A Layman’s Guide To Understanding PCI DSS
Unless you happen to be one of those weird businesses that only accepts cash, you probably deal with credit cards.
And, as you know, credit card data security is an integral part of safe shopping in modern times. Generally speaking, people aren’t too happy when their credit card info gets swiped. In particular, businesses who accept or process credit cards in any way are required to make sure their files and other systems are kept secure.
These standards are called the Payment Card Industry Data Security Standard (PCI DSS). (Side note: there are going to be a TON of acronyms in this article.)
Because we realize this is complicated and confusing, we’ve compiled this somewhat simple guide to acquaint small or medium-size business owners with the PCI DSS and how they can comply with its standards.
In September 2006, the five major credit card brands in the industry (Visa International, MasterCard, American Express, Discover, and JCB) established the Payment Card Industry Security Standards Council (PCI SSC), an independent entity that oversees the continuous refinement of the PCI DSS to ensure high levels of security at every point in the transaction process.
Businesses that use credit card transactions are accountable directly to the card company and the banks which handle the money (called “acquirers”), not the council. Still, the council is an integral part for maintaining accountability, evaluating technological weaknesses and trends, and refining standards to maintain security.
Any institution, business, or other entity that accepts, transmits, or stores cardholder information is required to follow the PCI DSS.
Did you catch that? If you accept credit cards, you are required to follow PCI DSS. Do you take credit cards? Then you have to comply. Got it? Good.
The PCI defines cardholder information as the full Primary Account Number (PAN), or the full PAN plus any of the following:
1. Cardholder name
2. Expiration date
3. Service code
4. Full magnetic stripe data
5. CAV2, CVC2, CVV2, CID
6. PIN blocks
7. Other data
This applies regardless of the size or number of transactions. If you or someone in your company would like to know the most recent standards, they are available here. Each business that in some way handles cardholder data falls into one of four “levels,” established by Visa.
This level is determined by how many Visa transactions are performed by the merchant (who is “Doing Business As,” or DBA) in twelve months—an aggregate number that includes credit, debit, and prepaid transactions.
In cases where a corporate entity has multiple merchant DBAs, the total transactions of the whole company are evaluated. If the corporate entity does not interact with the data on behalf of its merchants, each DBA is evaluated individually to determine its level.
In the context of PCI DSS, a merchant is any entity that accepts payment cards bearing the logos of any of the five members of the PCI SSC (American Express, Visa, Discover, JCB, and MasterCard) as a form of payment. A merchant can also be a “service provider,” which will be defined below.
So, you do accept one of the big 5 credit cards? Then this applies to you! See, we told you this was relatively simple.
Level 1—Any merchant which processes over 6 million Visa transactions per year, regardless of acceptance channel (in-person, mail, telephone, or e-Commerce), or any entity that Visa determines should be categorized as Level 1 to minimize risk to the Visa system. Level 1 = Big dog.
Level 2—Any merchant which processes 1 million to 6 million Visa transactions per year, regardless of acceptance channel. Level 2 = Medium dog.
Level 3—Any merchant which processes 20,000 to 1 million Visa e-Commerce transactions per year. Level 3 = Small dog.
Level 4—Any merchant which processes fewer than 20,000 Visa e-Commerce transactions per year, and all other merchants processing up to 1 million Visa transactions per year, regardless of acceptance channel. Level 4 = Teacup Poodle.
In order to meet the PCI requirements, each merchant has to go through a series of steps. This section is especially applicable to small- and medium-sized business owners, so pay attention!
And yes, we admit, this section gets a little dicey. You may want to grab a cup of coffee before reading it.
Each merchant has to complete a Self-Assessment Questionnaire (SAQ) to determine what their compliance will look like. After filling out the questionnaire, some merchants have to complete, and obtain evidence of passing, a vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV). Not every merchant has to do this part; only merchants completing SAQ A-EP, SAQ B-IP, SAQ C, SAQ D-Merchant, or SAQ D-Service Provider must comply with this step.
Let’s all agree that there are way too many acronyms in that last sentence!
Next, you must complete the relevant Attestation of Compliance in its entirety (you can find it in the SAQ tool). Finally, you must submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer.
Then you assemble and send a DNA sample to... oops. Sorry, we got a bit carried away there.
If your business takes credit card information by phone such as in a call center you are still expected to comply completely with PCI DSS, even if phone calls are the only acceptance channel your business uses.
Additionally, while SSL encryption is an important step for protection against hackers, it isn’t enough to be PCI compliant.
PCI DSS compliance is designed to keep cardholders and their information safe, so its scope extends very broadly. Businesses that only use one method of acceptance are still required to fully comply with PCI DSS standards, and merchants who use third-party processors are not exempt either.
If your business is rolling in cash so much so that you have multiple locations, usually you only have to validate once every year for all the locations, assuming they all use the same Tax ID.
However, you still must submit quarterly passing network scans by an ASV, if that applies to you.
Interestingly, though all companies that accept credit or debit card data are expected to comply with PCI standards, if you don’t store the data (which some companies do for recurring billing purposes) this is less risky so the compliance process may be easier.
It’s also important to remember that all cards bearing the logo of one of the five PCI SSC companies are subject to PCI standards, not just credit cards.
Recall that some businesses are required to perform a quarterly vulnerability scan. Now would be a good time to explain what that is in more detail. An Approved Scanning Vendor, or ASV, will conduct a scan of the various networks and web applications of the IP addresses provided to them by the merchant or service provider, which will target and expose any vulnerabilities in the company’s operating systems, services, and devices that hackers could use to access the merchant’s private network.
Basically, the ASV will make sure Russian hackers don’t break into your system, steal your credit card info, and post all your risky photos on the internet. You don’t want that.
If performed by an ASV (which is the only approved vendor anyway), no software will need to be installed on your systems. Scans are required once per quarter or every 90 days, and merchants must submit compliance reports according to the timetable determined by their acquirer.
As mentioned above, some merchants are also considered service providers. This is simply an entity, other than one of the five payment brands, that is directly involved in the storing, processing, or transmission of cardholder information. It also includes any company whose services control or could impact the security of cardholder data.
A merchant falls into the service provider category if they accept payment cards for transaction purposes and if the transactions store, process, or transmit cardholder information on behalf of another merchant or a service provider.
A payment application is anything that transmits, stores, or processes cardholder information. This covers everything from swipe systems in a restaurant to the software used in your e-Commerce shopping cart—and all of it is subject to industry standards to ensure security.
This is not complicated. That credit card thing you call, “Mr. Swipey”? That’s a payment application, as is the shopping cart on your website.
The Payment Application Data Security Standard (PA DSS) is maintained by the PCI SSC and exists to ensure that all vendors who provide payment applications to merchants comply with PCI DSS standards and that their applications do not preserve cardholder data.
The PCI SSC itself administers the program that evaluates PA DSS compliance and maintains a list of vendors that have passed inspection.
A payment gateway connects a merchant to its acquiring bank, or a processor that connects them to the card brand. They take information from a variety of sources and route it to the correct bank or processor. They can communicate with the bank or processor in a variety of ways (dial-up, web-based connection, etc.), so it’s important that they are secure as well.
On another note, why are we still using dial-up for anything?
Frequently, merchants like to have the option of holding onto card information for customer ease in making repeat transactions. The safest and most hassle-free way to do this is to partner with a third-party provider which offers a credit card vault and tokenization (this means they store all customer data in an encrypted digital vault, and provide the merchant with a token that is keyed to each customer for purposes of rebilling).
This way, all cardholder data is removed from your possession, and the responsibility for its security does not fall on you, but on a third-party company that specializes in data protection and has met very high standards in order to do so.
Merchants may also choose to maintain cardholder data themselves, but the process to do so is quite rigorous and a person called a Qualified Security Assessor may have to come on-site and perform an audit to ensure you are able to meet PCI DSS standards.
Let us simplify: if you’re going to keep data, you sure better keep it safe or things will go very, very bad.
PCI standards advise that only the first six or last four digits of the PAN be printed on any copy of a transaction receipt. While this technically does not prohibit the full number from being displayed, it is important to note that any laws which do legislate what may appear on a receipt are to be followed.
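As an added illustration (not from the original article), here is a small Python helper that masks a PAN down to the first six and last four digits described above, plus a Luhn-based check a merchant could run over receipt or log text to catch a full PAN that slipped through. The sample receipt lines are constructed; 4111 1111 1111 1111 is a standard test card number, not a real account.

```python
import re

def _digits_only(pan: str) -> str:
    # Strip the spaces/dashes that formatted PANs often carry.
    return re.sub(r"[ -]", "", pan)

def mask_pan(pan: str, keep_first6: bool = True, mask_char: str = "*") -> str:
    """Mask a PAN so at most the first six and last four digits survive,
    which is the maximum PCI DSS allows on a printed receipt. With
    keep_first6=False only the last four are shown."""
    digits = _digits_only(pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN")
    head = digits[:6] if keep_first6 else ""
    return head + mask_char * (len(digits) - len(head) - 4) + digits[-4:]

def luhn_ok(digits: str) -> bool:
    """Luhn checksum. Every real PAN passes it, so a 13-19 digit run that
    passes Luhn is a strong sign a full PAN leaked into text."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 9 // 2 + 1 and d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

# 13-19 digits, optionally separated by spaces or dashes, not glued to other digits.
_PAN_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_unmasked_pans(text: str) -> list:
    """Return full PANs found in receipt/log text. Properly masked values
    (e.g. 411111******1111) never match because the digit runs are too short."""
    hits = []
    for m in _PAN_RUN.finditer(text):
        digits = _digits_only(m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits

# Constructed sample receipt lines for the check above.
RECEIPT_OK = "VISA 411111******1111  AMOUNT 12.34"
RECEIPT_BAD = "VISA 4111 1111 1111 1111  AMOUNT 12.34"
```

Run `find_unmasked_pans` over the receipt templates or log files your point-of-sale software produces; any hit means a full PAN is being written where only a masked one should appear.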
Standards are in place for a reason: to keep consumers safe. When a merchant chooses to not comply with PCI DSS standards, there are consequences. Most of the time, this means heavy fines—anywhere from $5,000 to $100,000 per month, charged by the payment brand to the acquiring bank, which will usually pass the cost along to the business itself.
It is very likely the bank will terminate your relationship or exorbitantly increase transaction fees. These kinds of penalties can devastate a small business. You will be given a merchant account agreement, and to avoid penalties like this it is important to follow it exactly.
Take away point: unless you like burning money for fun, you don’t want this to happen. Seriously.
While PCI isn’t a law, it is industry standard, and companies who refuse to cooperate with it can be subject to and responsible to absorb the costs of fines, card replacement costs, costly forensic audits, brand damage, and other consequences in the event of a breach, as determined by their acquirer.
The initial effort and cost of complying with PCI DSS will save you from the nightmare of these far more awful, complex, and devastating consequences.
In other words, you may not be thrown in jail if you don’t comply, but you will still be run out of town, metaphorically speaking.
Home-based small businesses are especially vulnerable to hacking because they aren’t well-protected. No, being forced to enter a password when you log on to your computer does not count as “good” protection.
Hackers will often easily exploit broadband connections, and can access information through things like Internet chat and games. ControlScan, a major ASV endorsed by the PCI SSC, provides special software for home-based businesses that will allow them to identify and fix any weaknesses in their network’s security.
It ends up being fairly simple to prevent security breaches, but they do still happen. Small- and medium-sized businesses have plenty of recourse, including from the Department of Justice, the PCI Council, and the Electronic Transactions Association. It is the law in nearly every state and several U.S. territories to notify affected parties (such as cardholders) of company security breaches. California was the first state to do so in 2003.
Congratulations on starting your small business, and kudos for wanting to make sure your transactions are done with integrity and security. Navigating the ins and outs of compliance in the face of hackers who seem to get more sophisticated every day can seem daunting, but hopefully this guide made it a little less scary—and a little more achievable.