if your business is found to be out of compliance, you will incur fines. Avoiding compliance also puts your customers at risk of credit card fraud. Being outside of compliance also runs the risk of your business losing its merchant services privileges.
Here are the 12 requirements for PCI DSS Compliance:
- Your organization must install and maintain a strong firewall to protect customer payment information.
- Don’t settle for vendor-provided default security for passwords and other security parameters. Instead, change them to something more secure. For instance, many standard pieces of hardware like routers ship with basic login details, such as the username and password both being “admin”, for the sake of convenience when you’re first setting them up. Make sure you always change such details to something more secure.
- If your company absolutely must store customer payment information on your own systems, take the necessary precautions to protect those storage systems.
- All incoming and outgoing transmissions involving cardholder data must be encrypted, especially when communicating in open or public networks.
- All antivirus software or programs must be kept up-to-date.
- If your company develops systems or applications that interact with customer payment information, you must make sure said systems and applications are properly secured.
- Only allow designated parties to access electronic personal payment data.
- Similarly to requirement 7, only designated parties should be granted access to physical personal payment data.
- Each person who has computer access should be assigned a unique ID.
- All access to personal payment information should be tracked and monitored.
- Your business should run regular tests on your security systems and procedures.
- Be sure to spread awareness and understanding of your information security policies as they relate to PCI DSS compliance. Having security policies isn’t enough; the information must be properly disseminated throughout the entire organization. A good practice is to challenge the strength of your policies annually and then revise them as necessary.
While the above standards are good to keep in mind when trying to maintain PCI compliance, it’s also important to do quarterly compliance scans that cover anywhere your business receives payment data.
So, if you accept payment from office computers, then you should scan the office network. The same goes if you take payment data on your website or through some other program that’s integrated with your billing system.
Because this process can become fairly complicated and time-consuming, many merchant services providers offer their own compliance scan services. For instance, Bank of America offers closure security.
Another great platform that helps businesses like yours with compliance scans is Security Metrics, which offers a simple and intuitive platform.
The security standards covered in this section help your company keep your data security protocols and systems top of mind, which isn’t just good for maintaining compliance, but also great for your own security in general.
PCI Compliance Levels
There are four levels of PCI compliance, and which level your business resides in is determined by the volume of credit card transactions per year.
- Level 1 — Your business processes over 6 million Visa and/or Mastercard transactions every year. Obviously, this is quite a bit of data to store, and the repercussions of a breach could be severe, so it’s best to have secure storage for this data and have it backed up. At this level, it’d be worth considering next-generation firewall security.
- Level 2 — Your business processes between 1 million and 6 million Visa and/or Mastercard transactions every year. Although your business is handling less data than at level 1, you should still keep a backup in case a disruptive event were to occur and threaten the data security of your organization.
- Level 3 — Your business processes between 20 thousand and 1 million Visa and/or Mastercard transactions every year. While we still recommend your business keep backups to protect cardholder information, your data storage needs will be less pronounced than in the former two tiers.
- Level 4 — Your business processes fewer than 20 thousand Visa or Mastercard ecommerce transactions per year, or up to 1 million total credit card transactions with either brand per year, and has not suffered a breach that compromised cardholder data.
Securing Customer Emails
Email is, by its very nature, insecure.
As we’ve mentioned in our article on email security, you should never send sensitive information, such as cardholder data, through email in an unencrypted state.
Instead of communicating sensitive cardholder data to your customers over email, we recommend using a secure payment platform that can store card data in a secure and PCI-compliant manner.
For instance, if your business has a secure application whose communications are encrypted, it’d be safer to find a way to send private payment data there than through email.
What if You’re Found to be Out of Compliance?
Obviously, one of the most significant consequences of being out of compliance is the fines, which start at around $10/month and can go up to $100,000 per month until your organization becomes compliant.
A less obvious problem is that a business that is out of compliance is probably also lacking key infrastructure and information security programs that are useful not only for compliance but also for protecting the organization in general.
The cost of playing catch up and adopting modern information security standards will depend on how far behind your company is.
Once your company does catch up, you’ll probably need to have a qualified security assessor (QSA) perform an independent assessment, which can also cost a decent amount of money.
Keeping Your Cardholder Data Secure
Maintaining PCI compliance is about more than just following rules and regulations.
Your customers’ cardholder data is confidential, and with data protection becoming an increasingly hot issue in the digital world, prioritizing PCI compliance will help your business thrive into the future.
As you’re no doubt aware, maintaining PCI compliance takes a lot of time and energy. It’s possible for your company to build your PCI compliance from the ground up, but that approach takes a lot of attention away from actually running your business.
It’s for this reason that many businesses rely on third parties and MSPs like Commprise to take care of this aspect of their businesses. When you work with us, you get more than a set-it-and-forget-it experience.
We provide tailor-fit solutions and work with you to weather any storm or technological disruption that comes your way. With our IT Security and Compliance Auditing services, you’ll get a clear picture of all your IT systems, network, and data.