Learn the basics of PCI compliance and where to go for more information.
Credit card processing agents need to have answers when their accounts ask about PCI compliance. It is essential for any business accepting, processing, storing, or transmitting credit cards and other forms of digital payments. Developed by major credit card brands Visa, Mastercard, Discover, American Express, and JCB, the Payment Card Data Security Standards (PCI DSS) are designed to protect against data theft and create a safer processing environment. Credit card processing agents can help merchants protect their businesses and customers by following these important guidelines.
What is PCI compliance?
PCI compliance is a proven way to protect physical and virtual environments, boost merchant confidence, and gain customer trust. However, becoming compliant may seem complex and even intimidating to small to mid-sized business owners. If your accounts are asking about PCI, you can demystify the process by showing how to achieve compliance in a few simple steps.
First, which category best describes your merchant? The PCI Security Council (PCI SSC) separates merchants into four categories, based on their processing volumes.
Level 4: These are merchants processing less than 1 million person-to-person and 20,000 online transactions per year. Level-4 merchants are required to take an annual PCI Self-Assessment Questionnaire (SAQ). Quarterly PCI scans by approved vendors may also be required.
Level 3: Merchants processing between 20,000 and 1 million transactions per year are required to take an annual risk assessment and long-form SAQ. Quarterly PCI scans by approved vendors may also be required for Level-3 merchants.
Level 2: Level-2 merchants processing between 1 million and 6 million transactions per year must take an annual risk assessment and long-form SAQ. Quarterly PCI scans by approved vendors may also be required.
Level 1: Level-1 merchants, such as big-box retailers, processing 6 million or more transactions per year are required to conduct annual internal audits with qualified PCI auditors. Quarterly PCI scans by approved vendors may also be required.
Why merchants need to prioritize security.
Security breaches impact everyone, from customers dealing with identity theft and credit issues to merchants, banks, and processors facing fines, penalties, and losses. Considering all the ways hackers steal payment data, it makes sense to safeguard the entire cardholder environment, including physical card readers, paper receipts in filing cabinets, card-on-file data on networks and servers, and hidden cameras that record entry of authentication data.
What are PCI compliance requirements?
Merchants may also turn to credit card processing agents for information on what they need to do to pass a self-assessment, risk assessment, or scan. The PCI SSC and leading security experts established these 12 requirements for PCI compliance that your accounts must meet:
1. Protect your system with firewalls: Secure cardholder data behind a protective firewall.
2. Configure passwords and settings: Replace default passwords with more robust security parameters.
3. Protect stored cardholder data: Safeguard sensitive cardholder data by keeping it out of hackers’ reach.
4. Encrypt transmission of cardholder data across open, public networks: Encrypt cardholder data to render it useless if intercepted by unauthorized parties.
5. Use and regularly update anti-virus software: Keep anti-virus solutions updated with ongoing vulnerability management.
6. Regularly update and patch systems: Develop and maintain secure systems and applications.
7. Restrict cardholder data access to what the business needs to know: Implement strong access control with cardholder data on a need-to-know basis.
8. Assign a unique ID to each person with computer access: Manage access control with unique log-ins.
9. Restrict physical access to cardholder data: Secure workplace environments by restricting physical access to cardholder data.
10. Track and monitor access to networks and cardholder data: Maintain established logs and log-in histories to monitor network and cardholder data activities.
11. Conduct vulnerability scans and penetration tests: Regularly test security systems and processes.
12. Documentation and risk assessments: Maintain a policy that addresses information security for employees and contractors.
Resources at your disposal.
Credit card processing agents, like many other people in the payments space, don’t always have all the answers when it comes to PCI compliance. But help is available. PCI SSC provides additional resources to help small merchants simplify PCI compliance and reduce risk. You can visit PCI’s Data Security Essentials Resources for Small Merchants to point your merchants in the right direction.
You can also reach out to your payments company partner for help. North American Bancard’s team includes PCI compliance experts who can help you find the answers that you and your clients need. Plus, a PCI Plus Program that features up to $100,000 in breach forgiveness protection for qualified merchants. Not to mention No fees, forms, or third-party requirements. Contact us for more information.