be changed regularly in line with vendor instructions, and they should be alphanumeric combinations that are not dictionary words. If your vendor works on your system, change all passwords when it comes back online.
Protect cardholder information. If you manually process credit cards, the slips and receipts should be kept in locked files with limited access. If cardholder information is stored on your network, it should be encrypted and protected behind the company firewalls.
Create a vulnerability management program. Your system should be protected with appropriate anti-virus software. You should also have a company program that prohibits adding software, such as games, that could compromise the system.
Implement Access Control. Password access to your system should be restricted. Each employee should have only the access needed to do their job. Explain that this protects both your employees and your customers. If there is a data breach, restricted access will narrow the possibilities and help the investigation.
- For your network, give each user and each terminal a unique ID number. In the event of a confirmed or suspected breach, your IT professionals will be able to quickly identify the entry point.
- Secure physical records that contain customer and cardholder data. Use either a card key system or a physical lock and key.
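The unique-ID requirement above is what makes a breach investigation tractable: with one ID per user and one per terminal, every access to a cardholder record resolves to a specific person at a specific entry point. The script below is an added example, not part of the original article, showing how an IT professional might use such IDs against an access log. The log format, the field names, the sample events and the list of "shared" logins are all constructed assumptions for illustration.

```python
"""Attributing cardholder-data access to a unique user and terminal.

Constructed audit-log sample and helper functions (added example, not from
the original article). Each line is: ISO timestamp, user ID, terminal ID,
action, record. The log format, field names and the shared-account list
are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: five events on four terminals. "pos-shared" stands for
# a generic login that several cashiers know, which unique-ID rules forbid.
SAMPLE_LOG = """\
2024-03-01T09:12:03Z u1042 term-07 READ  card-record-5581
2024-03-01T09:15:44Z u1042 term-07 PRINT card-record-5581
2024-03-01T11:02:10Z pos-shared term-02 READ  card-record-9920
2024-03-01T11:03:51Z pos-shared term-05 READ  card-record-9920
2024-03-01T13:47:29Z u2077 term-03 READ  card-record-5581
"""

# Assumed list of generic logins that should not exist on a system in PCI scope.
SHARED_ACCOUNTS = {"pos-shared", "admin", "root", "cashier"}


@dataclass(frozen=True)
class AccessEvent:
    timestamp: str
    user_id: str
    terminal_id: str
    action: str
    record: str


def parse_log(text: str) -> list:
    """Parse whitespace-separated log lines; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed line: do not guess at fields, just skip it
        events.append(AccessEvent(*parts))
    return events


def trace_record(events, record: str) -> list:
    """Every (user, terminal) pair that touched a record, in time order.

    With unique IDs this is the list of candidate entry points an
    investigator checks first after a suspected breach.
    """
    ordered = sorted(events, key=lambda e: e.timestamp)
    return [(e.user_id, e.terminal_id) for e in ordered if e.record == record]


def shared_account_findings(events) -> dict:
    """Map each shared account seen in the log to the terminals it used.

    A shared account used from several terminals cannot be attributed to one
    person or one entry point, which defeats the purpose of unique IDs.
    """
    seen = defaultdict(set)
    for e in events:
        if e.user_id in SHARED_ACCOUNTS:
            seen[e.user_id].add(e.terminal_id)
    return dict(seen)


def attributable(events, record: str) -> bool:
    """True if every access to the record came from a unique, non-shared ID."""
    return all(user not in SHARED_ACCOUNTS for user, _ in trace_record(events, record))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for rec in ("card-record-5581", "card-record-9920"):
        print(rec, trace_record(evs, rec), "attributable:", attributable(evs, rec))
    print("shared accounts:", shared_account_findings(evs))
```

Run as-is, the script shows that every access to card-record-5581 can be pinned to a named user at a named terminal, while card-record-9920 was only ever read through the shared login, so the second record's access trail cannot identify an entry point. Flagging shared accounts in the log is a check worth running regularly, not only after an incident.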
Testing and Maintaining PCI Compliance
- Monitor and test your networks. Your security program must include regular scans and tests to track and monitor the flow of customer data through your network. Your IT professional or vendor can implement tests both when the system is at low use (for example, late at night on weekends) and in real time when the system is in use.
- Maintain a log of test results. Discuss how long to maintain test records with your bank and insurance company.
Develop an Information Security Policy.
All of the steps in your PCI-compliance program must be documented in your Security Policy. This document should detail all the steps your company takes to secure customer data. For Level 1 to 3 merchants, this program may run to several volumes and be integrated with the employee manual.
- Level 1 to 3 merchants will likely either contract with a security professional or have dedicated staff trained in the intricacies of writing and maintaining the Information Security Policy.
- A Level 4 merchant should contact the credit card clearinghouse for advice and assistance on creating the Security Policy. If the processor doesn’t provide a program template, then you should consider contracting with a security professional to create the document. Unless you are an IT professional, it is unlikely that you will be sufficiently versed in the technical details of your system to create a PCI-compliant security policy. Once it is created, it will only need to be updated when your network is expanded or updated. Your IT contractor can provide you with the documents you need to keep your security policy up to date.
- Most of your security program will be technical in nature, as in choice of firewall and security software, as well as the testing protocols. However, you should also include sections about the process when an employee leaves the company and passwords are revoked.
- Develop a process to keep track of keys and keycards. Master keys should be as strictly regulated as high level passwords.
Assess, remediate, and report your PCI compliance. Once the 12 parts of the PCI best practices are implemented, you should periodically run through the PCI Council's three-step review process to ensure that compliance is maintained.
- Inventory your IT systems and business processes. If anything has changed, update your security programs and vulnerability management plans.
- If you find a weakness in your system, remediate the problem. This may require new equipment or software, user training, or updating your network. IT professionals should implement these changes.
- Keep records of your actions and submit reports of your compliance efforts to your bank and credit card companies. Your reports, efforts, and insights may help another company protect customer data.