PCI Compliance

What is PCI DSS Compliance?

"PCI DSS" stands for Payment Card Industry (PCI) Data Security Standard (DSS). It was developed by the major card brands (Visa, MasterCard, American Express, Discover and JCB) in 2004 as a set of security requirements to help organizations that process card payments prevent credit card fraud, hacking and other types of card data breaches. Any company that stores, processes or transmits cardholder data must be PCI DSS compliant or risk losing the ability to accept credit card payments.

Merchants that process over 6 million Visa transactions per year (Level 1) are required to have an annual on-site assessment by a Qualified Security Assessor (QSA); service providers reach Level 1 at a much lower volume (300,000 Visa transactions per year under Visa's program). Level 1 represents only a small percentage of the merchants accepting credit cards. All other merchants are required to complete an annual Self-Assessment Questionnaire (SAQ) and, depending on how they handle card data, may also be required to submit a passing external vulnerability scan from an Approved Scanning Vendor (ASV) every quarter.

Who has to comply?

The card brands have made it clear that any entity that stores, processes or transmits cardholder data, regardless of its transaction volume, is required to comply with the PCI DSS requirements. Failure to comply may result in substantial fines or permanent expulsion from card acceptance programs. Recent studies on financial fraud indicate that attackers are increasingly targeting small commercial websites, which makes full compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) important for every merchant and service provider, not just the largest ones.

How do I comply?

A completed Self-Assessment Questionnaire (SAQ) is required annually. There are four SAQ validation types, and you choose the one that matches the way you process credit cards (for example, whether card data is handled only by a third party, only on stand-alone dial-up terminals, or on your own systems). The number of questions varies with the SAQ type, from 11 to 226. Once the applicable SAQ is completed and you have met all of its requirements, including written security policies, procedures, employee handouts and training materials covering the secure handling and processing of credit card data, you can complete your Attestation of Compliance (AOC). Some SAQ types also require an external vulnerability scan, depending on how card data is handled, processed and/or stored. If a scan is required, you must submit a passing scan from an Approved Scanning Vendor (ASV) every quarter in addition to completing the SAQ annually; a single failed scan or a missed quarter leaves you non-compliant for that period.

What happens if I am breached?

At the time of writing, 44 states have enacted some form of breach disclosure law. Most of these laws follow the basic tenets of California's original statute, enacted in 2002. Breached companies typically must promptly notify affected customers, usually in writing. They must also notify their processor, which in turn notifies the acquiring bank. At that point the payment brand, processor or bank may initiate a forensic investigation of the merchant to determine whether the merchant was in fact PCI DSS compliant at the time of the breach. A merchant that fails to disclose a known breach creates the appearance of complicity and may face criminal liability for concealing it.

If the forensic investigation concludes that the merchant was fully compliant at the time of the breach, the merchant has a reasonable defense and has demonstrated proper diligence in its card acceptance procedures. If the investigation shows that the merchant was not actually in compliance at the time of the breach, despite having previously submitted compliance validation documentation, the merchant is subject to large fines, penalties and actual damages, as well as the possible loss of its card acceptance privileges. Surviving the financial burden and reputational damage of a breach is hard enough; surviving as a business without a merchant account is harder still.

What do I do if I am compromised?

Visa publishes a 63-page document covering this topic, Visa Fraud Control and Investigations Procedures.

Merchants cannot rely on their bank, processor or vendors to make them PCI compliant, or even to inform them of their responsibilities. Merchants alone are responsible for their own compliance.

The Payment Card Industry Data Security Standard (PCI DSS) applies to every organization that handles credit or debit card information, including merchants and third-party service providers that store, process or transmit credit or debit card data. PCI compliance is not optional, and the penalties are high if your organization is breached or if your non-compliance becomes known to the card associations (Visa, MasterCard, American Express and Discover). Non-compliance puts your entire organization and your business at risk.

What you better know!

  • The PIN Entry Device (PED) problem affects older point-of-sale PEDs that are neither tamper-evident nor tamper-resistant, including models supplied by manufacturers such as VeriFone, Ingenico and Hypercom.

  • Migration of the PED Security Requirements, and the corresponding evaluation program, from Visa, MasterCard and JCB to the PCI Security Standards Council (PCI SSC) is in progress. The effective date of the PCI SSC PED Security Requirements is July 2007.

  • Approvals for new deployments of pre-PCI approved POS PEDs expire on December 31, 2007.

  • Is there a sunset date by which these devices must be removed from deployment? Visa has set a deadline of July 2010 for merchants to comply with the standard and remove the older PEDs.
