PCI Compliance 101 Series – What is expected of you?

March 5, 2010

The first article in the series dealt with “The Basics” of PCI Compliance (see previous article here). Now we want to tackle what is expected of you. One of the most complicated pieces of the process can be understanding what is your responsibility and what is your credit card processor’s responsibility. We will try to boil down the issue of PCI Compliance to the essentials as much as possible. Regardless of who you are or what your business does, you should always have a trusted advisor that you can talk to about your merchant account or credit card processing solution. (For information on how to find someone, see my previous article on Finding a Trusted Advisor.)

Before we go into any more detail, if you would like information on PCI definitions, FAQs, etc., please see the PCI Security Standards Council FAQ Area.

The entire process of PCI Compliance is aimed at reducing the chances that your business will do something that causes your customers’ sensitive information to be exposed and used fraudulently. One of the biggest misconceptions is that your credit card processing company is supposed to take care of everything and that if something happens the pressure is on the processing company. If you don’t get anything else from this article, you should understand that your company’s PCI compliance is 100% your responsibility.

Your credit card processor and the credit card industry are compelled to help ensure that sensitive data is not readily vulnerable to theft, because if your business experiences a breach and is forced to file bankruptcy, the processor is held responsible for your breach. Consequently, everyone up the chain from you must also be PCI compliant, including the manufacturer that provides your credit card terminal or software, your credit card processor, and anyone in between that helps transmit the credit card data for transaction processing.

The simple answer to the question of what is expected from your business is:

  • to go through the process of checking your business processes and systems to ensure that you are limiting the chances of your customers’ information being taken by someone who shouldn’t have it
  • to ensure that you and your employees are properly handling sensitive credit card and personal customer information
  • to ensure that the hardware and software you use is compliant with the data security standards created by the PCI Council (see PA-DSS standards and PIN Transaction Security info)
  • to scan your network, or have someone else do it, on a regular basis to ensure that there aren’t ways for hackers to gain access to customer information via your wireless networks or internet service

Why should you care about PCI Compliance? Here is a very simple list:

  • Your business could be seriously impacted or even bankrupted by a breach
  • The Ponemon Institute’s 2009 Survey on the Cost of a Data Breach found that the average cost per compromised record was about $204; however, across the data breaches experienced by the 45 organizations surveyed in 2009, the least expensive total cost for an organization was $750,000 and the most expensive was $31 million.
  • The financial impact to a business that experiences a data breach is not just the cost of cleaning up the problem; it also causes a loss of customers and future business
  • Going through an annual compliance process usually costs less than $500, which is not a bad investment
  • Just because your credit card processor shows “$50,000 of Security Breach Insurance” doesn’t mean that your solution is compliant or that your company is safe, especially when the least costly breach in 2009 cost the company $750,000.

Where can you go for more information?

  • Visit the PCI Security Standards Council website at https://www.pcisecuritystandards.org
  • Call your credit card processing company and ask them what their process for PCI compliance is and what you need to do
  • If you use Point of Sale software, check with the company that supports your solution.
  • Check with one of the many Qualified Security Assessors or Approved Scanning Vendors listed on the PCI Council website at https://www.pcisecuritystandards.org/qsa_asv/find_one.shtml

Hopefully this information and these resources will give you a chance to educate yourself on the topic of PCI compliance and help you better understand why and how the guidelines affect your business.

Thank you as always for reading. If I can do anything to help your business answer questions or point you in the right direction, please visit the “Contact Me” tab or just email me directly at takingcards@gmail.com

Thank you,

Ben Wallace


PCI Compliance 101 Series – The Basics

December 3, 2009

Businesses large and small are being affected by the PCI Security Standards and the associated compliance regulations, which are being enforced by their processing company. In an effort to help explain what PCI is and why it is important, I am starting a blog series that hopefully will shed some light on a very complicated issue.

PCI Compliance is focused on reducing the chances for credit card fraud, especially in regards to credit card and cardholder information. The standards were put in place to help the credit card industry establish security guidelines for everyone who is involved in the process of accepting and processing credit card payments.

PCI stands for “Payment Card Industry”, which is made up of all the players in the credit card processing industry. Simply put, anyone that touches credit card transactions is involved, regardless of the extent of involvement they have in the process. The main players in the payment card industry and the security compliance process are:

  • Processors – Companies that actually process transactions on behalf of businesses. Sometimes called “Acquirers”
  • Issuers – An institution or bank that issues a credit card to an individual or a business
  • Associations – Sometimes called “Brands”, these are groups such as Visa and MasterCard. Associations are comprised of credit card issuers and acquirers. They facilitate the flow of transaction information and govern their members through a series of by-laws which regulate authorization, processing, and settlement
  • Qualified Security Assessor (QSA) – These are the companies that perform the PCI compliance assessments as they relate to the protection of credit card data. QSAs typically are companies whose primary business is PCI Compliance. A current list of QSAs can be found on the PCI security standards site at https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf
  • Approved Scanning Vendors (ASV) – Vendors authorized to provide security scanning services in compliance with PCI standards. Typically ASVs are security solution providers that offer scanning services in addition to other general services. A current list of ASVs can be found on the PCI security standards site at https://www.pcisecuritystandards.org/pdfs/asv_report.html
  • PCI Security Standards Council – a forum created by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. Visit their website at www.pcisecuritystandards.org
  • PCI Data Security Standards (PCI DSS) – a set of requirements for enhancing payment account data security, developed by the PCI Security Standards Council to help facilitate the broad adoption of consistent data security measures on a global basis

The simple explanation of why the PCI security standards were created is that they were a response to credit card fraud. The card brands realized that if they did not proactively engage in measures to secure cardholder data, fraud and theft would either destroy their industry or require the government to establish guidelines for them.

Every merchant that signs up with a processor to accept credit card payments from their customers must agree not only to the terms and conditions of the processing company but ultimately to the terms and conditions of the card brands as well. This puts merchants in a position where they are compelled to follow the PCI Compliance procedures set forth by the PCI Council and implemented by the QSAs on behalf of the processing companies. PCI Compliance covers the equipment that you use to take card payments, the system or network that the equipment is connected to, how you handle credit card information, and the processes you use to reduce the chances of credit card fraud at your business.

The data security standards required of every participant in the process are summarized by the PCI Council in the following principles:

  • Build and Maintain a Secure Network
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Test and Monitor Networks
  • Maintain an Information Security Policy

In subsequent editions of the PCI Compliance Series, we will work to help you better understand what is required and why you should pay attention to these issues.

If you have any questions regarding PCI Compliance, please don’t hesitate to leave a comment or email me directly at takingcards@gmail.com

Thank you,

Ben Wallace
