What PCI DSS Compliance Means and Why It's Important for Your Business
February 11, 2014
What does PCI DSS compliance mean and why is it important for your business? We should start by answering the first question: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that companies that process, store or transmit credit card information maintain a secure environment. These regulations are continually changing as newer and more secure technology is implemented to combat security threats.
This standard applies to all merchants, regardless of size and the environment in which they accept credit card payments. However, the requirements vary according to levels which are primarily determined by the transaction volume:
| Level | Merchant criteria |
|---|---|
| Level 1 | Any merchant, regardless of acceptance environment, processing over 6 million transactions per year. |
| Level 2 | Any merchant, regardless of acceptance environment, processing between 1 million and 6 million transactions per year. |
| Level 3 | Any merchant processing 20 thousand to 1 million e-commerce (card-not-present) transactions per year. |
| Level 4 | Any merchant processing fewer than 20 thousand e-commerce transactions per year, and all other merchants processing up to 1 million transactions per year. |
A merchant within the scope of PCI DSS is any entity that accepts payment cards bearing the Visa, MasterCard, American Express, Discover or JCB logos. These major card payment brands together make up the Payment Card Industry Security Standards Council (PCI SSC), an independent body that exists to manage the ongoing evolution of the Payment Card Industry (PCI) security standards, with a focus on improving payment account security throughout the transaction process.
Now to answer the second question: why is PCI DSS important for my business? To many merchants, compliance represents a cost without any apparent benefit. On the contrary, the benefits certainly outweigh the expense. The reality is that data breaches resulting in credit card fraud can be extremely costly for a merchant and could potentially cripple the business. The main objective of the PCI DSS compliance requirements is to create a more secure environment that ultimately leads to fewer instances of fraud and, subsequently, reduced costs associated with fraud. According to a Nilson Report, issuers, merchants and acquirers of credit, debit and prepaid general purpose and private label payment cards worldwide experienced gross fraud losses of $11.27 billion in 2012. This enormous figure is up 14.6% from the previous year and represents 5.22 basis points of total volume, up from 5.07 basis points in 2011.
The largest percentage of fraud-related loss resides within the card-not-present realm, where insecure environments such as email and websites leave sensitive cardholder data vulnerable to potential breaches. Hackers are constantly testing these systems to identify and exploit points of weakness in security. The goal of the hacker is twofold: to steal cardholder information to resell on the black market, or to reuse it themselves disguised as a legitimate customer. These devastating losses are inevitably recouped through increased costs and fees to all parties, including merchants, issuers and acquirers as well as consumers. PCI DSS comprises a minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risk. Some of the key items include:
- Building and maintaining a secure network.
- Protecting cardholder data.
- Maintaining a vulnerability management program.
- Implementing strong access control measures.
- Regularly monitoring and testing networks.
- Maintaining an information security policy.
Depending on the applicable level, PCI DSS compliance can be met quite easily or may require greater effort by the merchant. At the most basic level (4), a merchant must complete a self-assessment questionnaire (available on the PCI Security Standards Council's website at www.pcisecuritystandards.org) and pass a vulnerability scan by a PCI SSC Approved Scanning Vendor. This scan must be performed on a quarterly basis if the device used to process an electronic payment (a POS terminal, gateway, software, etc.) has internet connectivity. Compliance validation requirements are set by the merchant's acquirer.
For all other levels, in addition to the Self-Assessment Questionnaire and quarterly scan, the merchant must receive an Attestation of Compliance from an Approved Scanning Vendor. At the highest level, merchants may also be required to meet physical environmental requirements. The overall cost of certification can be as low as a few hundred dollars a year for level 4 merchants all the way up to mid five figures for merchants at the highest level. This is affected by a number of variables including transaction volume, processing environment, and a list of third party applications used in payment processing. Merchants should always enquire whether their payment application vendors are PCI compliant (which they should be) to ensure a completely safe environment and reduce liability.
It's everyone's responsibility to ensure a safe processing environment and as such, acquiring banks are required to govern the compliance of their customers – the merchants. The payment card associations may fine an acquiring bank $5,000 to $100,000 per month for PCI DSS compliance violations. The banks will most likely pass this fine downstream until it reaches the merchant. Furthermore, the banks may ultimately terminate the merchant's ability to accept electronic card payments and place the merchant on a global MATCH list. This would essentially prohibit a merchant from accepting card payments through any bank acquirer.
Merchants should keep in mind the following points when evaluating the effort necessary to ensure compliance:
- Adhering to PCI DSS is an ongoing process as security exploits are continuously changing. Your best resource for confirming compliance is your payment brand or acquirer.
- There are 12 requirements in PCI DSS and no one-size-fits-all product or vendor. You'll need to implement an approach that includes people, processes and technology. Outsourcing all of these does not automatically prove that you've met the requirements. Merchants are just as involved in protecting cardholder data from the moment it's received, processed, refunded or charged back as their vendors are.
- Merchants are responsible for ensuring that card payment terminals comply with the standards. Make sure to request proof of compliance from your provider on an annual basis.
- Level 4 merchants that complete a Self-Assessment Questionnaire only prove that they've evaluated their compliance at one moment in time. Continuous assessment is necessary to keep breaches at a minimum.
- Keeping up-to-date on the standards is pivotal to protecting your business as noncompliance can be costly once you factor in fines, legal fees and lost business among other things.
As fraudsters are becoming more and more sophisticated, the payment acceptance ecosystem must ensure that it stays ahead of fraudulent practices to reduce its impact. That's why the PCI DSS compliance requirements are so important to understand and follow. As mentioned, the first step is to contact your acquiring bank or ISO to learn more about becoming compliant. These small steps will only lead to a safer ecosystem and as a result, benefit everyone involved.
Mr. Huynh began his career at Pivotal Payments as Vice President of Business Development where he was responsible for Pivotal Payments' Ecommerce Solutions group. Today, Mr. Huynh is Senior Vice President of Client Services where he oversees major account management, relationship management, in addition to Ecommerce strategies.
Mr. Huynh has more than 10 years of experience in management and business development with a number of organizations in payment processing as well as other industries. Before joining Pivotal Payments, Mr. Huynh was Vice-President of Marketing at Verifi, Inc.