Dealing with compliance issues can be confusing, but they’re an important and necessary aspect of business security. PCI compliance sets the standards and guidelines that companies like yours must use to manage personal data attached to credit cards. Although unfortunate, credit card fraud is still a prevalent issue around the world. In fact, in the United States alone, billions of dollars are lost as a result of credit card fraud every year. From Q1 2019 to Q2 2020, reports of credit card fraud spiked by 104%, according to the FTC. This isn’t simply about people getting their physical credit cards stolen, either. Most types of reported fraud involve criminals stealing personal information and opening new credit card accounts, which they then abuse. In addition to being a tragedy for all victims involved, such data breaches can be devastating for the companies who were responsible for the private customer data: damage to reputation, loss of confidence from customers, significant fines, and a potential stream of lawsuits to deal with are among the negative consequences. Being PCI compliant isn’t a guarantee that such breaches will never happen, but avoiding compliance gives cybercriminals yet another opportunity to exploit lackluster data security. This article will leave you informed about what you need to know in order to maintain PCI compliance and protect your customers’ personal payment information.
What is PCI Compliance?
This topic can be a bit confusing, so we’ll begin with the basics. PCI stands for Payment Card Industry. PCI compliance refers to the standards created to make sure that the credit card industry and relevant businesses secure their private customer data (credit card numbers, addresses, etc.) in a uniform way. The Payment Card Industry Data Security Standard (PCI DSS) is a list of requirements that aim to guarantee that all companies that process, store, or transmit credit card information do so in a secure environment.
For most businesses, PCI compliance is something that tends not to cross their minds. Many may mistakenly believe that, unless they’re directly handling customer payment information, they don’t need to think about compliance. But in reality, PCI compliance is much more involved and touches businesses of all kinds. There are multiple levels of compliance, and those different levels require different degrees of precaution. For instance, at a lower level, your business may interact with consumer credit card data as a third party without storing it. This includes businesses that take payment information over the phone, on your website, or whenever a customer physically swipes their card through a point of sale (POS) terminal. The requirements for compliance are generally less strict in these scenarios. But if your business were to actively store payment information in your databases, you’d have to meet more rigid compliance standards and take greater precautions.
Some payment providers will take care of much of the back-end work that goes into compliance, and in those cases, your business won’t have to worry about it. However, you still have to maintain and monitor the state of your business’s compliance and report back to your merchant services provider that compliance scans are taking place.
In other words, even if you’re a small business, there is a lot to consider with PCI compliance, which is why most businesses end up offloading much of this work to third-party providers or MSPs to handle these issues.
Why PCI Compliance Matters
There are three primary reasons why PCI compliance matters to your business.
- If your business handles customer payment information either directly or indirectly, your business has an obligation to maintain compliance; avoiding compliance will inevitably lead to fines. For average small businesses, these monthly fines usually range between $29 and $99 per month, which may not sound like much, but it can add up quickly if not attended to. If your business experiences a data breach and you’re found to be non-compliant, however, the fees could escalate to anywhere between $5,000 and $100,000 per month. Regardless, these fees can all be avoided if you maintain compliance.
- Maintaining PCI compliance is a great way to keep your data security in check, which supports your ability to operate within laws surrounding data privacy, such as the General Data Protection Regulation (GDPR) or the Gramm-Leach-Bliley Act (GLBA).
- Your customer’s private payment data matters, and when you fail to maintain compliance, you’re putting their well-being at risk. Data breaches tend to be devastating for all parties involved, and it can take years for a company to repair reputational damage.
Understanding PCI SSC Data Security Standards
Here are the 12 requirements for PCI DSS compliance:
- Your organization must install and maintain a strong firewall to protect customer payment information.
- Don’t settle for vendor-provided default security for passwords and other security parameters. Instead, upgrade to something more secure. For instance, many standard pieces of hardware like routers ship with basic login details, such as the username and password both being “admin” for the sake of convenience when you’re first setting it up—make sure you always update such details to something more secure.
- If your company absolutely must store customer payment information on your own systems, take the necessary precautions to protect those storage systems.
- All incoming and outgoing transmissions involving cardholder data must be encrypted, especially when communicating in open or public networks.
- All antivirus software or programs must be kept up-to-date.
- If your company develops systems or applications that interact with customer payment information, you must make sure said systems and applications are properly secured.
- Only allow designated parties to access electronic personal payment data.
- Similarly to requirement 7, only designated parties should be granted access to physical personal payment data.
- Each person who has computer access should be assigned a unique ID.
- All access to personal payment information should be tracked and monitored.
- Your business should run regular tests on your security systems and procedures.
- Be sure to spread awareness/understanding of your information security policies as they relate to PCI DSS compliance. Having the security policies isn’t enough—the information must be properly disseminated throughout the entire organization. A good practice is to challenge the strength of your policies annually and then revise them as necessary.
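Requirements 7, 8, and 10 above (designated parties only, unique IDs per person, and tracked access to cardholder data) are the kind of controls a compliance scan or an internal review checks by reading access logs. The following is an added example, not code from the original article or from any PCI SSC material: a small audit over constructed log lines for a cardholder data store. The log format, the user names, the resource names, and the allowlist of designated users are all assumptions made up for this example.

```python
"""Added example (not from the original article): audit constructed access-log
lines for a cardholder data environment against three PCI DSS requirements:
  - requirement 7: only designated parties may access cardholder data,
  - requirement 8: every person uses a unique ID (no shared/default accounts),
  - requirement 10: every access must be attributable (who, what, when).
Log format, user names and resource names are assumptions for this example."""
import re
from dataclasses import dataclass

# Constructed sample log in an assumed "timestamp user ACTION resource" format.
SAMPLE_LOG = """\
2024-03-01T09:14:02Z alice.w READ card_vault/pan
2024-03-01T09:15:40Z admin READ card_vault/pan
2024-03-01T09:16:11Z bob.k EXPORT card_vault/pan
2024-03-01T09:17:55Z alice.w READ reporting/summary
2024-03-01T09:18:03Z shared-ops WRITE card_vault/pan
2024-03-01T09:19:30Z malformed line without fields
"""

# Assumed allowlist of people designated to touch cardholder data (requirement 7).
DESIGNATED_USERS = {"alice.w", "carol.m"}
# Assumed generic account names that indicate a shared or default account (requirement 8).
GENERIC_ACCOUNTS = {"admin", "root", "shared-ops", "service"}
# Resources that hold cardholder data; only these are in scope for the checks.
CDE_RESOURCES = {"card_vault/pan"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<action>[A-Z]+)\s+(?P<resource>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    requirement: int  # which PCI DSS requirement the line violates
    user: str         # user on the line, or "?" when it cannot be attributed
    line: str         # the raw log line, kept for the reviewer


def audit_access_log(log_text: str) -> list[Finding]:
    """Return one Finding per log line that violates requirement 7, 8 or 10."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            # Requirement 10: an entry that cannot be attributed to a user,
            # action and resource is itself a tracking failure.
            findings.append(Finding(10, "?", raw))
            continue
        user, resource = m["user"], m["resource"]
        if resource not in CDE_RESOURCES:
            continue  # not cardholder data; out of scope for these checks
        if user in GENERIC_ACCOUNTS:
            # Requirement 8: a shared or default account cannot be tied to one person.
            findings.append(Finding(8, user, raw))
        elif user not in DESIGNATED_USERS:
            # Requirement 7: a real person, but not one designated for this data.
            findings.append(Finding(7, user, raw))
    return findings


if __name__ == "__main__":
    for f in audit_access_log(SAMPLE_LOG):
        print(f"requirement {f.requirement}: {f.user}: {f.line}")
```

The generic-account check runs before the allowlist check on purpose: a shared account such as “admin” is a requirement 8 problem even if someone added it to the allowlist, because it can never be traced back to one individual.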
PCI Compliance Levels
There are four levels of PCI compliance, and which level your business resides in is determined by the volume of credit card transactions per year.
- Level 1 — Your business processes over 6 million Visa and/or Mastercard transactions every year. Obviously, this is quite a bit of data to store, and the repercussions of a breach could be severe, so it’s best to have secure storage for this data and have it backed up. At this level, it’d be worth considering next-generation firewall security.
- Level 2 — Your business processes between 1 million and 6 million Visa and/or Mastercard transactions every year. Although your business is handling less data than at level 1, you should still keep a backup in case a disruptive event were to occur and threaten the data security of your organization.
- Level 3 — Your business processes between 20 thousand and 1 million Visa and/or Mastercard transactions every year. While we still recommend your business keep backups to protect cardholder information, your data storage needs will be less pronounced than in the former two tiers.
- Level 4 — Your business processes fewer than 20 thousand Visa or Mastercard ecommerce transactions per year, or up to 1 million total credit card transactions with either brand per year, and has not suffered a breach that compromised cardholder data.
Securing Customer Emails
Email is, by its very nature, insecure. As we’ve mentioned in our article on email security, you should never send sensitive information, such as cardholder data, through email in an unencrypted state. Instead of communicating sensitive cardholder data to your customers over email, we recommend using a secure payment platform that can store card data in a secure and PCI compliant manner. For instance, if your business has a secure application whose communications are encrypted, it’d be safer to find a way to send private payment data there than through email.
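One practical way to enforce the rule above, and requirement 3 from the list (protect any card data you hold, never store more than you need), is to check outgoing text for card numbers before it leaves your systems and mask what you find. The code below is an added example, not code from the original article: it looks for digit runs that pass the Luhn checksum, which real card numbers do and most order or phone numbers do not, and rewrites them to show only the first six and last four digits. The sample message, the function names, and the 16-digit test number are constructed for this example.

```python
"""Added example (not from the original article): detect probable card
numbers (PANs) in outgoing text and mask them to first six / last four.
The sample message and all function names are this example's own."""
import re

# Candidate runs of 13-19 digits, allowing single spaces or dashes between digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed outbound message: one real-looking card number, one order number
# and one phone number that must NOT be flagged.
SAMPLE_MESSAGE = (
    "Hi Dana, order 1234567890123 is confirmed. "
    "Card on file: 4111 1111 1111 1111, exp 12/26. "
    "Call 555-123-4567 with questions."
)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, check mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def _looks_like_pan(digits: str) -> bool:
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, star out the middle."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return the probable card numbers in text, digits only, in order found."""
    return [
        _digits_only(m.group())
        for m in CANDIDATE_RE.finditer(text)
        if _looks_like_pan(_digits_only(m.group()))
    ]


def redact_message(text: str) -> tuple[str, int]:
    """Return (text with PANs masked, number of PANs masked).
    Candidates that fail the Luhn check are left untouched."""
    count = 0

    def repl(m: re.Match) -> str:
        nonlocal count
        digits = _digits_only(m.group())
        if _looks_like_pan(digits):
            count += 1
            return mask_pan(digits)
        return m.group()

    return CANDIDATE_RE.sub(repl, text), count


if __name__ == "__main__":
    redacted, n = redact_message(SAMPLE_MESSAGE)
    print(f"masked {n} card number(s):\n{redacted}")
```

A check like this belongs at the point where mail is generated or in an outbound mail filter; when it finds a card number the safer action is to block the message and point the customer to the payment platform, with masking as the fallback rather than the goal.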
What if You’re Found to be Out of Compliance?
Obviously, one of the most significant consequences of being out of compliance is the fines, which start at around $10/month and can go up to $100,000 per month until your organization becomes compliant. A less obvious problem is that if your business is out of compliance, your company is probably lacking key infrastructure and information security programs that aren’t only useful for compliance but also for protecting your organization in general. The cost of playing catch up and adopting modern information security standards will depend on how far behind your company is. Once your company does catch up, you’ll probably need to have a qualified security assessor (QSA) perform an independent assessment, which can also cost a decent amount of money.
What Happens if Data Security is Breached?
If your data security is breached, the damage could be severe. The criminals who broke through your data security will have access to your customers’ private payment information, thus exposing them to credit card fraud. If the criminals managed to breach your security, there’s little reason to believe they’d stop their looting at cardholder data, especially if your business handles other proprietary information that could be valuable. In other words: a breach puts your entire organization’s data at risk. How your company is required to respond to a data breach varies state by state, but the emergence of General Data Protection Regulation (GDPR) laws helps indicate the general direction the entire data security world is headed in. For instance, the GDPR laws require your organization to report a breach to the Information Commissioner’s Office (ICO) within 72 hours after your company becomes aware of the event, but this only applies if you serve customers in the EU and/or track their data. The 72 hours include weekends, bank holidays, and evenings. If your business only serves customers that are stateside, your deadline for reporting on your breach can be anywhere from 30–90 days, but the sooner you do it, the better. It’s understandable that circumstances may prevent you from submitting your report within that window of time, so if you take longer, you can provide justifiable reasons for doing so. Some details to include in your report are:
- Describe the nature of the personal data that was breached and how many people it affected. Be sure to include the type of personal data records that were compromised.
- Submit the name and contact information of your data protection officer. If your company does not have one, provide an alternative contact point where the relevant information can be acquired.
- Describe the probable impact and consequences of the data breach.
- Describe the measures your company took or proposed to take to handle the breach, the details of which you should be able to acquire from your business continuity and data recovery (BCDR) plan.
How to Achieve & Maintain PCI Compliance
When it comes to achieving and maintaining PCI compliance, the first step is to find a reputable payment provider to work with. There are many to choose from, but three of the most well-known companies include Stripe, PayPal, and Duo. Unless you intend to handle the annual system scanning and security questionnaires internally, the next step is to find a third-party company like Security Metrics or an MSP to handle those tasks for you. And finally, make sure you properly train your staff on compliance protocols and assign access to private cardholder data to designated parties. Keep in mind that as cybersecurity continues to evolve, so too will the standards for compliance. To stay ahead of these changes, be sure to monitor advances in the cybersecurity space and adjust your strategy when and where necessary. Another good practice for maintaining compliance is to keep all business and client data organized and easily accessible to designated parties in your company. You should also make it a point to understand the boundaries of your data environment for payment information. How does the data enter your system? At what point does it become secure? These are some of the questions you should be able to answer.
Following Compliance Supports Data Security
Working to maintain PCI compliance will help enhance your business’s security practices all around, especially if you’re working from an office or have a website. Even if your company doesn’t have private cardholder data to keep secure, conducting regular scans of your systems and website will help set the tone for how your organization protects your critical data. Maintaining PCI compliance will also help keep your company more secure since PCI compliance requirements are based on IT security best practices. In summary:
- What is PCI Compliance? — PCI compliance relates to the standards and requirements created to keep private cardholder data handled by the credit card industry and relevant businesses uniform and secure.
- Why Does PCI Compliance Matter? — It matters because if your business is found to be out of compliance, you will incur fines. Avoiding compliance also puts your customers at risk of credit card fraud. Being outside of compliance also runs the risk of your business losing its merchant services privileges.
- Following PCI Compliance Security Requirements — The PCI Security standards should be followed not only to maintain compliance but also to help keep your company’s data security systems and protocols up to date and top of mind.
- PCI Compliance Levels — There are four levels of PCI Compliance:
  - Level 1 — Your business processes over 6 million Visa and/or Mastercard transactions every year.
  - Level 2 — Your business processes between 1 million and 6 million Visa and/or Mastercard transactions every year.
  - Level 3 — Your business processes between 20 thousand and 1 million Visa and/or Mastercard transactions every year.
  - Level 4 — Your business processes less than 20 thousand Visa and/or Mastercard transactions every year.
- Securing Customer Emails — Communicating sensitive cardholder data over email is never advisable. Instead, it’s better to communicate via a more secure channel.
- What if Your Company Doesn’t Maintain PCI Compliance? — If your company doesn’t maintain PCI compliance, you may be fined between $10 to $100,000 per month, depending on the size of your business. You’ll also have to pay for qualified security assessments to get back into compliance.
- What Happens When Data Security is Breached? — If your security is breached, your company will have to release a report on the event within 72 hours. Your company will also have to deal with the loss of confidence from your customers and the damage to your reputation.
- Implementing and Maintaining PCI Compliance — The first step is to find a reputable payment provider to work with. The second step is to find someone to handle your regular security scans and questionnaires, which could be the payment provider you go with, a third-party, or an MSP. Lastly, make sure your staff understands the protocols and procedures around maintaining PCI compliance.