If your business processes, retains, or transmits credit card information, you most likely know that you are expected to be PCI compliant. Any organization that processes, retains, or transmits cardholder data is expected to be PCI compliant. Compliance is measured against the PCI DSS (Payment Card Industry Data Security Standard), developed by a security council of the major credit card brands. Regardless of merchant size, every business that processes credit card payments must be PCI compliant. PCI compliance matters because it helps prevent identity theft and fraud. Companies that are not compliant face hefty fines, particularly if customers’ credit card data is actually stolen. If your business’ credit card data is breached, you must report it, which is not only very expensive but can also damage your business reputation.
Steps to PCI Compliance
There are twelve requirements included in the full PCI compliance standard, but the basic steps are to Assess, Remediate, and Report your payment card processing procedures and supporting IT assets.
Step 1: Assess
Identify the technical and procedural vulnerabilities around your firm’s credit card processing. The PCI DSS includes detailed requirements on firewalls, passwords, cardholder data storage, encryption, antivirus software, security patches, user IDs, network monitoring, yearly systems testing, and maintaining a consistent security policy. The PCI Security Standards Council has created four Self-Assessment Questionnaires (SAQs) for different business situations; merchants and vendors who are not required to undergo an on-site assessment may use this validation tool. Additionally, the Council approves independent Approved Scanning Vendors (ASVs) to perform vulnerability scans of your computer systems. While evaluating your company’s compliance, it is helpful to map how customers’ credit card data flows through a transaction, from data entry to checkout to storage. Also, remember that third-party vendors who contribute to your credit card processing must be PCI compliant as well, so you will need to confirm their compliance certification.
Step 2: Remediate
Once you are aware of weaknesses in your credit card systems, it is time to fix them. These weaknesses may include software coding defects, unsafe practices surrounding credit card transactions, and more. Remediation efforts are multifaceted and may include software scanning tools, working through the SAQ process, prioritizing vulnerabilities from most to least serious, and re-checking to confirm that the improvements were actually realized.
Step 3: Report
PCI compliance includes consistent reporting. Quarterly reports must be submitted to acquiring banks and payment brands, such as the credit card companies. The PCI Security Standards Council (SSC) does not evaluate compliance directly; rather, it approves vendors to conduct off-site scans for small- to medium-sized businesses. Beyond the SAQ, small and midsize firms must also provide an annual Attestation of Compliance showing that the correct self-assessment has been completed. Larger businesses must undergo annual on-site assessments by a Qualified Security Assessor (QSA) approved by the PCI SSC.
Achieving PCI compliance is one of the many merchant account services Bankcard Brokers offers to high-risk businesses. Our PCI compliance suite includes hardware and software tools, 24-hour monitoring for fraud, disputes, and retrieval notifications via email and text alerts, and more. With decades of experience in this area, we can help you reach higher levels of compliance quickly, ensuring your business’ continued success. CONTACT US TODAY for a review of your PCI compliance.