Customer payment data is incredibly valuable, which is why the bad guys are always trying to steal it. And when security is breached and a customer’s data is stolen, it can be a long and frustrating process for the customer to deal with. To insulate consumers from that possibility as much as possible, and to protect their own reputations and the value of their brands, the major credit card companies introduced PCI DSS so that every merchant who processes credit card transactions does its part to keep things secure.
Every single merchant that accepts credit cards is required to comply with PCI DSS, and because the potential consequences of a data breach are so high for the end consumer, failure to comply with the standard is an expensive proposition. The fines for PCI non-compliance could potentially range from $5,000 to $100,000 per month, and those fines are passed through the acquiring bank and payment processor down to the merchant. So, it’s not an exaggeration to say that failure to comply with PCI DSS could potentially be a fatal mistake for many businesses.
What Does PCI Compliance Require?
There are four levels of PCI DSS compliance that apply based on a merchant’s Visa transaction volume and determine the stringency of compliance standards. Most small businesses fall into level three or four, and, generally, only businesses processing over six million transactions per year require level one compliance. But it’s important to note that Visa has the authority to decide at any time that any merchant must meet level one standards.
Regardless of the level and the details of compliance, the PCI standard is built around twelve pillars. To be compliant, a business must meet all twelve requirements, which are:
- Use and maintain firewalls to protect systems
- Use proper password discipline
- Protect any cardholder data that is stored
- Encrypt all transmitted data that includes cardholder information
- Use and update anti-virus software
- Properly maintain and update software
- Restrict cardholder data access to those who need it
- Assign a unique user ID to every person with system access
- Restrict physical access to areas where servers with cardholder data are physically stored
- Utilize and maintain access logs for all users
- Scan systems for vulnerabilities and engage penetration testing
- Document security policies
How to Get (and Stay) Compliant
Once a business has determined its compliance level, it must then complete a self-assessment questionnaire (SAQ) provided by PCI. There are eight versions of the questionnaire, and which one applies depends on how a company conducts business and processes payments; the relevant questionnaire will help identify any weaknesses in compliance, which must then be remedied. Once the questionnaire can be completed fully with no deficiencies, the business must submit it, along with a vulnerability scan and an attestation of compliance, to its merchant bank. Once those documents have been accepted, the business is deemed compliant. But the work isn’t over – it never is. To stay compliant, vulnerability scans must be conducted on a quarterly basis, and a new SAQ must be submitted each year.
If that sounds like a lot, it’s because it is. PCI compliance is not necessarily simple, but it is extremely important – both for the safety of customer data and the financial wellbeing of merchants. That means taking PCI DSS compliance seriously and ensuring the proper steps are taken is crucial to long-term success. At BAMS, we get that not every business has an in-house IT team. And because PCI compliance is a confusing, yet extremely important process, BAMS offers all of our merchants expert guidance on what they need to do to ensure they never have to worry about running afoul of the card companies or racking up major fines.
For more information on how BAMS can help your business become PCI compliant, please reach out to a member of the team.