Swipe Right by Complying with PCI DSS
If your business accepts credit card payments, you may be required to meet the Payment Card Industry Data Security Standard, commonly known as PCI DSS. Meeting the requirements of this standard can be a somewhat non-intuitive process, and the latest Verizon Payment Security Report backs this up, stating that less than 28% of global organizations maintained full compliance with the PCI DSS. To help you cut through some of the complexity and confusion, the following frequently asked questions (FAQs) have been created to guide you through the compliance labyrinth.
What is PCI DSS?
- PCI DSS is a collection of security standards that were developed to ensure that businesses accepting, storing, processing, or transmitting payment card information maintain a secure environment.
Who created and administers PCI DSS?
- The standard is administered by the Payment Card Industry Security Standards Council (PCI SSC), an independent organization that was established by the major payment card brands (MasterCard, Visa, American Express, Discover, and JCB).
Why was PCI DSS established?
- The mission of PCI DSS is to enhance global payment account data security by developing standards and supporting services that drive education, awareness, and effective implementation by stakeholders.
Who needs to be compliant with PCI DSS?
- Compliance is required by any business that accepts, stores, or transmits cardholder data. Note: certain payment solutions process your transactions using their merchant ID (MID) instead of yours and may be an exception to this rule.
What are the benefits of being compliant with PCI DSS?
- By meeting the standard, you reduce the risk of a cardholder data breach. Additionally, compliance builds trust with clients and enhances your reputation for valuing data security.
Where can I obtain a copy of the standard?
- A copy of the latest version (3.2.1) of the PCI DSS standard can be found on the official PCI website: https://www.pcisecuritystandards.org/document_library.
Is there a new version of PCI DSS coming out soon?
- Yes. Version 4.0 of the PCI DSS is currently going through a request for comments (RFC) process and is nearing release. While the publication date of PCI DSS v4.0 is still being determined, the promise of an impending release should not dissuade businesses from using the current standard. According to the PCI SSC, a transition period to support migration from PCI DSS v3.2.1 to v4.0 will be provided, as well as time to meet any new future-dated requirements.
Who enforces PCI DSS?
- Payment brands and acquirers are responsible for enforcing compliance.
What are the penalties for non-compliance?
- The payment brands may penalize an acquiring bank upwards of tens of thousands per month for compliance violations, and these fines are typically passed downstream until they reach your business. In addition to the fines, your acquiring bank can terminate your relationship or increase your transaction fees.
What do I need to do to achieve compliance?
- Depending on the volume of transactions your business processes, it will be assigned a Merchant Level, ranging from Level 1 (these are typically larger companies with millions of transactions) to Level 4 (the vast majority of small and mid-sized businesses). Assuming your business falls into the Level 4 merchant category, the next step is to complete a self-assessment questionnaire to validate compliance on an annual basis.
What self-assessment questionnaire (SAQ) do I need to complete for my business?
- The appropriate SAQ is based on how you accept transactions (e.g., via your website, through a POS system, on-premises swipe devices, etc.). There are several versions of the SAQ that align with how your business handles transactions. For example, if your business has an e-commerce webpage and payments are accepted and processed by a third-party PCI-validated service provider, you would be required to complete an SAQ A. This questionnaire consists of a small number of questions and does not require scanning or penetration testing. At the other end of the range, SAQ D covers businesses that accept credit card payments and subsequently store the cardholder data electronically. This questionnaire has hundreds of additional questions and also requires quarterly scans and penetration testing.
What type of questions are on an SAQ?
- The questions are classified according to the 12 requirements of the data security standard. These requirements include protecting your system with firewalls, configuring passwords and settings, protecting stored cardholder data, encrypting transmission of cardholder data across open, public networks, using and regularly updating anti-virus software, regularly updating and patching systems, restricting access to cardholder data, assigning a unique ID to each person with computer access, restricting physical access to workplace and cardholder data, implementing logging and log management, conducting vulnerability scans and penetration tests, and documentation and risk assessments. Depending on the SAQ you are completing, you may not need to answer questions from each of the 12 requirements.
What are some helpful tips during the PCI compliance process?
- The compliance process is not a “get it and forget it” process. Once compliance is achieved, implement a plan to sustain compliance throughout the year.
- Where possible, minimize the number of ways you process credit card transactions and avoid storing cardholder data.
- Compliance is a complete team effort and not just an IT responsibility. When developing policies and procedures, be sure to involve each department that handles cardholder data.
- Training is essential to reducing the risk of compromise, so all applicable employees should receive guidance related to securing cardholder data.
- Have an incident response plan in place in the event cardholder data is compromised. Knowing what steps to take after an incident will greatly expedite the response and recovery process.
If you need assistance with the compliance process, are there certified professionals who can provide help?
- Yes. Payment Card Industry Professional (PCIP) and Qualified Security Assessor (QSA) are the official credentials that demonstrate a professional possesses the requisite knowledge and skill set.
To discuss how Citrin Cooperman can help your business become compliant with PCI DSS, contact Kevin Ricci at kricci@citrincooperman.com.