The PCI/DSS compliance program is required for all merchants that handle credit card data or accept credit cards for payment. However, there’s a lot of confusion over what exactly is required. Here’s what you need to know if you accept payments via credit card:
What are the risks?
With the 2015 PCI/DSS standards, if credit card fraud is determined to have been caused by a lack of security on your part or your company's, you can be held liable for the full amount of the theft. You can also be fined up to $500,000 per data breach, and costs range from $90 to $304 per individual customer record compromised. Due to California reporting requirements, it is very possible your company will end up on the nightly news, and you can be sued by customers.
What are the requirements?
1. Maintain a network firewall to isolate network access to credit-card equipment and data
2. Use strong passwords and secure configuration settings on all systems, and ensure no default passwords are in use
3. Encrypt or otherwise secure data when stored on physical media such as hard drives and memory
4. Encrypt card member data and customer information in transit across unsecured networks
5. Keep active, updated anti-virus software
6. Maintain and update systems and applications, particularly for security releases
7. Control access to sensitive data by limiting permissions to only those employees who require access
8. Keep unique credentials for each employee – do not share credentials
9. Ensure physical security of data and systems
10. Maintain and review audit logs for systems and data access
11. Complete regular tests of systems and procedures
12. Create and deploy explicit security policies for staff, and keep logs of staff security training and knowledge
What are the benefits of PCI compliance?
1. If you maintain all of the above properly, you will reduce your liability for credit card fraud.
If my business grows how do my requirements change?
There are 4 levels of PCI/DSS requirements, which depend on the number of transactions you make in a year:
Getting started with compliance
1. Designate a PCI compliance officer, who will maintain documentation for training, reports, and compliance, and identify all individuals who will be in contact with systems or media that contain card member data.
2. Determine your requirement level (1-4).
3. Determine which Self-Assessment-Questionnaire your business needs to complete.
4. Determine if you want to enlist the help of a Qualified Security Assessor (QSA).
5. Contact an Approved Scanning Vendor (ASV) to perform external security vulnerability scans.
6. Ensure you have an Information Security Policy, and that employees are trained and confirm their understanding of this policy.
7. Review security scans and remediate any security vulnerabilities discovered.
8. Keep records of self-assessments, scans, and review and improvement steps taken. If there is a breach, documentation of your security policy, training, and enforcement is critical, and you will be asked to produce this documentation immediately!
What should you do if you have evidence of a security breach?
If you have evidence of a security incident, you must:
1. Take steps to stop additional loss of data.
2. Within 24 hours, investigate the cause and breadth of the breach and identify steps to prevent such a breach in the future.
3. Notify the following: for MasterCard, your merchant account vendor; for Visa, your merchant account vendor and the Visa Fraud Control Group at 1 (650) 432-2978.
4. Provide compromised card member details to your merchant account vendor and/or the Visa Fraud Control Group.
5. Provide Visa with the findings of your investigation within four business days.