PCI Compliance and what it means for your online business
Payment Card Industry Data Security Standards, or PCI, have been buzzed about recently since more and more merchants are popping up online, but it is nothing new. The organization was formed in 2006 by major credit card companies like Visa, Mastercard and Discover, to name a few. This coalition was created to ensure that any and all merchants who process, store or transmit credit card information adhere to a standard of security for its customers. ATAK Interactive, Inc. shares some tips on how you can ensure your online business meets PCI standards and provides a safe shopping environment for your customers.
Business levels and where yours fits
PCI compliance standards depend on which level your business is rated. The levels, ranging from 1 through 4, are based on Visa transaction volume within the last 12 months, inclusive of credit, debit and pre-paid transactions. Most small to medium business owners will fall into Level 4, which is described as any merchant who processes less than 20,000 Visa transactions per year. Keep in mind that most Level 4 merchants will have to comply with the guidelines set by their merchant bank.
There are 12 basic PCI DSS requirements for any merchant. Here is the list:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open networks.
- Use and regularly update anti-virus software.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security.
Tips and general information on PCI compliance
The golden rule of PCI compliance is non-storage of information. This consists of sensitive authentication data, including contents of the magnetic strip, pin or CCV numbers, etc. and any cardholder data such as the name or expiration date. It is PCI compliant to store cardholder data if certain isolation and security measures are performed, but unless you absolutely need this information it’s best to do without it. If you use a POS (point of sale) system, your vendor will be the best source of information. Ask your vendor if the POS is validated to the Payment Application Data Security standards, if the software stores any customer information, and (unless you already know the answer from initial installation), whether you need to install a firewall or other security measures to ensure system protection.
Where do I start?
No merchant wants to be subject to loss of trust from their customers, fines and even litigation because of unsecure payments. Here are some steps you can take to make sure your business – and your customer – is safe.
1. Complete the Self-Assessment Questionnaire, or SAQ, produced by the PCI Standards Security Council. There are different questionnaires for various types of card transactions, but most online businesses will use only SAQ A, which is for “Card-not-present” transactions where you never come face-to-face with the customer. The SAQ can help you identify areas where you may need to improve your transaction security practices.
2. Seek help from professionals. The PCI Standards Security Council has an approved list of vendors that you can hire to evaluate the security of your system. Most small businesses will likely utilize a Payment Application Qualified Security Assessor (PA-QSA) to analyze their payment processes. You can find all qualified professionals here: https://www.pcisecuritystandards.org/approved_companies_providers/index.php
3. Ensure that any third parties that you work with are PCI compliant. Be aware that you can be liable for any third parties involved with your business.
Being certain that your e-commerce business is PCI compliant can save time, money and anxiety in the long run. ATAK Interactive, Inc. is dedicated to making your business safe, and will only recommend e-commerce merchants who practice PCI compliance to its clients. It’s an extra step to keep you protected in today’s virtual world.