This month we interviewed our Senior Risk Manager of Risk and Compliance and asked him to explain basic concepts of PCI Compliance. Having worked with the PCI Security Standards Council and card brands including Visa and MasterCard for over 3 years, he’s a true expert in this field. In our interview, he shares his expertise and summarizes the most essential points that will help merchants reduce risks of data breaches.
Q: What is PCI and who represents PCI in the Payment Processing world?
A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment. The Payment Card Industry (PCI) Security Standards Council was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry security standards, with a focus on improving payment account security throughout the transaction process. The PCI Council – composed of the five founding payment brands American Express, Discover Financial Services, JCB International, MasterCard, and Visa – is an open global forum that is responsible for the development, management, education, and awareness of the PCI Security Standards.
Q: Is Pivotal Payments certified with PCI DSS?
A: Absolutely. Pivotal Payments is Level 1 compliant which is the highest standard of PCI certification one can obtain. We undergo yearly on-site audits of our internal processes and periodic vulnerability scans of our systems and servers. Additionally, Pivotal Payments only uses trusted data centers and vendors that have the same level of certification.
Our IT Team is responsible for ensuring we meet the highest levels of security as well as maintaining infrastructure that is compliant with the PCI DSS. In addition, our Compliance Team ensures that company policies and procedures are compliant with Data Security Standard (DSS).
Q: What do merchants have to do to become PCI Compliant?
A: It is in each merchant’s best interest to remain PCI compliant in order to reduce the risk of a data breach, which may lead to the compromise of sensitive cardholder information.
The process that a merchant has to go through to become PCI compliant depends on the connection type used by the merchant’s POS system or device. Merchants that use a dial connection type have to complete the Self-Assessment Questionnaire (SAQ). The SAQ consists of 60-100 questions that will help merchants understand correct PCI processes on an intuitive level. For example:
“Are hardcopy materials cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed?”
At its core, this question tells the merchant how hardcopy materials are supposed to be disposed of in a PCI compliant way.
Each question provides clarification and guidance, and helps create internal processes for the merchant’s employees.
Merchants that use an IP connection must complete vulnerability scans every 4 months, along with completing the SAQ. Pivotal Payments’ Online Interactive portal partners with Qualified Security Assessors approved by the card brands to run these scans. The Qualified Security Assessor (QSA) runs the scan, detects any possible ports of intrusion, and creates a Report on Compliance. All this is done in order to safeguard against data breaches that could expose sensitive information.
Q: What is defined as “cardholder data”?
A: The PCI Security Standards Council defines cardholder data as the full Primary Account Number (PAN) or the full PAN along with any of the following elements:
• Cardholder name
• Expiration date
• Service code
Q: What are the risks involved if the merchant is not PCI Compliant?
A: Merchants that do not comply with PCI DSS may be subject to fines, card replacement costs, costly forensic audits, brand damage, or more, should a breach event occur. For a little upfront effort and cost to comply with PCI, you greatly reduce your risk of facing these extremely unpleasant and costly consequences.
Q: What are the basic recommendations on how to keep a business PCI compliant?
A: The PCI Security Standards Council has a few valid suggestions on their website. They summarized it pretty well.
• Create a culture of awareness and educate employees on a continuous basis. This is an easy-to-implement solution that is also critical to the business’s security well-being. Each person who interacts with sensitive data or the systems that handle it must be educated on the common tactics hackers use to steal information. In addition, it’s crucial that each employee understands the role they play in the business’s data chain.
• Designate a PCI champion. Even if your business doesn’t have a dedicated IT group, it will benefit from someone being formally assigned the role of understanding and monitoring basic security functions. This assignment carries with it the responsibility to keep business systems current with the latest patches and updates, as well as to consider the security impacts of website and physical POS changes.
• Avoid storing payment information whenever and wherever possible. Whether accepting customer payments over the phone, by fax, in person or online, it is always a best practice to immediately process that information and purge any remnants such as paper copies. Businesses that store payment information, either in hardcopy or electronic form, are putting themselves at a much more significant risk for breach. Encryption and tokenization solutions should also be employed to maintain the security of data in motion and at rest.
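The “avoid storing payment information” advice above, and the definition of cardholder data earlier in the interview (the full PAN on its own already counts), are easiest to act on when you can find PANs that have leaked into places they should never be, such as application logs. The Python script below is an added example, not code from the original post or from Pivotal Payments: it scans a few constructed sample log lines for 13-19 digit sequences, applies the Luhn check so that look-alike values such as order references are left alone, and masks real hits to the first six and last four digits so the cleaned log no longer contains a full PAN. The sample log lines, field names and card numbers in it are constructed for the example (the card numbers are publicly known test numbers, not real accounts).

```python
import re
from typing import Callable, Tuple

# Constructed sample log, as a careless application might write it.
# Line 1 and 2 carry full PANs (well-known test numbers); line 3 carries a
# 16-digit order reference that is NOT a card number; line 4 has no digits of interest.
SAMPLE_LOG = """\
2024-01-05 12:00:01 INFO order=1001 card=4111111111111111 exp=12/26 name=J. Doe
2024-01-05 12:00:02 INFO order=1002 card=5555 5555 5555 4444 exp=03/27
2024-01-05 12:00:03 INFO order=1003 ref=1234567890123456 status=ok
2024-01-05 12:00:04 INFO health check ok
"""

# 13 to 19 digits, optionally separated by single spaces or dashes, not
# embedded inside a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every payment card PAN passes it, most random
    digit strings (order ids, timestamps, references) do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (the truncation PCI DSS permits
    for display), replace the rest with X, preserve any separators."""
    n = sum(c.isdigit() for c in pan)
    out, idx = [], 0
    for c in pan:
        if c.isdigit():
            out.append(c if idx < 6 or idx >= n - 4 else "X")
            idx += 1
        else:
            out.append(c)
    return "".join(out)


def redact_line(line: str) -> Tuple[str, int]:
    """Return the line with every Luhn-valid PAN masked, plus the hit count."""
    hits = 0

    def _sub(m: "re.Match[str]") -> str:
        nonlocal hits
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw          # e.g. an order reference: leave it untouched
        hits += 1
        return mask_pan(raw)

    return PAN_RE.sub(_sub, line), hits


def redact_log(text: str) -> Tuple[str, int]:
    """Redact a whole log; the count tells you how many full PANs were stored."""
    total = 0
    cleaned = []
    for line in text.splitlines():
        new_line, hits = redact_line(line)
        total += hits
        cleaned.append(new_line)
    return "\n".join(cleaned) + ("\n" if text.endswith("\n") else ""), total


if __name__ == "__main__":
    cleaned, found = redact_log(SAMPLE_LOG)
    print(f"full PANs found and masked: {found}")
    print(cleaned)
```

Run it as a script to see the masked log; in practice you would point `redact_log` at real log files or, better, add the same check to the logging layer so the PAN never reaches disk in the first place. A non-zero count from such a scan is exactly the kind of stored payment information the bullet above says to purge.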
Many breaches are preventable; they still tend to be unsophisticated and can be repelled with strong, basic defenses. Start with vulnerability scanning, but think about adding network penetration testing as soon as possible. If you have developed Web applications, this is even more critical.
The Data Security Standard (PCI DSS) was developed to encourage and enhance security and to facilitate the broad adoption of consistent security measures globally. It comprises 12 elements which provide global standards on items all the way from how to protect cardholder data to the monitoring and testing of networks.
Our PCI Compliance Team is there to help you become PCI Compliant.
Give them a call at 1 (888) 729-7958 and they will be happy to help you.
Resources used: www.pcisecuritystandards.org