So, you’ve received a letter from your bank reminding you that you must comply with the PCI-DSS standard and warning about PCI compliance violations. If you don’t toe the line, you could face additional fees. In some cases, companies that don’t prove their PCI-DSS compliance could be prevented from accepting a credit card at all. Here are some common questions facing companies that are grappling with the standard. Read on to understand key requirements and get some PCI compliance help.
PCI-DSS stands for the Payment Card Industry Data Security Standard. It is a standard that lays out security measures for an organization handling credit cards from the major brands. It comes from the Payment Card Industry Security Standards Council, which was formed in 2006 by American Express, Discover Financial Services, JCB International, Mastercard, and Visa.
PCI-DSS is part of a set of standards from the Council that protects credit card transactions. PCI PA-DSS covers payment application software developers, while PCI PTS covers manufacturers of credit card payment machines. Together, these standards guarantee point-to-point encryption of customer credit card data from point of sale to back-end data storage.
PCI-DSS applies to any organization that stores, processes, or transmits cardholder data, putting anyone who accepts credit cards, such as retailers and service providers, squarely in its sights.
Don’t think that you’re excluded just because you deal with relatively low credit card volumes or don’t store that credit card information. You are still subject to the rules, which are tightening in some cases. Visa used to let level-4 companies (ecommerce merchants processing fewer than 20,000 Visa e-commerce transactions annually) get away without PCI compliance validation, but that changed at the beginning of 2017 when it introduced new rules demanding PCI compliance validation for all businesses, including smaller level-4 merchants. (Source: https://www.pcicomplianceguide.org/acquirers-visa-qir-deadline-passed/)
If you accept credit cards, then you must comply with PCI. The difference comes in how you validate that compliance. Different kinds of organizations must prove that they are compliant in different ways. Failing to prove compliance will result in PCI compliance penalties for your bank, which it may pass along to you, or it may simply terminate your account.
There are 12 requirements under PCI-DSS.
Each payment card brand has its own verification procedure to ensure that companies are compliant under the program. The route you take will be based on how that brand classifies your company and the risk you present. Some companies may be able to assess themselves, while others will have to hire an independent assessment company for PCI compliance help to check that they meet all the requirements.
Merchants have to reach different levels of compliance under PCI, typically based on their size and whether they’ve experienced a breach before. Each credit card brand publishes its own criteria here. In most cases they are similar, but it’s worth visiting these pages to see how Visa, Mastercard, Discover, and American Express define merchant levels.
Independent assessment companies are called qualified security assessors (QSAs). They check the technical information that you provide and ensure that it covers all the appropriate parts of your operation that fall under PCI-DSS. Then they will submit a report, known as a PCI compliance ROC (report on compliance), to your acquirer (your bank). An assessment company must be verified by the Council to call itself a QSA.
An approved scanning vendor (ASV) is an independent third party that tests websites to ensure that they are compliant with the PCI standards. It scans your systems and produces a report that it can send to the acquirer on your behalf. Ecommerce companies might use an ASV to help ensure that their systems comply with the PCI-DSS requirements.
Not all organizations need a report on compliance from a QSA or a scan from an ASV. Those that need less scrutiny, such as level-4 merchants, can fill out a self-assessment questionnaire (SAQ) instead. These feature a set of yes/no PCI compliance questions covering each of the PCI-DSS requirements, along with room for notes explaining what the organization will do to address any gaps in its compliance.
Not all SAQs are equal. Organizations will use different versions based on their activities. Some cover card-not-present merchants, including ecommerce or mail-order companies, while others cover merchants that use standalone payment terminals and imprint machines. Here’s a list.
Yes, to varying degrees. Some service providers assume the role of merchant of record for their customers. For example, if you hand over all storage, processing, and transmission of customer data to Square, you won’t need to validate your PCI compliance. When it comes to web-based transactions, you may need to fill out different kinds of SAQ depending on how your website interacts with the third-party provider’s systems.
Even when outsourcing credit card processing, you can still fall short of PCI’s best-practice requirements if you fail to meet them. It’s still a good idea to follow those best practices, even when handing over end-to-end credit card processing to a third party.
Disclaimer: This document is provided for informational purposes only and should not be relied upon as legal advice. SolarWinds MSP makes no warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information contained herein.