PCI - Stop the Credit Card Thieves!

Here's What You Should Understand About PCI Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is managed by the PCI Security Standards Council (PCI SSC). Founded in 2006 by the five biggest credit card providers: MasterCard, Visa, Discover, Amex and JCB International, the Council ensures that merchants (sellers and organizations) protect their customers’ credit card information during transactions and when it’s being stored.

Being PCI compliant is not a requirement by law. However, it is highly advisable that merchants who accept card payments follow the regulations set by the PCI SSC to avoid any potential data breach and to avoid hefty non-compliance fees. The requirements for becoming PCI compliant depend on how your company operates.

There are many areas where your business could have security vulnerabilities, such as operating systems and devices which hackers could use to access your company’s private network. Data can be stolen from many areas, including but not limited to:

Identifying where your company's weaknesses lie when it comes to the protection of sensitive cardholder information, and securing how your business processes payments, are paramount.

What do I need to do to become PCI Compliant?

There are various levels of PCI compliance, which depend on the number of payments your business processes each year (12-month period). One requirement is constant across all levels: a business should achieve 100% PCI compliance and maintain it, in order to keep its own data and its customers' data safe.

Each of the five major credit card members of the PCI SSC has its own data security standards. Below is a simplified, general breakdown of potential PCI DSS requirements:

PCI requirements depend on which level is applicable to your business. Each level will require merchants to complete the relevant PCI DSS Self-Assessment Questionnaire (SAQ), provide evidence that the merchant has completed and passed a vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV), and complete and submit the Attestation of Compliance (AOC) to their acquirer.

If you would like any clarification on the information here, please visit the PCI Security Standards Council’s website.

What happens if I’m not PCI compliant?

As previously mentioned, being PCI compliant is not required by law; however, you could incur major damage to your business, its reputation and brand image, and a multitude of fines if your customers' data is breached. In the long term, it will cost your business a lot less to comply with PCI DSS requirements. Additionally, non-compliance fees can add up over the months.

The State of PCI DSS Compliance


According to Verizon's 2017 Data Breach Investigations Report (DBIR), the state of PCI DSS compliance is continuing on an upward trend, with growth of 44.3% since 2012. However, 44.6% of businesses still failed to pass an interim PCI DSS validation in 2016:


SecurityMetrics has predicted that data breaches and attacks from hackers will ‘likely follow similar trends from the latter half of 2016,’ referring to companies such as Yahoo, who notoriously fell victim to a series of attacks in which the personal information of millions was compromised.

SecurityMetrics forensic takeaways from 2016:

Payment Plus's Point-to-Point Encryption and Tokenization (safe-t)

Payment Plus can provide merchants with solutions that help to reduce PCI audit scope, with PCI-validated point-to-point encryption through Elavon's safe-t product, which is applied in a retail (card-present) environment.

It’s part of the PPI solutions.

PPI's P2PE solution is designed to provide businesses with the highest degree of payment security and greatly reduce the scope of PCI DSS compliance requirements. 

Check out an overview of how a typical transaction works below:

PCI DSS Compliance FAQs

Q: What is the PCI DSS?

A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. The PCI DSS is administered and managed by the PCI SSC, an independent organization that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).

Q: How does a merchant get educated about PCI compliance?

A: Merchants getting started with PCI compliance can find a wealth of information on the PCI Council website and download the PCI Council's Getting Started Guide and Quick Reference Guide. To learn what a merchant's specific compliance requirements are, the PCI Council recommends the merchant check directly with the card brands: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, Visa Inc., Visa Europe.

Q: To whom does PCI compliance apply?

A: PCI compliance applies to ANY organization or merchant (includes international merchants/organizations), regardless of size or number of transactions, that accepts, transmits or stores any cardholder data.

Q: Is a merchant obligated to be PCI compliant?

A: PCI compliance is not a law. The PCI standards were created by the major card brands Visa, MasterCard, Discover, AMEX and JCB. At their acquirers'/service providers' discretion, merchants that do not comply with PCI DSS may be subject to fines, card replacement costs, costly forensic audits, brand damage, etc., should a breach occur. The consequences of non-compliance far outweigh the time and effort put into maintaining PCI compliance.

Q: How often is PCI DSS validation required?

A: Merchants must demonstrate compliance annually via a Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC). Validation requirements vary depending on the number of transactions processed annually and the payment card brand. Compliance requires establishing and maintaining a PCI program that incorporates appropriate business policies, procedures and technologies to ensure ongoing compliance through continuous protection of payment card data.

Q: What are the requirements to be in compliance with the PCI Data Security Standard?

A: The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. It’s comprised of 12 general requirements designed to: build and maintain a secure network; protect cardholder data; ensure the maintenance of vulnerability management programs; implement strong access control measures; regularly monitor and test networks; and ensure the maintenance of information security policies.

Q: Which Self Assessment Questionnaire (SAQ) must be completed by a merchant?

A: The PCI DSS SAQ Instructions and Guidelines information provides a summary of the different SAQs and the types of environments that each SAQ is intended for. Merchants should also consult with their acquirer (merchant bank) or payment brand to determine if they are eligible or required to submit an SAQ, and if so, which SAQ is appropriate for their environment. Additional SAQs may apply depending on how the merchant is conducting business. For more information please visit the PCI Council website.

Q: How does Payment Plus help minimize PCI scope within a merchant environment?

A: Payment Plus provides cardholder data tokenization with safe-t. A token replaces the cardholder data that a merchant needs to store when handling transactions. The token is used when submitting the transaction to the payment processor. Since the token is not card data, the merchant can store the token and reduce the PCI scope of the system storing the token. Merchants with e-commerce sites can also reduce their PCI scope by making use of the available safe-t Converge tokenization solutions.

Q: If a merchant only accepts credit cards over the phone, does PCI compliance still apply to the merchant?

A: Yes. All businesses that store, process or transmit payment cardholder data must be PCI compliant.

Q: What are the penalties for failure to comply with PCI DSS?

A: The payment brands may, at their discretion, fine at a rate of $5,000 to $100,000 per month for PCI compliance violations. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business.

Q: What is a vulnerability scan?

A: A vulnerability scan checks a merchant or service provider’s systems for security vulnerabilities. It is a tool that will conduct a non-intrusive scan to remotely review networks and Web applications based on the external-facing Internet protocol (IP) addresses provided by the merchant or service provider. The scan identifies vulnerabilities in operating systems, services and devices that could be used by hackers to target the company’s private network. The scan does not require the merchant or service provider to install any software on their systems, and no denial-of-service attacks are generally performed.

Q: How often does a merchant have to have a vulnerability scan?

A: Once every 90 days. Merchants requiring a vulnerability scan are required to submit a passing scan. Merchants and service providers should submit compliance documentation (successful scan reports) according to the timetable determined by their acquirer. Scans must be conducted by a PCI SSC Approved Scanning Vendor (ASV) such as Sysnet.

Q: Who is required to fill out a PCI SAQ document?

A: Any merchant handling credit card transactions is required to fill out a specific PCI SAQ document based on the nature of the cardholder data process in place. To determine which SAQ corresponds to a merchant, please visit our SAQ document summary section.

P2PE Frequently Asked Questions

Q: What is P2PE?

A: Point-to-point encryption (P2PE) cryptographically protects account data from the point at which a merchant accepts the payment card through the entire lifecycle of the transaction. With P2PE, account data (cardholder data and sensitive authentication data) is unreadable until it reaches the secure decryption environment, which makes it far less valuable if it is stolen in a breach. Merchants using PCI-validated P2PE solutions also have fewer applicable PCI DSS requirements, which helps simplify compliance efforts. Payment Plus's safe-t P2PE solution, provided by Elavon, is validated by the PCI Council and is one of only a few solutions qualified to be offered this way. See the PCI Council's list of validated solutions.
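The following Go program is an added example, not code from Payment Plus, Elavon or the PCI Council. It models the flow described in this P2PE answer and in the earlier tokenization answer: the terminal encrypts the PAN before any merchant system sees it, the merchant forwards a blob it cannot read, and the decryption environment decrypts it, would submit it for authorization, and returns a random token that the merchant stores instead of the card number. Everything in it is constructed for illustration: AES-256-GCM with one key shared between terminal and decryption environment stands in for the key injection and key management of a real validated solution (which would use an HSM and per-device keys), the `tok_` token format is made up, and the PAN is a standard test number.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Terminal models the point-of-interaction device. In a validated solution its
// key is injected at manufacture and never exposed to merchant systems; here it
// is simply generated during provisioning (assumption for the demo).
type Terminal struct{ key []byte }

// DecryptionEnvironment models the provider's secure decryption environment.
// It is the only party able to turn the terminal's ciphertext back into a PAN,
// and it owns the token vault, which never leaves this environment.
type DecryptionEnvironment struct {
	key   []byte
	vault map[string]string // token -> PAN
}

// MerchantRecord is everything the merchant keeps about a sale: a token and
// display data only, which is what keeps the storing system out of scope for
// that cardholder data.
type MerchantRecord struct {
	OrderID string
	Token   string
	Last4   string
}

// ProvisionSolution generates a fresh AES-256 key and installs it in both the
// terminal and the decryption environment (stand-in for real key injection).
func ProvisionSolution() (*Terminal, *DecryptionEnvironment, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, nil, err
	}
	return &Terminal{key: key}, &DecryptionEnvironment{key: key, vault: map[string]string{}}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals the PAN at the terminal and returns nonce || ciphertext || tag,
// the blob the merchant forwards without being able to read it.
func (t *Terminal) Encrypt(pan string) ([]byte, error) {
	gcm, err := newGCM(t.key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), nil), nil
}

// Authorize decrypts the terminal blob (rejecting anything tampered with or
// encrypted under another key), would forward the PAN to the card brand for
// authorization (not modelled), and returns a random token for the merchant
// to store in place of the PAN.
func (d *DecryptionEnvironment) Authorize(blob []byte) (string, error) {
	gcm, err := newGCM(d.key)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pan, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", fmt.Errorf("decryption failed (wrong key or tampered data): %w", err)
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := "tok_" + hex.EncodeToString(raw) // random: carries no information about the PAN
	d.vault[token] = string(pan)
	return token, nil
}

// Detokenize resolves a token back to its PAN; only the decryption environment
// can do this (for example to process a refund to the original card).
func (d *DecryptionEnvironment) Detokenize(token string) (string, bool) {
	pan, ok := d.vault[token]
	return pan, ok
}

// Last4 returns the truncated digits a merchant may keep for receipts.
func Last4(pan string) string {
	if len(pan) < 4 {
		return pan
	}
	return pan[len(pan)-4:]
}

// LeaksPAN reports whether data the merchant handles contains the PAN in clear.
func LeaksPAN(data []byte, pan string) bool {
	return bytes.Contains(data, []byte(pan))
}

func main() {
	const pan = "4111111111111111" // constructed test PAN, not a real account
	term, env, err := ProvisionSolution()
	if err != nil {
		panic(err)
	}
	blob, _ := term.Encrypt(pan)
	token, err := env.Authorize(blob)
	if err != nil {
		panic(err)
	}
	rec := MerchantRecord{OrderID: "order-1001", Token: token, Last4: Last4(pan)}
	fmt.Printf("merchant stores: %+v\n", rec)
	fmt.Println("blob leaks PAN:", LeaksPAN(blob, pan), " record leaks PAN:", LeaksPAN([]byte(rec.Token+rec.Last4), pan))
}
```

The point to check when assessing scope reduction is the one the program makes explicit: neither the forwarded blob nor anything in the merchant's stored record contains the PAN, and a blob that has been altered in transit or produced under a different key is rejected by the decryption environment rather than silently decrypted.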

Q: What are the benefits of P2PE?

A: A P2PE solution:

  1. Makes account data unreadable by unauthorized parties and protects customer data and therefore a company's reputation
  2. “De-values” account data because it can’t be decrypted even if stolen
  3. Simplifies compliance with PCI DSS requirements
  4. Reduces the P2PE Self-Assessment Questionnaire to only 26 requirements