PCI compliance is of key importance for anyone who does business online; in fact, PCI compliance is mandatory for such businesses.
What is PCI Compliance?
PCI compliance refers to complying with PCI DSS (the Payment Card Industry Data Security Standard), the set of standards for companies of any size that accept card transactions. Thus, for any company that accepts card-based transactions and stores cardholder data as part of those transactions, it’s always good practice to secure that data by being PCI compliant. The objective is to protect sensitive consumer information, including credit card numbers and other credentials. These security standards were first set up in December 2004; they have been updated regularly since, and we now have PCI DSS 3.2, which was released on April 28, 2016.
Every business that deals with card transactions must be PCI compliant. Failing to do so could lead to penalties and it would also do harm to the reputation of the business.
There are some basic, important facts about PCI compliance that need to be understood well. Here’s a look at five of the most notable things that every entrepreneur dealing with card payments needs to know about PCI compliance…
The responsibility is yours!!!
If you run a business that handles card transactions (even if it’s just one card transaction), the responsibility is yours. It’s you who must ensure PCI compliance; you need to learn and understand the regulations and adhere to them. Similarly, it’s your responsibility to ensure the compliance of the vendors who provide your business with software and services. You are also responsible for the compliance of any company whose services you hire, for example third-party companies that process card payments for your business.
It’s an ongoing process…
PCI compliance is an ongoing process. Today, when cyber-criminals adopt the latest technologies and change their modes of operation very quickly, it becomes important for an entrepreneur to stay up to date and compliant at all times. PCI DSS compliance is therefore not a one-time exercise but an ongoing process that must be continuously maintained as the standard is updated.
The volume of transactions you process annually decides the level of security required
The level of security and compliance required is decided by the volume of card transactions that you process annually:

- Level 1 is for merchants who process over 6 million transactions annually. They need to undergo quarterly network scans by an Approved Scanning Vendor (ASV) and an annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA). They should also complete an internal report, a penetration test, and an Attestation of Compliance form.
- Level 2 is for businesses that process about 1,000,000 to 6,000,000 transactions annually. They must complete an annual Self-Assessment Questionnaire (PCI SAQ), an on-site assessment conducted by a PCI SSC-approved Qualified Security Assessor (QSA), quarterly network scans, an Attestation of Compliance form, penetration testing, etc.
- Level 3 is for merchants who process between 20,000 and 1,000,000 transactions annually, and Level 4 is for merchants processing fewer than 20,000 transactions annually. They should complete an annual PCI SAQ, quarterly network scans, and an Attestation of Compliance form, plus penetration testing or an internal scan.
Multi-factor authentication is a must for system administrators accessing the CDE
PCI DSS 3.2 has made multi-factor authentication a must for any system administrator who has access to a Cardholder Data Environment (CDE). Multi-factor authentication was already required for remote access; now it is required for any person with non-console administrative access to the systems handling card data. Organizations must comply with this by February 1, 2018.
PCI DSS 3.2 incorporates DESV criteria for service providers
PCI DSS 3.2 has incorporated the DESV (Designated Entities Supplemental Validation) criteria for service providers, under which they should fulfill the following requirements:
- They should demonstrate that they have a detection mechanism in place.
- They must conduct penetration tests on the segmentation of the network at least twice a year.
- They must run quarterly checks to ensure that their teams follow security policies and procedures.
- Their executives should demonstrate an understanding of PCI DSS.