In times of widespread concern about cyberattacks and phishing attempts, it turns out that there’s a clear roadmap to protect your business from malicious hackers — your business only needs to pursue PCI compliance. But what is this term, and what is it all about?
Payment card industry (PCI) compliance refers to the standards that companies have to stick to in order to process payment information online. These best practices are collectively known as the Payment Card Industry Data Security Standard (PCI DSS), and they were created by the PCI Security Standards Council (PCI SSC). This set of best practices works to increase controls and protection around cardholder data while simultaneously reducing credit card fraud.
Just as you might see homes advertising the security systems they’ve installed (“protected by Brinks,” for example), PCI compliance is a similar demonstration that a company has taken steps to protect its systems and infrastructure. When you make your business PCI compliant, it represents major progress toward protecting your customers from data breaches and protecting your business against cyberattacks. It’s completely in your interest if your company processes payments online.
Who is PCI compliance for?
PCI compliance is for any business that processes, stores, or transmits credit card data and other sensitive information, regardless of its size. As we live in a time of widespread e-commerce, this applies to most businesses! These companies have to validate their compliance every year or every quarter by engaging a certified assessor or company qualified to determine that they’re handling transactions appropriately. They’re subject to an audit that figuratively kicks the tires on how they transact with customers and handle the information that enables those transactions.
Different businesses will adhere to different standards depending on the number of credit card transactions they process. “Level one” is for the highest volume, and it goes all the way down to “level four” for the lowest volume, and companies that outsource their payment processing to a third party play by a different set of rules than those accepting cards directly.
But the size of a business, the volume of transactions, or the nature of how it handles those transactions shouldn’t dissuade the leadership from pursuing PCI compliance. Even if a smaller business with third-party processing doesn’t present itself as a worthwhile target, it can still find itself one of many victims as hackers fine-tune their attack strategies to infiltrate these smaller businesses at scale. Whether a company is large or small, bad guys are looking for ways to attack it for profit.
Companies that suffer a breach while not in full compliance are furthermore liable for fines to the PCI Security Standards Council. That makes PCI compliance a worthwhile pursuit for any business that handles online payments, wants to protect its reputation, and wants to protect its customer data at the same time. The financial repercussions of noncompliance go beyond criminals stealing from you — you can also be forced to pay up for ignoring the rules.
STEP 1: Determine your PCI level
Merchants that process over six million transactions per year are designated level one. Those that process between one and six million per year are level two. If your business processes 20,000 to one million transactions in a year, that’s level three. Anything less than that is level four.
STEP 2: Understand the penalties for failing to meet these standards
These can include fines, increased fees, sanctions from banks, and eviction from credit card payment processing infrastructure. In cases of major negligence, businesses that aren’t PCI-compliant may even be subject to lawsuits and prosecution. To be clear, PCI is a set of rules for security as opposed to a conventional law, but the incentives to follow these rules are clear.
STEP 3: Complete a self-assessment questionnaire
These are available on the PCI Security Standards Council website. Different questionnaires will apply to different businesses, but each one is a series of yes-or-no questions designed to determine how closely your business meets PCI Data Security Standard requirements. Answering “no” should be a red flag, and you may have to take some action in order to get aligned. Businesses commonly fall short on the fronts of outdated security protocols, vulnerable authentication credentials, and failed SSL certificate verification.
STEP 4: Build and maintain a secure network that protects cardholder information
For many businesses, this will require finding an information technology contractor that you trust. Leave the heavy lifting of firewalls and network security to those who specialize in it. If you sell t-shirts online, you probably shouldn’t install your own network that stores customer data.
Make sure that the word “firewall” comes up in conversations with your network professional. A firewall separates internal from external activity so that your network knows whom to trust. Basic PCI compliance is about using systems that prevent unauthorized access by untrusted actors. Once your firewall is up and running, implement a robust password program with your employees, change any passwords provided by your contractor, and continue changing them regularly.
Don’t forget to keep your firewall updated and operational all the time. There’s never a reason for an employee to disable it.
STEP 5: Fill out a formal attestation of compliance and file paperwork with credit card companies
An attestation of compliance (AOC) is a form that merchants use to confirm successful results of their PCI DSS assessment, as documented in a self-assessment questionnaire or compliance report. In other words, an AOC is the paperwork flag you wave to the PCI Security Standards Council that lets them know you’re playing by the rules — be sure to have a qualified security assessor review your work so that he or she can confirm your own findings.
At this point, you have all the paperwork you need in order to confirm your PCI compliance with anyone who asks about it. Banks and credit card companies alike may want to see your self-assessment questionnaire or AOC, and you have it all on hand.
The road to PCI compliance may be technically complex, but it’s worth traveling if you want to future-proof your business, guard your customer data, and protect your reputation at the same time. Need help getting started? Contact RSI Security today!
About RSI Security
At RSI Security, we are experts at increasing your security within the often risky payment card industry.
- RSI Security is a Qualified Security Assessor (QSA) and an Approved Scanning Vendor (ASV) with over 10 years of experience as top-of-the-line service providers
- We’ve serviced over 200 PCI clients
- RSI Security is committed to helping you achieve PCI compliance in a timely and thorough manner