We Take PCI Compliance Seriously: Here’s Why That Matters
If your organization touches money, you’ve probably heard of PCI compliance. But what does it actually mean, and how can it affect your business? PCI compliance is vital for any business that processes credit card or debit card transactions. Though compliance may feel like an onerous task, it’s actually an essential tool to help safeguard your customers and your business.
What Does PCI Compliance Mean?
Though PCI DSS (Payment Card Industry Data Security Standards) has been in place since 2006, there are still a lot of companies and other organizations that don’t really understand what the standards are and what steps they need to take to ensure compliance.
Unfortunately, many organizations don’t even know if they need to be PCI compliant.
Does My Organization Need to be Compliant?
There is a persistent myth that small businesses don’t need to be PCI compliant. However, any company that allows customers to pay for their goods or services with credit cards or debit cards needs to adhere to the PCI DSS standards. Depending on how many transactions you process each year, there are different compliance standards your organization needs to meet.
Levels of PCI Compliance
PCI compliance standards are broken down into 4 levels:
Level 1: Merchants processing over 6 million card transactions per year.
Level 2: Merchants processing 1 to 6 million transactions per year.
Level 3: Merchants handling 20,000 to 1 million transactions per year.
Level 4: Merchants handling fewer than 20,000 transactions per year.
Depending on what level your business falls under, there are different steps you need to take to comply with and prove you comply with these standards. There are many requirements that organizations need to meet to be considered compliant, including security measures, management requirements, policies, and network designs. These requirements are designed to ensure that all credit and debit card transactions are processed securely and that records of those transactions are also secure.
PCI Compliance Requirements
PCI compliance rests on 12 overarching requirements:
- Install and maintain a firewall configuration that protects cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect cardholder data.
- Ensure that the transmission of all cardholder data over open, public networks is encrypted.
- Use anti-virus software or programs and keep them up to date.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data to those with a business need to know.
- Ensure each person with computer access is assigned a unique ID.
- Ensure physical access to cardholder data is restricted.
- Track and monitor all access to cardholder data and to network resources.
- Ensure security systems and processes are tested regularly.
- Maintain a policy that addresses information security for all personnel.
PCI Compliance Self Assessments
To many small business owners, PCI compliance seems like a lot of work and expense for nothing. However, ensuring your company is PCI compliant doesn’t need to be expensive or complicated. Ensuring compliance doesn’t mean you need to spend tens of thousands of dollars on the newest and greatest security products, support a full in-house security team and pay an outside auditor to come and check that you’re compliant.
If your organization falls under level 2, 3, or 4 (that is, it processes fewer than 6 million transactions per year), you can fill out a Self Assessment Questionnaire (SAQ) to attest that you are adhering to the requirements set out by PCI DSS. An SAQ doesn’t need to be verified by an auditor, but that doesn’t mean it shouldn’t be taken seriously.
If a breach does occur and it comes to light that you weren’t entirely truthful on your SAQ and are found to have been negligent with your security, then your organization could face fines, reputational damage, and even loss of business. As such, the SAQ should be answered truthfully, and any gaps in your cybersecurity posture that could keep you from being fully compliant should be addressed as soon as possible.
What Happens to Organizations That Aren’t Compliant?
Not only does failing to comply with PCI DSS standards leave an organization vulnerable to breaches or other malicious activities, but it can also lead to a tarnished reputation, hefty fines, and lost business.
Businesses that are found to be non-compliant may also discover that their bank or credit card holder now refuses to do business with them, since doing so could leave them vulnerable. Significant fines, particularly those incurred by organizations that experience breaches and are found negligent, have the potential to cripple a small business, and reputational damage can be permanent.
A Useful Tool, Not an Onerous Task
Compliance may feel like an arduous task your organization has to complete to satisfy some bureaucrat. However, in reality, it is a useful tool for self-reflection that can help you identify problems that could harm your clients or damage your business. Being PCI compliant is also a great way to show your customers that you care about them and are willing to work hard to safeguard their financial data.
Being PCI compliant doesn’t mean that your business is entirely secure and that you will never experience a breach. All PCI DSS asks is that you take reasonable steps to protect cardholder data.
How Can I Find Out if my Organization is Compliant?
While an honest self-assessment can help you determine if you’re on the right track, the only way to really know if your organization is compliant is to have a third party attest to your compliance. This could mean having an auditor come on-site, or deciding to work with a service provider who specializes in PCI compliance.
Vetting Your Service Provider
The first thing you should do when considering a service provider who specializes in PCI compliance is ask them if they are compliant themselves. After all, you wouldn’t eat at a restaurant whose own staff refuse to eat there, or get your hair cut by someone who looks like their own hair lost a fight with a weed whacker. How can you expect a service provider to take the necessary steps to safeguard your customers’ data if they can’t be bothered to invest the time and effort to ensure compliance for themselves?
If they say they are compliant, make sure you verify by asking to see their Attestation of Compliance (AOC) document. You should also ask them about what sort of PCI compliance experts they have on staff, including whether or not they have any PCI certified employees on staff, such as PCIPs (Payment Card Industry Professionals) or QSAs (Qualified Security Assessors).
What Steps Does Cerdant Take to Ensure Its Clients are PCI Compliant?
At Cerdant, we’re very hands-on when it comes to our clients and PCI compliance. To help us get a solid grasp on the situation, we begin by gathering information on where the customer has been, currently is, and is trying to go when it comes to PCI compliance. Based on that initial assessment, we can work with the client to identify gaps and provide suggestions.
However, there are a few things every organization should be doing to help ensure PCI compliance. These include starting with a great network design and architecture, which can do things like isolate Point-of-Sale (POS) terminals such as credit card machines on their own internal network segment, drastically reducing the scope for compliance.
Once the scope has been reduced (since only that segment of the network needs to meet PCI DSS standards), we work with the client to ensure that all proper policies and procedures are in place for this portion of the network, called the Cardholder Data Environment (CDE) network. Once the network is segmented, Cerdant will help the client tighten their security posture on this network.
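To make the scope-reduction point concrete, here is an added example (not Cerdant’s code or tooling) that models which network segments a simplified "connected-to" rule places in PCI scope: a flat network puts every segment in scope, while isolating the POS segment leaves only the CDE and whatever the firewall still lets reach it. The segment names and firewall rules are constructed sample data.

```python
"""Added example, not Cerdant's code: a small model of how segmentation reduces
PCI DSS scope. Segments, the CDE and firewall rules below are constructed sample
data, and the scoping rule is simplified: the CDE is in scope, plus every segment
the firewall permits to talk directly to it ("connected-to" segments). Real
scoping also considers systems that can impact the CDE's security without a
direct flow, which this model does not cover.
"""

CDE = {"pos"}  # constructed: the POS terminals live on their own segment


def scope_report(rules, cde=CDE):
    """Return (in_scope_segments, scope_expanding_rules).

    rules: iterable of (src_segment, dst_segment) flows the firewall permits.
    A permitted flow in either direction between a segment and the CDE puts
    that segment in scope; the rules responsible are returned for review.
    """
    in_scope = set(cde)
    expanding = []
    for src, dst in rules:
        if src in cde and dst not in cde:
            in_scope.add(dst)
            expanding.append((src, dst))
        elif dst in cde and src not in cde:
            in_scope.add(src)
            expanding.append((src, dst))
    return in_scope, expanding


# Constructed sample 1: flat network, POS can reach (and be reached by) everyone.
FLAT = [("pos", "office"), ("pos", "guest_wifi"), ("pos", "servers"),
        ("office", "servers"), ("guest_wifi", "office")]

# Constructed sample 2: POS isolated; only a management host on "servers" may
# reach it, and the office/guest segments are firewalled off from it entirely.
SEGMENTED = [("servers", "pos"), ("office", "servers"), ("guest_wifi", "office")]


def flat_scope():
    return scope_report(FLAT)[0]


def segmented_scope():
    return scope_report(SEGMENTED)[0]


if __name__ == "__main__":
    for name, rules in (("flat", FLAT), ("segmented", SEGMENTED)):
        segs, why = scope_report(rules)
        print(f"{name}: in scope = {sorted(segs)}")
        for src, dst in why:
            print(f"  rule {src} -> {dst} pulls a segment into scope")
```

Every rule listed as scope-expanding is a candidate for removal or tightening if the goal is to keep the CDE as small as possible.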
Cerdant also helps clients adhere to the quarterly ASV (Approved Scanning Vendor) scans that are necessary for PCI compliance. Since Cerdant is a level 1 service provider, we can provide all our clients with AOCs that they can present to auditors if required. We are also able to help level 2, 3, and 4 businesses with their SAQs and answer any questions they have about the document or the steps they need to take to ensure compliance.
How P2P Encryption Can Help Make Compliance Easier
P2P (Point-to-Point) encryption and other certified technologies have made it easier than ever for businesses to ensure PCI compliance. When used correctly, these technologies can drastically reduce the scope of compliance, sometimes to the point that only the individual terminals need to be covered, making compliance far more manageable.
A Layered Approach
Just like most technology and cybersecurity, a layered approach is the best way to ensure strict adherence to PCI DSS standards. A robust network design, paired with proper policies and procedures, layered with new, carefully vetted technology, can produce a winning formula for both PCI compliance and an improved cybersecurity posture. For years, Cerdant has been the go-to partner for businesses, both large and small, who require help attaining or maintaining PCI compliance.