According to the Payment Card Industry (PCI) Security Standards Council, the PCI Data Security Standards (DSS) “…set the operational and technical requirements for organizations accepting or processing payment transactions, and for software developers and manufacturers of applications and devices used in those transactions.” Put simply, if your business handles credit card payments of any size or volume, then you must be PCI compliant.
What does that mean for your business?
Non-compliance can result in hefty monthly fees, credit card revocation, and even banks raising transaction costs or discontinuing business with you. If there is a data breach while you are non-compliant, then you could face even more fines.
How does a business become PCI compliant?
A business must complete an annual Self-Assessment Questionnaire (SAQ) and/or pass a quarterly PCI Security Scan. According to the PCI Security Standards, “All scans must be conducted by an ASV selected from the list of approved scanning vendors provided by the PCI Security Standards Council.”
If you want to complete the SAQ, the questionnaire has two components:
A set of questions corresponding to the PCI Data Security Standard requirements designed for service providers and merchants.
An Attestation of Compliance or certification that you are eligible to perform and have performed the appropriate Self-Assessment. An appropriate Attestation will be packaged with the questionnaire that you select.
The PCI Security Council maintains a list of questionnaires specific to the ways you handle credit card information.
How can my business maintain PCI compliance?
By using a payment processor that utilizes data encryption and tokenization, you can ensure that card data is protected at every stage of a transaction, so that credit card information is never stored in its original form. Tokenization creates a unique token that is used in transactions instead of the original credit card data. The PCI Security Council recommends not storing any sensitive credit card information on computers or paper. Utilizing a cloud-based payment gateway stores sensitive information off-site on PCI compliant servers.
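To make the tokenization idea concrete, here is an added illustration (not code from this page or from any payment processor) of a minimal token vault: the vault validates the card number, hands the merchant a random surrogate that keeps only the last four digits, and is the only component that can map the surrogate back. The vault's in-memory dictionary stands in for the encrypted, PCI-scoped store a real processor would use, and the keyed-hash lookup index is an assumption of this example.

```python
import hmac
import hashlib
import secrets

def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation for a primary account number (PAN)."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, d in enumerate(int(c) for c in reversed(pan)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Display form the merchant may keep alongside the token (last four only)."""
    return "*" * (len(pan) - 4) + pan[-4:]

class TokenVault:
    """Issues surrogate tokens for PANs; only the vault maps a token back.
    A dict stands in for the encrypted store inside the PCI-scoped environment."""
    def __init__(self) -> None:
        self._index_key = secrets.token_bytes(32)  # keys the PAN lookup index
        self._pan_by_token = {}
        self._token_by_index = {}

    def _index(self, pan: str) -> str:
        # keyed hash, so the de-duplication index never holds PANs in the clear
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:  # same PAN always yields the same token
            return self._token_by_index[idx]
        while True:
            # random digits with the last four kept for receipts; made to fail
            # Luhn so the token can never be mistaken for a real card number
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4)) + pan[-4:]
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        # only ever called inside the vault, e.g. when settling with the acquirer
        return self._pan_by_token[token]
```

The merchant's own systems store only the token and the masked PAN, which is what keeps them out of scope for storing cardholder data.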
PCI compliance is not easy for most businesses. The 2020 Verizon Payment Security Report found that “only 27.9% of surveyed organizations were able to achieve 100% compliance during their interim compliance validation.” The PCI Security Standards Council notes that “Forensic investigators have discovered that security controls deployed by organizations that had passed an assessment were often out of compliance when breaches occurred at a later date.” Furthermore, the 2019 Verizon Payment Security Report stated, “Despite good intentions, more than half of companies still struggle to design, implement and maintain a sustainable compliance program.”
To avoid the heavy penalties that follow a data breach, it is important to maintain your PCI compliance continuously, not just once a year. Gremlin Control can establish, manage, and maintain your PCI DSS compliance to make sure you are compliant from day one.