PCI Compliance

The Payment Card Industry Security Standards Council has developed a set of requirements designed to help protect cardholder information before, during, and after transaction processing.  From their site, “PCI security for merchants and payment card processors is the vital result of applying the information security best practices in the Payment Card Industry Data Security Standard (PCI DSS). The standard includes 12 requirements for any business that stores, processes or transmits payment cardholder data. These requirements specify the framework for a secure payments environment; for purposes of PCI compliance, their essence is three steps: Assess, Remediate and Report.”

Collectively, the standards lay out best practices for merchants to follow which help to minimize the risk of a data breach. A common misunderstanding of the standards is that small merchants handling only one or a few credit cards a year are exempt from compliance. If you are a merchant and are set up to take credit cards by any mechanism – then you need to be compliant. Should you be compromised and not be PCI compliant, the fines and the compensation required by the banks (it typically costs between $50 and $90 to replace one card) could be substantial – to the point of potentially bankrupting your business.

Your merchant service provider should provide a compliance validation program to you. This begins with an intake or scoping interview about how you handle cardholder information. Based on the interview results, you will take one of five different annual Self-Assessment Questionnaires (SAQs). If you don’t understand the questions, ask for help. DON’T gloss over them. If you are processing transactions through an internet connection, and not using a completely outsourced solution, your IP address will be scanned at least every 90 days using a non-intrusive process designed to identify known vulnerabilities, which should then be remedied.

Understanding and implementing the 12 requirements of PCI DSS can seem daunting, especially for merchants without a security vendor or a large IT department. However, PCI DSS mostly calls for good, basic security. Even if there were no requirements for PCI compliance, the best practices for security contained in the standard are steps that every business should want to take to protect sensitive data and continuity of operations.

We often find that merchants are disregarding two areas of the standards. The first involves storing data in a forbidden way. In addition to violating PCI DSS, this may be a violation of State or Federal legislation regarding privacy. The PCI standard specifically forbids storing any of the following:

    • Unencrypted credit card numbers (and they can only be stored electronically in validated payment applications; paper storage is allowed if it meets security requirements)
    • CVV or CVV2 (security codes)
    • PIN blocks
    • PIN numbers
    • Track 1 or 2 data (magnetic stripe data)

Any of the above found in databases, log files, audit trails, backups, etc. can result in serious consequences for the merchant, especially if a compromise has taken place.
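As an added example (not code from Platinum Relations or the PCI SSC), a small Python scanner that flags the forbidden data types above in log lines, the kind of check a merchant can run over application logs, audit trails and backups. The regex patterns are simplified assumptions about the common layouts, the sample log is constructed, and every finding is masked so the report itself does not become another copy of the data.

```python
import re

# Simplified, assumed patterns for the data layouts PCI DSS forbids storing.
PAN_RE = re.compile(r"\b(\d{13,19})\b")                            # candidate card numbers
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.I)
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}")        # %B<PAN>^NAME^YYMM...
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}")                      # ;<PAN>=YYMM...

def luhn_valid(digits: str) -> bool:
    """Luhn check used by card numbers; rejects most ordinary digit runs (order ids, refs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """First six and last four digits only, so the report never repeats a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_line(line: str) -> list:
    """Return (finding type, masked value) pairs for one log line."""
    found = [("PAN", mask(p)) for p in PAN_RE.findall(line) if luhn_valid(p)]
    found += [("TRACK1", mask(p)) for p in TRACK1_RE.findall(line)]
    found += [("TRACK2", mask(p)) for p in TRACK2_RE.findall(line)]
    if CVV_RE.search(line):
        found.append(("CVV", "<redacted>"))  # never echo the security code
    return found

def scan_log(text: str) -> dict:
    """Map 1-based line numbers to findings; clean lines are omitted."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        found = scan_line(line)
        if found:
            report[lineno] = found
    return report

# Constructed sample log; 4111... is a well-known test number, not a real card.
SAMPLE_LOG = """\
2024-01-05 12:00:01 INFO order=1001 pan=4111111111111111 cvv=123 amount=19.99
2024-01-05 12:00:02 INFO order=1002 pan=411111******1111 amount=5.00
2024-01-05 12:00:03 DEBUG swipe=%B4111111111111111^DOE/JANE^25121010000?
2024-01-05 12:00:04 DEBUG swipe=;4111111111111111=2512101?
2024-01-05 12:00:05 INFO order=1003 ref=1234567890123 amount=7.50
"""
```

Line 2 (already masked) and line 5 (a reference number that fails the Luhn check) produce no findings; lines 1, 3 and 4 are the ones that would need to be purged from logs and backups.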

The other common problem we find is that merchants do not have a written information security policy. This is a requirement for EVERY merchant. Everyone in your organization who handles cardholder data or processes payments should review and sign the policy. This becomes part of your business records. The best compliance validation programs have tools and templates for you to use.

Data security compliance is complicated in some instances, but for most merchants it can be handled in a fairly straightforward manner.  It is important that you ask questions about any parts you don’t understand.

Complete information about ALL of the requirements is available at:  https://www.pcisecuritystandards.org/

Platinum Relations is committed to helping each of our clients achieve and maintain full compliance.  Please discuss any questions you may have with your Platinum Relations Consultant.