Getting started with the PCI Data Security Standard

PCI security for merchants is the vital result of applying the information security best practices in the PCI DSS. The standard includes 12 requirements for any business that stores, process or transmits payment cardholder data. These requirements specify the framework for a secure payments environment; for purposes of PCI compliance, their essence is three steps: Assess, Remediate and Report.

To Assess is to take an inventory of your IT assets and business processes for payment card processing and analyze them for vulnerabilities that could expose cardholder data. To Remediate is the process of fixing those vulnerabilities. To Report entails compiling records required by PCI DSS to validate remediation and submitting compliance reports to the acquiring bank and global payment brands you do business with. Carrying out these three steps is an ongoing process for continuous compliance with the PCI DSS requirements.

Why Comply with PCI Security Standards?

Compliance with data security standards can bring major benefits to businesses of all sizes, while failure to comply can have serious and long-term negative consequences.

  • Compliance with the PCI DSS means that your systems are secure, and customers can trust you with their sensitive payment card information.
  • Compliance improves your reputation with acquirers and payment brands – the partners you need in order to do business.
  • Compliance is an ongoing process, not a one-time event. It helps prevent security breaches and theft of payment card data not just today, but in the future.
  • But if you are not compliant, account data breaches can lead to catastrophic loss of sales, relationships and standing in your community.
  • Possible negative consequences also include:

    - Lawsuits
    - Insurance claims
    - Cancelled accounts
    - Payment card issuer fines
    - Government fines

WHY SECURE? – PCI DSS for Small Merchants

More than 340 million computer records containing sensitive personal information have been involved in security breaches in the U.S. since 2005. Now criminals are shifting sights to small merchants because many have lax security for cardholder data. More than 80% of attacks target small merchants.

As a small merchant, you face the potential of many negative forces from a breach of cardholder data:
  • Fines and penalties
  • Termination of ability to accept payment cards
  • Loss sales
  • Cost of reissuing new payment cards
  • Legal cost, settlements and judgments
  • Fraud losses
  • Higher subsequent cost of compliance
  • Going out of business

What data thieves are after: The object of desire is cardholder data. By obtaining the Primary Account Number (PAN) and sensitive authentication data, a thief can impersonate the cardholder, use the card, and steal the cardholder’s identity.

Sensitive cardholder data can be stolen from many places:
  • Compromised card reader
  • Paper stored in a filing cabinet
  • Data in a payment system database
  • Hidden camera recording entry of authentication data
  • Secret tap into your store’s wireless or wired network

WHAT TO SECURE? – Focus on protecting cardholder data under your control

Merchant are responsible for protecting cardholder data at the point of sale, and as it flows into the payment system. The best step you can take is to not store any cardholder data. Compliance with the PCI standard includes protecting:
  • Card readers
  • Point of sale systems
  • Store networks & wireless access routers
  • Payment card data storage and transmission
  • Payment card data stored in paper-based records

HOW TO SECURE? – Evaluate with a Self-Assessment Questionnaire plus PCI ongoing 3-steps process

Most small merchants can use a self-validation tool to assess security for cardholder data. The tool includes a short list of yes-or-no questions for compliance. Click on the Self-Assessment Questionnaire number that best describes how merchant accept payment cards.

SAQ How do you accept payment cards?
A Card-not-present (e-commerce or mail-order/telephone-order) merchants, all cardholder data functions outsources. This would never apply to face-to-face merchants.
B Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage.
C-VT Merchants using only web-based virtual terminals, no electronic cardholder data storage.
C Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.
D All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ.

PCI: Ongoing 3-Step process

  • Assess:
    Identifying cardholder data, taking an inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities.

  • Remediate:
    Fixing vulnerabilities and not storing cardholder data unless you need it.

  • Report:
    Compiling and submitting required reports to the acquiring bank and card brands you do business with.