PCI Compliance
The Payment Card Industry Data Security Standard (PCI DSS) is a set of technical and operational requirements issued by the PCI Security Standards Council to protect cardholder data. The Council is responsible for managing the PCI DSS, while compliance with the PCI DSS is enforced by the founding members of the Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.
The PCI DSS applies to all organizations that store, process or transmit cardholder data. EVERY business that accepts card payments and stores, processes or transmits payment card data MUST MEET the PCI DSS.
PCI compliance is no longer a suggestion—it’s a necessary evil if you accept credit cards. According to the Federal Trade Commission, as of 2008, nearly one-fourth of all identity theft cases involved a credit card. Reports of data theft are rampant, including a recent case involving 130 million credit and debit card numbers. Now, more than ever, you need to reassure your customers you’re taking every precaution when it comes to securing their personal information.
PCI Compliance: Frequently Asked Questions
How does PCI compliance affect my business?
If you accept credit cards as a form of payment, you are required to be compliant with the PCI DSS. In most cases, smaller merchants can achieve compliance by using compliant shopping carts and payment gateway services. If, however, you choose to collect and store credit card data as part of your business, you’ll need to carefully consider the requirements of the PCI DSS.
Larger volume merchants (more than 20,000 credit card transactions annually) will need to complete some specific validation requirements to demonstrate compliance with the PCI DSS. The requirements range from filling out a self-assessment questionnaire to an onsite audit from a qualified auditor.
My annual sales are very small. Do I still have to comply with PCI?
Every merchant that accepts credit cards must comply with PCI, but smaller merchants often achieve compliance by using compliant services. If you don’t store, transmit or process any credit card data, then your systems are out of scope for PCI DSS compliance.
How do I know if my business is PCI compliant?
Do you store, transmit or process credit card data? If the answer is yes, then you are required to fill out a self-assessment questionnaire to demonstrate PCI compliance. You may be required to perform other work to demonstrate compliance depending on your merchant level.
If you do not store, transmit or process credit card data, but do accept credit cards through a payment gateway or merchant account provider, then you should validate whether your providers are PCI compliant.
What happens if my business is not PCI compliant?
If your business is not PCI compliant there are various measures that the card brands can take, ranging from warnings and monetary fines to revoking your ability to process transactions entirely. More importantly, the PCI DSS allows you to assure your customers that you’re protecting their credit card data appropriately.
If my business is PCI compliant, does it reduce my insurance liability?
Generally, no. If you’re not compliant and experience a breach, however, you can be open to legal action from the affected customers.
Here are the most common PCI compliance myths:
- PCI compliance doesn’t apply to me. Do you accept credit cards? Then PCI compliance applies to you. The five major payment brands have collectively adopted PCI DSS as the requirement for any organization that processes, stores or transmits cardholder data. This includes home-based businesses—and these may be the most vulnerable because they are typically not well protected, owners often have broadband connections that are always “on,” and many use chat functions. In hacker-speak, that spells prime target.
- I only process a small number of transactions, so it’s not necessary. All merchants that accept cards, regardless of company size or number of transactions, need to be PCI compliant.
- I only display the last four digits of the account number, so I’m compliant. There are 12 requirements that define a basic level of security. Doing some, or none, simply won’t fly. One-hundred percent is required for compliance.
- I completed the questionnaire and scan (if applicable), so I’m done. Beware of one-time, band-aid solutions, such as a free scan. Scans are required quarterly. Plus, many services don’t include the Self-Assessment Questionnaire (SAQ), which is a requirement for all merchants.
- Breaches only happen to large retailers. While it may seem that way based on media coverage, the reality is that small- to medium-size merchants are more frequent targets. In general, these merchants are also more vulnerable since most have less sophisticated technology and security measures. And remember, you not only face external threats from hackers, but internal ones from employees who obtain files they shouldn’t.
What if I Don’t Comply?
For starters, look out for a $19.95 monthly fine for every month you don’t comply. If fined, chances are great the bank will either terminate your relationship or increase transaction fees. Card replacement fees range from $50 to $90 per card. You can also expect costly remediation if a breach occurs while you are not compliant. Brand and reputation damage are difficult to measure, but can devastate a small business. Suffice it to say, the penalties can be catastrophic.
Can I Do it Myself?
Achieving compliance isn’t some kind of super-human feat; unfortunately, the volumes of information (and misinformation) you must sort through can make it feel like one. Can you do it yourself? Sure. But a better question is how much time you’re willing (and can afford) to spend sorting through 10-pound documents and making phone calls to multiple vendors.
Google “PCI compliance” and you’ll get almost 2 million search results. And, unfortunately, you don’t have a lot of time to sift through all of that data—technically, you’ve already missed the first deadline for compliance.
Plus, PCI compliance is an on-going process that requires managing your SAQ and scan deadlines, and keeping up with changing regulations. And, any location with a unique merchant ID must comply as a separate entity—so, if you own multiple locations, the time can really add up. According to reports from Kark and Forrester Research, compliance is constantly changing and “if you are compliant today, it doesn’t necessarily mean you will be compliant tomorrow.”
The moral of the story is that PCI compliance is real, and will evolve to keep up with the evil lurking in the hearts of relentless hackers. That’s as good an argument as any for finding a trusted partner such as Security Metrics that is willing to scan your network in a single keystroke to keep you and your customers safe today—and tomorrow.
Here’s a breakdown of 4 Merchant Levels, and what is required for PCI DSS Compliance for each level:
Level 1 is any merchant that does over 6,000,000 transactions a year. Basically you need to bring an assessor on-site called a QSA to evaluate your security and create an in-depth Report On Compliance for you. Quarterly PCI Scans are also required.
Level 2 is any merchant that does between 1,000,000 and 6,000,000 transactions a year. In lieu of a full Report On Compliance, the PCI Council allows Level 2 merchants to complete a Self-Assessment Questionnaire (SAQ) instead. Quarterly PCI Scans are also required. Level 2 merchants also have an extra one-page form, which takes about 5 minutes to fill out and basically states that they don’t keep certain types of credit card information on file.
Level 3 is any merchant that does between 20,000 and 1,000,000 transactions a year. In lieu of a full Report On Compliance, the PCI Council allows Level 3 merchants to complete a Self-Assessment Questionnaire (SAQ) instead. Quarterly PCI Scans are also required.
Level 4 is any merchant that does between 1 and 20,000 transactions a year. In lieu of a full Report On Compliance, the PCI Council allows Level 4 merchants to complete a Self-Assessment Questionnaire (SAQ) instead. Quarterly PCI Scans are also required.
As you can see, the requirements for Levels 2-4 are all basically the same (except the extra form for Level 2). For all three levels, you essentially need to get quarterly PCI Scans performed by an Approved Scanning Vendor (ASV), and you also need to complete an annual Self-Assessment Questionnaire (SAQ). Additionally, you may be able to simplify the process if your business doesn’t store any credit cards on your server. If you store your credit cards with your Payment Gateway Provider like Authorize.net, LinkPoint, PayPal, etc., the SAQ is a breeze. If you store credit cards on your own server, then the SAQ gets much more complicated.
Once you’ve completed your PCI Scan and SAQ, then you’re ready to submit these documents to your acquirer. If you’re a Level 4 merchant, depending on your acquirer and when you signed up, you may be able to have the quarterly scan requirement waived (due to certain PCI grandfather clauses), although with the new PCI 1.2 standards implemented on October 1st, 2008 for all new merchants, more and more acquirers are requiring quarterly scans.