Security & PCI Compliance

We Keep Your Data and Information Safe

What is PCI Compliance?

The Payment Card Industry (PCI) consists of all organizations that store, process or transmit cardholder data. The Payment Card Industry Security Standards Council (PCI SSC) is the governing body over the PCI and consists of the major card brands: Visa International, Mastercard Worldwide, Discover Financial Services, American Express, and Japan Credit Bureau (JCB).

Prior to the establishment of the PCI SSC, each major card brand established its own individual security standards in response to credit fraud in the late 1980s and 1990s. The growth of the internet and e-commerce capabilities in the early 2000s resulted in an explosion of card fraud, which was a catalyst for the major card brands to establish a unified approach to card data security. Thus, the PCI SSC was established on Sept 7, 2006. The standards that were put in place, known as PCI Compliance, are now required annually of all organizations involved in the handling, processing, management or storage of cardholder data.

Since 2006, the PCI SSC's resulting Data Security Standard (PCI DSS) has assisted merchants globally with best practices to better secure customer cardholder data, with updates to the PCI DSS published as the standard evolves. With each new iteration of the standard, the PCI SSC addresses changes in risks and technologies to ensure merchants are well equipped to handle the data security risks that may affect them.

Why is PCI Compliance Important?

PCI Compliance is important to us all.
As data breaches increase each year, it is imperative that both merchants and customers perform due diligence to ensure they are not enabling cybercriminal activity. Data breaches increase global economic losses and raise the cost of doing business for everyone. For many Small and Medium-Sized Business (SMB) organizations, a data breach can mean the loss of revenue, brand reputation and, in many cases, the loss of the business altogether due to all associated costs.

FACT: 3 out of 4 data breaches involve SMB organizations.

Meeting and maintaining PCI compliance standards for your organization will benefit you in many ways. Through the PCI compliance process your organization is better educated and equipped with a strong data security foundation. You will learn best practices (based on how you handle and process cardholder data) to ensure you are not an easy target for cybercriminals. Becoming PCI compliant demonstrates your commitment to protect your customers from identity theft and fraud. Perhaps more importantly, PCI compliance is a demonstration of your commitment as a business owner to protect your investments, hard work and brand reputation.

Getting Started

The steps to becoming PCI compliant begin with a willingness to learn, along with an understanding of what PCI compliance is and is not. PCI compliance is not a guarantee that you will never have a data breach, and it is not simply checking a couple of boxes on a few forms. PCI compliance is implementing layers of security that make it increasingly difficult for cybercriminals should they attempt to attack you.

To become PCI compliant you must follow these steps:

  • Communicate clearly with your acquiring bank to understand specific deadlines for compliance and required reporting processes.
  • Understand all of the ways your organization interacts with cardholder data. For example, how does your organization handle and process credit cards? Are you storing credit card information?
  • Gather contact information for all of your third parties that are involved in the handling, processing, or storage of your customers' cardholder data. This may include POS vendors, web hosts, data centers, etc.
  • Understand how many individual credit card transactions your organization processes annually (per card brand) and what merchant level your organization falls under. This information, along with your methods of interacting with cardholder data, helps determine which requirements you will need to validate for compliance.
  • Contact Protocol to provide a thorough review of your PCI compliance needs.

Frequently Asked Questions

PCI FAQS

Where do I log-in to complete my PCI Compliance Validation?

You can log in to PCI Toolkit to complete your PCI Compliance Validation.

What is PCI compliance?

PCI compliance is an annual security validation requirement for all organizations involved in handling, processing, or storage of cardholder data.

Who does PCI compliance apply to?

PCI Compliance applies to all organizations involved in the handling, processing or storage of cardholder data.

Where can I find more information about PCI DSS?

More information is available through the PCI SSC’s website which you can visit here:

pcisecuritystandards.org/pci_security

How do I determine what requirements apply to my organization?

More information about PCI compliance is available by visiting the PCI’s website here: https://www.pcisecuritystandards.org/pci_security/. It is important that you speak with a PCI authorized security organization, such as Protocol, who can provide a more detailed assessment of your organization’s overall data security needs.

Why is PCI compliance important?

By becoming PCI compliant, organizations create layers of security, making it more difficult for cybercriminals to take advantage of them. Merchants owe it to their customers and themselves to ensure safety of their data.

How long has PCI DSS been around?

PCI DSS requirements have been in existence since 2006.

How do I know if a data security organization is qualified to help my organization with PCI compliance?

The PCI SSC maintains a database of organizations, such as Protocol, that are authorized to help organizations with PCI compliance.

What happens if I choose to not comply with PCI DSS?

Failure to comply with PCI DSS may result in monthly fines from your acquiring bank, and more importantly, your organization and your customers are at risk by failing to secure sensitive data through non-compliance.

What are merchant levels?

All merchants fall into one of four merchant levels designated by the specific card brands, based on the number of individual card transactions over a 12-month period.

What do the terms SAQ, QSA, ISA mean?

1. SAQ (Self-Assessment Questionnaire): merchants that qualify for self-assessing their annual PCI compliance can use the specific SAQ that matches their credit card handling, processing and storage methods.

2. QSA/ISA (Qualified Security Assessor/Internal Security Assessor): merchants that do not qualify for self-assessing PCI compliance are required to use a PCI certified QSA or an ISA (sponsored by the merchant organization seeking compliance).

What is a QIR?

QIR stands for Qualified Integrators and Resellers. In other words, it is any company that has a professional with a QIR certification. A QIR verifies that your POS hardware and software are secure at each location where you take a payment. This became a requirement on January 31, 2017.

What is the Visa small merchant security validation requirement mandate?

In an effort to mitigate small merchant data breaches, and in addition to regular PCI compliance requirements, Visa requires that all level 4 merchants use only PCI-QIR certified professionals for POS application and terminal installation and integration. This became a requirement on January 31, 2017.

What is cardholder data and sensitive authentication data?

The PCI Security Standards Council (SSC) defines cardholder data as the full Primary Account Number (PAN) or the full PAN along with any of the following elements:

  • Cardholder name
  • Expiration date
  • Service code

Sensitive Authentication Data includes full magnetic stripe data and the card verification values (CAV2, CVC2, CVV2).

What is an AOC?

Each merchant is required to complete and sign an annual Attestation of Compliance (AOC) document as part of their PCI compliance.

How often do I need to validate PCI compliance?

PCI compliance must be validated annually on a rolling basis. For example, if you submit your PCI compliance in the month of June, you will need to resubmit PCI compliance in June of the following year. If changes are made to your network, it is best to revisit PCI compliance based on the new environment changes to ensure the security of the environment.

Do I have to use PCI compliant partners?

The PCI SSC strongly suggests using PCI compliant third party partners. Failure to use PCI compliant partners adds risk and additional requirements to become PCI compliant, as well as potential fees and fines.

What should I do if I suspect my organization has been compromised?

If you suspect you have been compromised follow these steps:

  1. Do not access, remove, turn off or restart the compromised system. Isolate the system from the rest of the network.
  2. Disconnect all remote VPN connections into the network.
  3. Contact your acquirer as soon as possible to inform them of the potential compromise. Contact your PCI compliance provider as well.
  4. Do not destroy or tamper with potential evidence. Hold on to all data drives, systems and devices; do not dispose of anything that might be deemed evidence or part of a potential forensic investigation.