Compliance is one of those words that send chills down the spine, inspiring nightmares that involve blood-thirsty lawyers, courtrooms and large amounts of money.
Handling customer credit card data is a serious responsibility with some attendant requirements that are well worth understanding, but it need not be all that scary for small retailers.
The Payment Card Industry (PCI) compliance regulation affects almost all merchants that accept credit and debit card payments; its goal is to protect cardholders against card data theft, misuse or loss.
The driving forces behind PCI compliance policies are the major credit card payment processors — Visa, MasterCard, American Express, Discover Card and JCB International — which formed the PCI Security Standards Council to define how retailers should protect transactional data and monitor their data security performance.
Each PCI Council member has defined categories of merchants based on the number of transactions submitted per year, along with PCI audit and reporting requirements pertaining to each category. The precise definition of each category varies between the credit card companies, but we will use Visa’s categories to illustrate the scale (MasterCard and American Express generally have lower thresholds for each category):
— Level 1: The highest volume merchants, which submit 6 million or more transactions per year, as well as merchants that have had a data incident or have been classified as Level 1 by another credit card company.
— Level 2: Merchants that submit 1-6 million transactions per year.
— Level 3: Merchants that submit 20,000 to 1 million e-commerce transactions per year.
— Level 4: Merchants submitting less than 20,000 e-commerce transactions per year, and all other merchants up to 1 million transactions per year.
Rightfully, merchants submitting higher volumes of transactions face the most stringent PCI compliance standards and penalties, due to the risks associated with the quantity of data they possess.
However, Visa reports that cardholder data is compromised more frequently at Level 4 merchants than at Levels 1, 2 and 3 combined — small wonder, because 99% of the merchants that accept Visa cards are Level 4 merchants.
Security assessment requirements for smaller merchants
Level 3 merchants are required to perform and submit an annual PCI self-assessment questionnaire, as well as to have a qualifying scanning vendor perform a quarterly network scan and report on compliance. Acquiring banks for Level 4 merchants may require the same self-assessment and network scan; merchants should contact their acquiring bank to determine what it requires.
CDW recommends working with a compliance service partner that employs active PCI network scans. These network scans test merchant PCI connections and systems for more than 14,000 known vulnerabilities and misconfigurations, inspecting and testing in detail to validate any apparent issues and eliminate any false positives — indications of possible vulnerability where in fact there is none. The scanning vendor provides a detailed report to the merchant and submits it to the PCI Security Standards Council on the merchant’s behalf.
The key words here are “qualifying scanning vendor.” The council requires these scans to be done by a third party whom it has certified to perform these tests.
The best insurance: A well-managed network
So far, so good: the bad news is that most merchants have PCI audit requirements, but the good news is that someone else can take care of the audits for them. Better still, the PCI Security Standards Council has published an answer key, a list of what a merchant needs to do in order to pass the security tests. The requirements include:
— Build and maintain a secure network — Install and maintain a firewall configuration to protect cardholder data separately from other company data. Do not use vendor-supplied defaults for system passwords and other security parameters.
— Protect cardholder data — Secure all storage devices where you keep cardholder data, and encrypt transmission of cardholder data across open, public networks.
— Maintain a vulnerability management program — Use and regularly update antivirus software (this can usually run on autopilot). Develop and maintain secure systems and applications.
— Implement strong access control measures — Restrict your associates’ access to cardholder data according to their business need-to-know. Assign a unique ID to each person with computer access, and by all means, restrict physical access to cardholder data.
— Regularly monitor and test networks — Track and monitor all access and entries to your network resources and cardholder data. Regularly test your security systems and processes.
— Maintain an information security policy that clearly defines how your customer and cardholder data is to be protected and sets out consequences for violation — and be sure that your associates are reminded frequently what the policy is.
These requirements should pertain to any well-managed company network. The key is in separating cardholder data from other company information and protecting it against access by any person who lacks a legitimate business reason to see it or touch it. Even though the process may sound daunting at first, there is a wealth of resources to help merchants achieve compliance success.
Disse is a point-of-sale solutions specialist at CDW Corporation.