With more than one billion credit cards in use in the US, offering this payment option to your customers is a great way to boost sales and grow your enterprise. However, with data breaches on the rise, merchants are more obliged than ever to protect cardholders’ information. When you understand what PCI means and how it affects your business, becoming compliant will be the only right choice.
As an entrepreneur, your goal is to have loyal customers that will feel safe and protected while doing business with you. That’s why you should know all the risks associated with cashless payments and how you can protect yourself and your clients.
What Does PCI Mean and Who Needs to Be Compliant?
PCI, or Payment Card Industry, compliance is a set of rules laid down in the Data Security Standard (DSS) whose primary goal is to reduce credit and debit card losses. These norms are created and enforced by the five major card brands that make up the PCI Security Standards Council (SSC): Visa, MasterCard, Discover, American Express, and JCB.
The council is a global open body that provides the tools needed to implement every mandated standard. In practice, this means that merchants who accept cards bearing the logo of any of the five council members must follow the established rules. PCI rules exist to ensure a secure environment for cardholder information, and sticking to them will help you build a trusted and reliable brand.
PCI DSS applies to merchants and service providers that handle, process, or transmit credit card data. The fact that approximately 40% of Americans are more likely to pay with a card than with cash is a sure sign that society is slowly moving toward an entirely cashless payment environment. Additionally, almost 75% of consumers shop online, and acknowledging the need for high-level protection brings owners one step closer to a successful company. Take this into account when growing the enterprise, because a safe environment can only benefit you in the long run.
How to Protect Cardholder Data?
Protecting customers’ data is one of the main tasks when your company starts accepting plastic. There are some basic practices you can follow that include:
- Segmenting your network – the more valuable the information, the more it should be separated from your everyday data.
- Securing remote access – multi-factor authentication is a must.
- Installing protective systems – firewalls and intrusion detection/prevention systems are a step up in protection.
- Complying with PCI DSS – these requirements cover all the basics, keeping your enterprise safe and cardholder information secure.
How Much Does It Cost to Be PCI Compliant?
The cost varies dramatically depending on many factors. It can be anywhere from $500 a year to over $50,000. Here are some of the variables that affect the overall cost:
- The type of your business – each has a varying amount of cardholder info, risk levels, and environmental structure.
- The size of your organization – commonly, the larger organizations have more potential gaps. There are more employees, more computers, processes, which all result in a higher cost.
- Security culture – if protection is one of the top priorities, the management will invest in it, creating higher overall costs.
- Organizational environment – the design of the network, tech used, and types and numbers of systems, can also affect the cost.
Why Is Payment Security Important?
According to the World Economic Forum, cyber-attacks are among the top five risks to global stability. The breaches lead to compromised accounts, which will, without a doubt, affect your company and the entire payment card ecosystem.
Put emphasis on payment security because it can make or break your growing enterprise. Besides losing your customers’ trust, you will have to pay fines and deal with legal charges. The Verizon Data Breach Investigations Report shows that 58% of cyber attacks were aimed at small organizations with fewer than 250 employees. Also, recent statistics show that almost 60% of small enterprises never reopened after a cyber attack.
What Are the Costs of a Breach?
The worldwide number of web attacks blocked every day increased by approximately 56% between 2017 and 2018. Adding the fact that, on average, 4,800 websites monthly are compromised with formjacking code, the breach problems have never been more real and ongoing.
The longer a company waits to secure cardholders’ information, the higher the cost of a breach will be. Some enterprises choose to pay fees instead of complying with the standard, but they don’t realize how expensive that can get.
After the breach, companies might face numerous types of financial loss that include:
- The forensic examination that could cost anywhere between $12,000 and $100,000
- Notification fines can be anywhere between $2,000 and $5,000
- Merchant processor compromise penalties are anywhere from $5,000 to $50,000
- Tech repairs, depending on the damage, can cost from $2,000 to $10,000
- QSA onsite evaluation after the breach is between $20,000 and $100,000
Additionally, there are legal fees and costs of civil litigations to think about. Lawyer fees sometimes can skyrocket your costs. Also, the Federal Trade Commission can sue the hacked company if it didn’t have the proper protection.
How to Become Compliant?
Growing a business is a strategic process filled with unknowns. However, meeting every protection standard should be neither stressful nor complicated. Follow this PCI compliance guide through five steps, and you will be ready to go:
First, determine your compliance level and see where your company currently stands. This is a good time to check how you handle transactions and how much volume you process.
Secondly, fill out a self-assessment questionnaire (SAQ). This questionnaire walks you through the different requirements and helps you identify the missing parts of your payment security architecture. Once you have identified the shortcomings, make the necessary changes to improve the situation. When you are done, retake the SAQ.
Thirdly, fill out a formal Attestation of Compliance (AOC) and qualify for assessor review.
Finally, when everything is done, file the paperwork with your banks and card processors. You just need to submit both the SAQ and the AOC, plus any additional paperwork those organizations request.
What are the Consequences of Non-Compliance?
Non-Compliance fees are an expensive reminder to ensure your business becomes compliant. Some processors choose to charge them when businesses fail to show they meet all PCI-DSS requirements. These fees are monthly or annual charges imposed by processors, and they are mostly between $10 and $30, but they can go as high as $100 a month. If you want to get rid of this cost, the logical thing would be to start following the rules. Call your card processor and merchant service provider and ask how you can remove it.
What Are the PCI Data Security Standards?
The DSS is the set of rules and guidelines that will help you protect cardholder information as well as possible. Go to the official PCI Security Standards Council website, and you will find everything you need to know about them in detail. The rules are updated continuously, giving merchants clarifications on the various requirements.
Benefits of PCI Data Security Standards
As an entrepreneur, you should be aware that being compliant is an investment with a long list of benefits. With improved protection, there is a lower risk of breaches. Customers will appreciate all the ways you are keeping their information safe, and that trust will have a direct impact on the growth of your profit. You could benefit from loyal buyers, since the eCommerce market is forecast to reach 4.9 trillion dollars by 2021, and devoted clients can recommend your enterprise to others. Also, most importantly, complying with the rules means you will avoid the high charges and fees imposed on businesses that do not stick to them.
How to Comply With DSS?
There are 12 general security requirements every merchant must meet to be DSS compliant. However, depending on the industry, there can be over 200 sub-requirements. You can check current ones on the official SSC website.
Comply with basic requirements by:
- Using and maintaining firewalls, because they block access from unknown entities.
- Having proper password protection and avoiding vendor-supplied default passwords.
- Protecting stored cardholder data, which is a two-fold task: the data must be encrypted with a strong algorithm, and the encryption keys themselves must be managed and protected.
- Encrypting transmitted information, which is a must; account numbers should never be sent to unknown locations.
- Using and maintaining anti-virus software on every device that interacts with or stores the PAN (primary account number).
- Keeping software updated, because each update adds another layer of protection.
- Restricting access on a need-to-know basis. Those who do not need access should not have it at all.
- Giving each person a unique ID for access. Employees should not share a group username and password; unique IDs reduce vulnerability.
- Restricting physical access to data kept on hard drives.
- Creating and maintaining access logs that record all activity involving cardholder data. One of the most common problems is a lack of record-keeping.
- Scanning and testing for vulnerabilities, because many things can malfunction. With frequent testing, they can be spotted right away.
- Documenting policies, which lets you follow how information flows into your enterprise, where it is kept, and how it is used after the sale.
What Are the Best Tools for Complying With DSS?
Failing to meet DSS requirements has many consequences, including the risk of high fines and losing the ability to accept cards. That’s why the right tools can help you reach and maintain compliance. Some of the best ones are not only user friendly but also cost efficient and sustainable:
- SolarWinds Event Manager
- SolarWinds Patch Manager
- Trend Micro Antivirus
- SolarWinds Access Rights Manager
- ManageEngine ADAudit Plus
PCI Compliance Levels Vary by Size and Cardmember Company
As a business owner, you should know that there are four merchant compliance levels, each with a slightly different list of requirements. The level is determined mainly by the number of transactions processed per year. These levels are used to gauge risk and work out the appropriate level of protection for the company.
Merchant Level 1
The main criterion for this level is that the merchant processes more than six million MasterCard, Visa, or Discover transactions a year, more than 2.5 million American Express transactions, or more than one million JCB transactions. Merchants that have suffered a cyberattack resulting in compromised data, and businesses that a card association has designated as level 1, are also placed here. When the criteria are met, the business must fulfill these validation requirements:
- Performing a quarterly network scan with the help of an Approved Scanning Vendor (ASV)
- Filling out the Attestation of Compliance form
- Providing an annual Report on Compliance (ROC), also known as an onsite assessment, by a Qualified Security Assessor (QSA).
Merchant Level 2
To be placed in level 2, your company should process between one million and six million MasterCard or Visa transactions yearly through all channels, between 50,000 and two million American Express transactions, or fewer than a million JCB transactions. An annual Self-Assessment Questionnaire (SAQ) is one of the validation requirements, together with a quarterly network scan and the Attestation of Compliance form.
Merchant Level 3
Level 3 merchants process between $20,000 and a million dollars in Visa or MasterCard e-commerce transactions yearly. A yearly SAQ and a quarterly network scan by an ASV are mandatory validation requirements, as is the Attestation of Compliance form.
Merchant Level 4
The main criterion for this level is processing less than $20,000 in MasterCard or Visa e-commerce transactions yearly. Level 4 merchants must also meet the validation requirements: a yearly SAQ, the Attestation of Compliance form, and a quarterly network scan by an Approved Scanning Vendor.
How Does a Payment Provider Get Certified?
A payment service provider (PSP) acts as the mediator between card brand networks, merchants, customers, and financial institutions to process electronic payments. PSPs are essential to businesses that accept cards, and that’s why every reliable PSP should be certified. Merchants that use the services of an uncertified provider can face serious penalties: class action lawsuits can be filed against them, and a fine of up to $10,000 a month can be imposed. If you want to grow a successful company, you need a certified PSP.
Certification means that providers have to:
- Install and maintain a firewall
- Avoid using vendor-supplied default settings
- Protect stored information
- Encrypt sensitive information in transit
- Use anti-virus software and update it regularly
- Develop and maintain secure systems and applications
- Limit access on a need-to-know basis
- Give every person with access a unique ID
- Restrict physical access to information
- Monitor and track all access to information
- Test protection systems and processes regularly
- Maintain an information protection policy
How to Check If Your Provider Is Certified
If you are not sure whether your provider is certified, there is a way to check. Go to the official Visa website and look it up. Their list shows each certified PSP; all you have to do is enter a company name or a region of operation. The list also shows the assessor that conducted the audit, the services reviewed, and the date of validation. If the validation documents are between one and 60 days from expiry, that is flagged on the site.