What is PCI-DSS compliance?

Jelle van Schaick

PCI-DSS stands for Payment Card Industry Data Security Standard. The standard sets out rules for how credit and debit card information must be secured, and it defines the security policies, procedures and technical requirements that card-processing organisations have to meet. It was first published in December 2004 and has been maintained since 2006 by the PCI Security Standards Council, a joint effort by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. to increase the protection of cardholder data.

The aforementioned policies and requirements cover all aspects of storing, processing or transmitting card data, including front-end (checkout) and back-end (payment processing) systems where sensitive data can be at risk. The goal of PCI-DSS is to encourage companies in the development and use of safer methods for handling sensitive payment information. PCI DSS applies to every organisation that accepts, transmits or stores any cardholder data. It doesn't matter if they're small or large, or if their transaction volume is low. 

What is the PCI Security Standards Council?

Have you heard of the PCI Security Standards Council (PCI SSC)? PCI SSC is the body that sets and maintains the security standards for cardholder data. It publishes comprehensive standards that help businesses keep cardholder information secure at all times, together with the specifications, tools, validation programmes and support resources organisations need to comply with them. The standards also provide a framework for preventing security incidents, detecting them as they happen, and reacting appropriately.

PCI SSC has many different tools and resources available for businesses striving to be compliant:

  • The Payment Application Data Security Standard (PA-DSS) validated off-the-shelf payment applications, and its list of Validated Payment Applications (VPA) helped merchants choose software built for compliance and helped vendors develop it. PA-DSS was retired in October 2022 and replaced by the PCI Software Security Framework (SSF).
  • Self-Assessment Questionnaires (SAQs) are the way smaller merchants and service providers validate their PCI compliance. Several SAQ types exist, matched to how an organisation handles card data (for example, a fully outsourced e-commerce checkout needs a much shorter questionnaire than a merchant that stores card data itself). Working through the SAQ forces an organisation to review its processes against each requirement and identify gaps before an assessor or acquirer does.
  • The PIN Transaction Security (PTS) requirements apply to manufacturers of PIN-entry and point-of-interaction devices, which must have their devices tested against the PCI PTS standard and listed as approved. The Council urges merchants to use only approved payment terminals; the list of approved devices can be found on the PIN Transaction Security page.

PCI DSS Compliance levels

Compliance levels are not set by the PCI SSC but by the card brands (Visa and Mastercard publish the most widely used scheme) and are enforced through a merchant's acquiring bank. The level is determined by the number of credit and debit card transactions a merchant processes each year, and it dictates how compliance is validated: either an on-site assessment by a Qualified Security Assessor (QSA) that produces a Report on Compliance (ROC), or a Self-Assessment Questionnaire (SAQ), in both cases alongside external vulnerability scans by an Approved Scanning Vendor (ASV). A merchant that suffers a breach can be moved to Level 1 regardless of its transaction volume.

  • Level 1: You are a merchant that processes more than six million credit or debit card transactions each year. You are required to undergo an annual on-site assessment by a QSA (or by a qualified Internal Security Assessor, ISA) resulting in a Report on Compliance, and to have an ASV scan performed every quarter.
  • Level 2: If you process between one million and six million transactions annually, you complete an SAQ once a year and have an ASV scan performed every quarter.
  • Level 3: If you're a merchant who processes between 20,000 and one million e-commerce transactions annually, you complete an annual SAQ and have an ASV scan performed every quarter.
  • Level 4: If your business processes fewer than 20,000 e-commerce transactions annually (or up to one million transactions across all channels), you complete an annual SAQ and, where your acquirer requires it, quarterly ASV scans.

Service providers such as payment processors and gateways follow a separate two-level scheme in which Level 1 always requires an annual on-site assessment by a QSA.

PCI DSS requirements

The PCI Security Standards Council outlines 12 requirements for the handling of cardholder data and maintaining a secure network. There are six broader goals that enterprises must adhere to in order to become compliant with these standards.

Secure networks

  1. Install and maintain a firewall (network security controls) to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters: change every default credential and harden configurations before a system goes into service.

Secure cardholder data

  1. Protect stored cardholder data: keep only what the business needs, never store sensitive authentication data (full magnetic stripe, CVV, PIN) after authorisation, and render the primary account number unreadable wherever it is stored.
  2. Cardholder data must be encrypted with strong cryptography whenever it is transmitted across open, public networks.

Vulnerability management

  1. Anti-virus (anti-malware) software must be deployed, kept up to date and actively running on all systems commonly affected by malware, with its logs retained.
  2. Secure systems and applications must be developed and maintained: patch known vulnerabilities promptly, follow secure coding practices, and protect against external threats, internal misuse and operational failures.

Access control

  1. Access to cardholder data must be restricted on a "need to know" basis: each role gets the minimum access its job requires, and everything else is denied by default.
  2. Every person with computer access must be assigned a unique ID, so that every action on cardholder data can be traced to an individual; shared or generic accounts are not permitted.
  3. Physical access to cardholder data must be restricted: control who can enter areas and touch media (servers, backups, paper records, terminals) that hold card data.

Network monitoring and testing

  1. All access to network resources and cardholder data must be tracked and monitored, with audit logs that can reconstruct who did what and when.
  2. Security systems and processes must be regularly tested, including vulnerability scans and penetration tests. This not only assures that your company is finding potential issues before an attacker does, but also gives you a chance to find improvements.

Information security

  1. You need to maintain a policy that addresses information security for all personnel, including security awareness training and an incident response plan.

What if companies don’t comply with PCI standards?

The PCI SSC is an industry body, not a government regulator, and it does not itself levy fines. Non-compliance is enforced by the card brands through a merchant's acquiring bank: the brands fine the acquirer, which passes the fine on to the merchant, and the acquirer may also raise transaction fees, demand a forensic investigation after a breach, or terminate the merchant's ability to accept cards altogether. A breached merchant is additionally liable for card reissuance and fraud losses charged back through the same channel, and may face litigation and legal fees on top.

Figures of $500,000 and up per incident are commonly cited, but the real bill depends on the scale of the breach and the number of cards exposed. The negative implications of not complying are not just financial. Not complying may mean the loss of trust from major banking institutions, your third-party partners, and most importantly - your customers.

Intergiro can help with PCI DSS Compliance

Intergiro achieved Level 1 Service Provider certification in 2019. If you're not PCI compliant yet, we want to help: our API-based card programme lets you offer cards and accounts to your customers without having to go through the same pain as we did, and it is easy to integrate. Get in touch to learn more about Intergiro and our Banking as a Service solutions.