Q. What is PCI?
The Payment Card Industry Data Security Standard (PCI DSS) sets security requirements for members, merchants and service providers that store, process or transmit cardholder data. To demonstrate compliance, merchants and service providers may be required to validate annually and to have an external network vulnerability scan performed quarterly by an Approved Scanning Vendor (ASV), as defined by the PCI Security Standards Council.
PCI DSS began as five separate programs run by the five card brands. Each brand's intention was roughly the same: to add a level of protection for consumers by ensuring that merchants meet minimum security requirements when they store, process and transmit cardholder data.
On Dec. 15, 2004 the card brands aligned their individual programs and released version 1.0 of the Payment Card Industry Data Security Standard (PCI DSS). The Payment Card Industry Security Standards Council (PCI SSC) was formed afterwards, in 2006, as a neutral body to maintain the standard and to resolve conflicts among the brands in developing it.
To validate compliance, a Self-Assessment Questionnaire (SAQ) must be completed annually. In the spring of 2008 a redesigned SAQ was launched to make the questions more relevant to what merchants actually do. There are now four versions (SAQ A to D); the one that best matches how a company handles cards determines the number of questions that must be answered, and whether quarterly vulnerability scanning is required. Companies must also attest to the truthfulness and accuracy of their SAQ responses.
For those required to complete quarterly vulnerability scanning, it is an indispensable tool used in conjunction with a vulnerability management program. Scans identify vulnerabilities and misconfigurations in websites and IT infrastructure with externally facing IP addresses. Note that a scan only passes if it finds no vulnerability rated CVSS 4.0 or higher, so findings must be remediated and rescanned, not merely recorded.
Scan results provide information that supports efficient patch management and other security measures that improve protection against attacks from the Internet.
Q. Doesn't PCI only apply to e-commerce companies?
No. PCI applies to every company that stores, processes or transmits cardholder data. In fact, anyone who takes card-present transactions on POS devices is typically more at risk than an e-commerce merchant, because those systems often end up storing full magnetic-stripe track data after authorisation, which PCI DSS forbids. Compromise of this type of data can bring heavy fines and requests for compensation from the banks involved.
Q. Don't I only have to be compliant with the majority of criteria?
The pass mark for PCI is 100%, so if you fail even one of the criteria, you are not in compliance with PCI. The standard is not meant to be something to strive for; it is essentially a floor, a basis for further security measures. Failing to achieve even one of the requirements is failing to meet a basic standard for handling cardholder information. All companies that routinely handle this type of data should be aiming to exceed the standard. It's just good business.
Q. I can just answer "yes" to all the criteria on the Self-Assessment Questionnaire.
The Self-Assessment Questionnaire is a mechanism for reporting your level of compliance to your merchant bank or to Visa. The standard applies at all times, not only on the day you fill in the form. Just saying yes to the questions puts you at great risk: if a compromise took place and it was obvious that you were not, and had never been, compliant, the matter would be taken very seriously by Visa. You would be risking your whole business by answering "yes" to the questions when there is no factual basis for the answers.
Q. As a merchant, I'm entitled to store any data.
Many merchants believe that they own the customer and have a right to store all the data about that customer in order to help their business. Not only is this incorrect regarding PCI, it may also be a violation of State and Federal legislation regarding privacy. PCI DSS specifically forbids storing any of the following:
- Unprotected primary account number (PAN): wherever the card number is stored it must be rendered unreadable, e.g. truncated, hashed, tokenised or strongly encrypted
- Card verification code (CVV2, CVC2, CID), never stored after authorisation, even encrypted
- PIN blocks, never stored after authorisation, even encrypted
- PINs, never stored after authorisation, even encrypted
- Full track 1 or track 2 data from the magnetic stripe (or its chip equivalent), never stored after authorisation, even encrypted
Any of the above found in databases, log files, audit trails, backups, etc. at a merchant can result in serious consequences for the merchant, especially if a compromise has taken place.
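The practical problem is finding this data before an attacker or an assessor does: it usually leaks into debug logs, request dumps and backups rather than into a database field labelled "card". The scanner below is an added example written for this page, not code from PCI SSC or any vendor. It flags PAN-shaped digit runs that pass the Luhn check, magnetic-stripe track 1 and track 2 formats, and CVV-style fields, and reports PANs only in the truncated first-six/last-four form that PCI DSS permits for display. The log lines are constructed sample input using the well-known 4111... and 5555... test card numbers; the regexes are heuristics, and the CVV field names it looks for are an assumption about how such fields are typically labelled.

```python
"""Scan text (log lines, DB dumps, backups) for cardholder data that must not be
stored in the clear. Added example for this FAQ; heuristics, not a complete DLP tool."""
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# not adjacent to other digits (so a 20-digit run is not treated as a card number).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2 format: ;PAN=YYMM<service code><discretionary data>?
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}[0-9]{3}[0-9]*\??")
# Track 1 format: %B PAN ^ NAME ^ YYMM<service code><discretionary data>?
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}[^?]*\??")
# Verification-code fields; the label list is an assumption about common naming.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid|csc)\b\s*[:=]\s*(\d{3,4})", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out order IDs, timestamps and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid PAN candidates (separators stripped) found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """First six and last four digits only: the maximum PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> list[str]:
    """Findings for one line; full PANs are never placed in the output."""
    findings = []
    if TRACK1_RE.search(line):
        findings.append("track1")
    if TRACK2_RE.search(line):
        findings.append("track2")
    if CVV_RE.search(line):
        findings.append("cvv")
    for pan in find_pans(line):
        findings.append("pan:" + mask_pan(pan))
    return findings


def scan_text(text: str) -> dict[int, list[str]]:
    """Map 1-based line number -> findings, for lines that have any."""
    results = {}
    for n, line in enumerate(text.splitlines(), start=1):
        f = scan_line(line)
        if f:
            results[n] = f
    return results


# Constructed sample log: line 1 is a benign order ID that fails Luhn,
# lines 2-4 contain data that must not be stored, line 5 is correctly masked.
SAMPLE_LOG = """\
2024-03-01 12:00:01 INFO order=1234567890123456 auth approved
2024-03-01 12:00:02 DEBUG raw request: card=4111 1111 1111 1111 cvv2=123 exp=1225
2024-03-01 12:00:03 DEBUG swipe: ;5555555555554444=2512101?
2024-03-01 12:00:04 DEBUG swipe: %B4111111111111111^DOE/JOHN^2512101?
2024-03-01 12:00:05 INFO order=7788 masked=411111******1111 ok
"""

if __name__ == "__main__":
    for n, f in scan_text(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(f)}")
```

Run this over application logs, database exports and restored backups, not just the production database; the Luhn filter removes most false positives from timestamps and IDs, but a hit still needs a human to confirm it and to trace which code path wrote it.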
Q. Who has to comply?
If you are a merchant or service provider and accept payment cards, you must validate PCI compliance at least annually. There is no way around this. Network security scans are required of all merchants and service providers with external-facing IP addresses that collect, process or transmit payment account information. Even if an entity does not offer Web-based transactions, other services may still make its systems Internet accessible: basic functions such as email and employee Internet access can expose a company's network. These seemingly insignificant paths to and from the Internet can provide unprotected pathways into merchant and service provider systems and can expose cardholder data if not properly controlled.
Q. What are the merchant levels and what do they mean?
The levels below are Visa's; the other card brands use similar thresholds. The level determines how compliance must be validated (on-site assessment for Level 1, SAQ for the others), not whether PCI DSS applies.
- Level 1: more than 6 million transactions per year (any channel), any merchant that has suffered a data breach, or any merchant the card brand deems Level 1.
- Level 2: 1 million to 6 million transactions per year, regardless of channel.
- Level 3: 20,000 to 1 million e-commerce transactions per year.
- Level 4: fewer than 20,000 e-commerce transactions and up to 1 million total transactions per year.
Q. I'm a small merchant who only takes a handful of cards, so I don't need PCI?
A common misunderstanding of the standard is that small merchants handling only a few credit cards a day are exempt from compliance. If you are a merchant and are set up to take credit cards by any mechanism, then you need to be compliant.
Q. I only need to protect my credit card data, not ATM debit card related data, right?
No - both are required. Many debit cards are dual-purpose "signature debit," which can be used on debit and credit card networks. As such, they are covered under PCI and must be protected in the same way as credit cards.
Q. I can wait until my business grows.
No. The PCI standard applies to businesses of all sizes, and waiting could be costly. Should you be compromised while not compliant, the fines and the compensation demanded by the banks (it typically costs between $50 and $90 to replace one card) could be substantial.
Q. I can wait until my bank asks me to be compliant.
The dates for merchants to be in compliance are long gone. You are responsible for making sure you are in compliance. Waiting until the bank asks you could be very costly indeed.
Q. As a merchant, I did not sign anything saying I would be compliant; therefore, I do not need to be.
The PCI standard forms part of the operating regulations, the rules under which merchants are allowed to operate merchant accounts. The agreement signed when you open a merchant account states that the card brands' regulations (including PCI DSS) must be adhered to. Even if you have been in business for decades, PCI still applies if you store, process or transmit card data.