There is significant amount of buzz and concern about PCI compliance with merchants. Merchants are particularly concerned when they hear of data breaches from household names like TJX Companies, OfficeMax, Boston Market, Barnes & Noble, Sports Authority or large sophisticated processors like Heartland Payment Systems. Perhaps more acutely, merchants are paying nuisance fees guised with names like PCI compliance or PCI non-compliance. And now many processors are offering PCI insurance in the event of a data breach. Like extended warranties, PCI insurance doesn’t make sense for most companies. There are specific situations where PCI insurance is valuable but you should really understand your organization’s card data storage vulnerabilities and map those vulnerabilities with what PCI insurance covers.
This article covers the basics of PCI from a merchant perspective. We are NOT PCI experts so for specific PCI questions or compliance issues, ask your payment processor.
WHAT IS PCI?
PCI DSS stands for Payment Card Industry Data Security Standards. For merchants PCI compliance means that they need to adhere to 12 data security standards as outlined in Table 1. These standards are defined by PCI Security Standards Council, an organization founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.
These 12 requirements are not equally relevant for all merchants. For instance, a small merchant with a Hypercom T7Plus terminal probably just needs to focus on requirements 7, 9, and 12 because they do not store card data, have a network to secure and monitor, etc.
TABLE 1: THE 12 PCI REQUIREMENTS
|Build and Maintain a Secure Network|
|Requirement 1: Install and maintain a firewall configuration to protect cardholder data|
|Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters|
|Protect Cardholder Data|
|Requirement 3: Protect stored cardholder data|
|Requirement 4: Encrypt transmission of cardholder data across open, public networks|
|Maintain a Vulnerability Management Program|
|Requirement 5: Use and regularly update anti-virus software|
|Requirement 6: Develop and maintain secure systems and applications|
|Implement Strong Access Control Measures|
|Requirement 7: Restrict access to cardholder data by business need-to-know|
|Requirement 8: Assign a unique ID to each person with computer access|
|Requirement 9: Restrict physical access to cardholder data|
|Regularly Monitor and Test Networks|
|Requirement 10: Track and monitor all access to network resources and cardholder data|
|Requirement 11: Regularly test security systems and processes|
|Maintain an Information Security Policy|
|Requirement 12: Maintain a policy that addresses information security|
WHAT ARE MY OBLIGATIONS UNDER PCI
Merchant obligations under PCI vary based on size, as measured by the number of Visa transactions per year. See Table 2 for specific PCI requirements for each of the four merchant tiers. Over 90% of the merchants in the U.S. fall into Tier 4 and they simply have to 1) complete an annual Self-Assessment Questionnaire (SAQ ), 2) complete a quarterly network scan by Approved Scanning Vendor (ASV)…this is only applicable if a merchant’s Point-of-Sale system is connected to a wired or wireless computer network. Beyond these two validation requirements, there may be additional requirements from your payment processor.
Beyond fines from card networks, many payment processors are assessing merchants who do not comply with these requirements with monthly or quarterly fees per merchant location or account. We have many clients who were being charged $19.95 per month per account to $200 per year per account for non compliance. These fees can add up quickly…so it is definitely worthwhile to be PCI compliant.
TABLE 2: PCI MERCHANT TIERS
WHAT ARE THE KEY POINTS ABOUT PCI
- PCI standards are designed to protect credit/debit card data from unauthorized users
- PCI compliance does not guarantee security but it does minimize the probability of a system being compromised
- Here are useful breach statistics from Trustwave
- 90%+ of compromises are from Level 4 merchants
- 91% of compromises occurred through “always on” Internet connections
- 68% of compromises occurred with card present merchants
- There are hard costs (fines from card networks) and soft costs (reputational damage, customer loss, etc.) from a data breach
- Work with your payment processor and make sure you are PCI compliant
WHAT ARE SOME USEFUL PCI RESOURCES
There are probably hundreds of websites that contain information about PCI. Here are some that we like: