If your business accepts and processes credit card payments, being fully PCI DSS compliant should be your number one priority. PCI DSS stands for the Payment Card Industry Data Security Standard, a set of requirements put in place to create a secure environment for any company that accepts, transmits, stores, or processes credit card information.
When the standard was launched in 2006, compliance was optional; today it is mandatory for any company that accepts credit cards. All merchants who wish to receive payments via credit card must affirm that they are PCI DSS compliant, or they risk being not only fined but penalized.
Whether your company is a one-man operation or a full-scale corporation, PCI DSS compliance still applies to you. Every size of company has to be compliant, but transaction volume determines how a company is classified for compliance purposes. Depending on your annual transaction volume, your company will be placed into one of four groups, known as levels. The levels run from 1 through 4, with level 4 being the lowest volume and level 1 the highest. If a merchant suffers a data breach, there is a good chance it will be moved to a higher level. I have broken down the level determinations and their requirements below.
- You are classified Level 4 if: you carry out fewer than 20,000 transactions per year. You are required to: complete and file a PCI Data Security Standard Self-Assessment Questionnaire (SAQ), and you may be required to submit to a quarterly PCI scan from an approved scanning vendor.
- You are classified Level 3 if: you carry out between 20,000 and 1 million transactions per year. You are required to: complete and file a PCI Data Security Standard Self-Assessment Questionnaire (SAQ), and you may be required to submit to a quarterly PCI scan from an approved scanning vendor.
- You are classified Level 2 if: you carry out between 1 million and 6 million transactions per year. You are required to: complete and file a PCI Data Security Standard Self-Assessment Questionnaire (SAQ), and you may be required to submit to a quarterly PCI scan from an approved scanning vendor.
- You are classified Level 1 if: you carry out over 6 million transactions per year. You are required to: be audited annually by an authorized PCI auditor. You will also be required to undergo quarterly scans that check for vulnerabilities in your network that could be used by attackers to compromise the merchant's network. These scans may only be performed by an approved scanning vendor.
You should now have a better understanding of PCI levels and where your company stands. The level requirements are not all that is needed to be compliant: PCI DSS also has 12 rules that must be followed. These rules are called security controls, and they are grouped under six goals. No matter which level you are, you are expected to comply with all of these rules. I have listed them below, with the goal for each group in bold.
- **Build and Maintain a Secure Network**
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
- **Protect Cardholder Data**
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
- **Maintain a Vulnerability Management Program**
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
- **Implement Strong Access Control Measures**
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
- **Regularly Monitor and Test Networks**
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
- **Maintain an Information Security Policy**
  12. Maintain a policy that addresses information security for all personnel
Now that we have touched on level classification and security controls, let's touch on the subject of fines. When cardholder data is compromised in a breach, a company can be fined $50 to upwards of $90 per cardholder. For a business that processes tens to thousands of transactions, you can see how this can cripple any business. Beyond that, you will likely also lose your company's affiliation with your payment processor and possibly even your bank. The price of non-compliance, on the other hand, is much worse: a data breach that exposes your customers' financial information could cripple your business or worse. According to IBM, the global average cost of a data breach is roughly $3.2 million. You can see how this can have an extremely negative impact.
PCI DSS compliance can be a lot to take in and process, but you are not alone. There are several companies, like ours, who can make sure you are compliant and stay compliant. If you are confident you are compliant, I salute you. If you have even the slightest doubt, I would highly recommend hiring a professional to guarantee that you are.