Payment Card Industry (PCI) compliance keeps cardholder data safe. These sets of regulations also keep businesses safe by preventing fraud.
PCI compliance reduces data breaches and stolen data. However, there are consequences for businesses that fail to be compliant under PCI standards. Noncompliant merchants can face hefty fines when cardholder data gets stolen.
What is PCI Compliance?
The top card brands including Visa and Mastercard created the PCI Standards Security Council in 2006. The PCI SSC continues to govern PCI compliance. They work independently from card brands and banks.
Payment brands and acquiring banks are responsible for enforcing PCI compliance as they work directly with merchants.
The goal of PCI compliance is to ensure businesses can safely handle, transfer, and process cardholder information. It also holds merchants accountable for any data breaches that compromise customers’ information.
PCI compliance covers best practices for securing cardholder and transaction data. This includes software and passwords.
How Do I Be PCI Compliant?
Your acquiring bank will have requirements on how often you have to submit for PCI compliance. This keeps you PCI certified.
Your merchant level also determines how you’re certified. Levels are separated by transaction loads. Other factors such as a history of fraud can affect the type of level a merchant is under.
Most merchants can stay PCI compliant by completing a self-assessment every year. However, merchants such as high-risk ones may need a third-party evaluation to stay in compliance.
Identifying your business’s level according to credit card brands’ evaluation is one of the first steps in staying PCI compliant. All merchants are required to quarterly network scans by Approved Scan Vendors (ASV).
Visa and Mastercard list 4 levels in which merchants can fall under.
- Level 1 Merchants must complete a Report on Compliance (ROC). Level 1 includes merchants with a history of Account Data Compromise (ADC) and more than six million annual transactions. Sometimes, credit card brands may decide that a merchant falls into this level for separate reasons.
- Level 2 Merchants are those that have more than one million transactions but less than six million.
- Level 3 Merchants process between 20,000 to one million transactions.
- Level 4 Merchants process less than 20,000 transactions.
Mastercard notes that merchants that fall under Visa’s levels are most likely the same level under Mastercard’s standards.
PCI 12 Requirements
PCI’s 12 requirements are categorized under 6 main goals:
- Create a Secure Network
- Protect Cardholder Data
- Vulnerability Management
- Strong Access Control
- Monitor and Test
- Information Security Policy
Under these goals fall an inclusive list of requirements:
- Firewall – Firewalls monitor network traffic and act as a security measure to protect private information and databases.
- No vendor-supplied defaults – Merchants should change default passwords and settings to deter hacking.
- Properly store cardholder data – Cardholder data should only be stored when necessary and to be protected both physically and digitally.
- Encrypt cardholder data – Cardholder data being transmitted should be encrypted which makes it unreadable by third-parties.
- Anti-malware software – Install and update softwares and programs that target viruses and malware to further protect private information.
- Secure systems – Security patches can be used to deter data access.
- Restrict data access – Only authorized personnel should be able to access cardholder data.
- Monitor access – Be able to track access by monitoring each authorized person’s activity.
- Restrict physical access – Protocols such as enforcing ID badges to enter areas with physical data further protects data.
- Test security – Routinely check and update security measures.
- Information security protocol – Have a clear policy for all personnel to comply to.
The PCI DSS outlines each of these requirements in detail. Additionally, Revitpay is here to help your business stay PCI compliant. Contact us today to find out how we can help you.