PCI compliance guide for retailers

PCI compliance is a set of proprietary standards and payment security best practices issued on September 7, 2006, by the Security Standards Council including 5 members:

• MasterCard
• Visa
• American Express
• JCB International
• Discover Financial Services

These policies are designed to ensure that a customer’s credit card is safe and secure, with the goal of minimizing any potential breach of data by hackers or criminals throughout transaction processes. By being PCI compliant, you contribute to an international payment card data security measurement to maintain a secure environment for participating companies.

Doing business in retail means that fraud is probably happening somewhere, like someone using stolen credit cards to make purchases. Many retailers spend plenty of valuable time reviewing data from POS terminals to look for cardholder data breaches. When complying with the PCI SSC, you have an ongoing process that prevents theft of payment card data now and in the future. This leads to long-term benefits:

• Improve enterprise security and the efficiency of your IT infrastructure
• Improve your reputation with payment brands, acquirers, and purchasing partners
• Increase customer trust and repeat purchases

PCI DSS applies to ALL companies that accept, store or transmit any cardholder data, regardless of your transaction volume and business size. Here are some PCI compliance frequently asked questions:

Does PCI DSS still apply to my company if I only accept credit cards over the phone?

Yes. Remember that all businesses that accept card payment methods must comply with PCI DSS. Otherwise, in the event that your company’s data is breached and your customer information is vulnerable, you’ll be held liable.

Will PCI compliance apply to my company if we don’t store any credit card data?

If you accept debit or credit cards as payment methods, PCI compliance still applies to your company. It’s just easier to become compliant in case you don’t store card data. While you don’t store card data, you’ll still need to prove your status (not handle cardholder data) in a SAQ form. We’ll explain it in the next part.

Although PCI DSS isn’t part of any law, it’s a series of regulations used worldwide, which comes with specific costs and penalties for companies that fail to apply the requirements. For PCI compliance violations, payment brands can fine your acquiring bank $5,000–100,000/month at their discretion.

• Your bank will pass this fine to you in the end.
• In addition, the bank may either increase transaction fees or terminate its relationship with your business.

Those penalties aren’t widely publicized and discussed, but they can be disastrous for any business. Thus, you need to keep track of your risk exposure for such cases in your merchant account agreement.

Step 1. Understand 12 PCI compliance requirements

To achieve the PCI compliance certification, you need to comply with 12 requirements, which are spread across 6 broader objectives. Please note that they are general requirements for all merchants, regardless of business sizes and transaction volumes.

Step 2. Identify your business level of compliance

There are 4 levels of compliance depending on the volume of your annual transactions. By convention, merchants at level 4 handle the smallest number of annual transactions, and merchants at level 1 handle the largest number of annual transactions:

• Level 4: Under 20,000 transactions per year
• Level 3: 20,000 – 1 million transactions per year
• Level 2: 1 million – 6 million transactions per year
• Level 1: Over 6 million transactions per year

We’ll clarify different requirements for merchants of each level in step 3.

Step 3. Complete a Self-Assessment Questionnaire

The main difference lies in the requirements for the certification of each level. While the level 4 certification only requires a self-assessment, the level 1 certificate requires an audit handled by a Qualified Security Assessor (QSA).

If you are a Level 2, 3, or 4 merchant or service provider:

• You’ll need to complete a Self-Assessment Questionnaire (SAQ) to assess the security of cardholder data. It includes a set of YES/NO questions for the PCI-DSS requirements.
• After completing the SAQ, you need to fill out the Certificate of Compliance (AOC), which is a form that attests to the results of a PCI compliance assessment.

If you are a Level 1 merchant or service provider:

• You need an additional document called a Report of Compliance (ROC)
• At level 1, both the AOC and ROC need to be performed by a PCI QSA certified after a PCI compliance audit.

You can find templates of all current PCI DSS on the PCI Security Standards Council website.

At this step, you might find that your business fails some requirements. If so, you’ll have to make necessary changes and improvements to your cardholder data security environment. When it’s done, you can start taking the SAQ again.

After submitting all the document applications, you need to wait for the review process and prepare for the PCI DSS compliance cost. This cost varies by many factors, including:

• Environment structure and networking technologies
• Cardholder data and transaction volume
• Risk levels
• Number and types of systems
• Number and types of devices
• Number of staff members, processes, and departments
• Business type and levels
• Security culture

After having PCI certification, you need to take frequent PCI vulnerability scans for vulnerabilities and security threats in your application. PCI scanning protects you from some of the most common web application attacks, including:

• SQL Injections — an unauthorized insertion of a SQL query into your application and website. From there, attackers can read confidential data from the database, perform malicious operations, or modify the underlying data.
• Cross-site scripting (XSS) — the most common vulnerabilities in applications and websites, which allows attackers to execute scripts in a customer’s browser. It redirects your customers to a malicious website or carries out violation activities like stealing cookies.

The PCI compliance scan represents requirement 11 of the PCI DSS standard, which focuses on network and application security. According to the requirement, you must run scans at least every 90 days and need to hire PCI Approved Scan Providers, or Approved Scanning Vendors (ASVs) to conduct your PCI compliance scans. Based on the scan results, you can create reports for certification and submit this summary to your acquiring banks directly via your vendor’s scanner system.

• For failed scans, you need to immediately resolve all identified issues.
• Within these 90 days, whenever you change something in your sites and apps (fix previously detected issues, install new hardware, or update firewall), you’ll need to rerun the scan to ensure there isn’t any new security risk.
• If you do not conduct regular PCI scans, you will be fined and may be unable to to accept credit cards due to losing your merchant status.

Performing regular PCI compliance scans may require a lot of your business resources. However, it’s better than being attacked. Your company will lose its reputation and financial status, especially closing your business for legal issues.

You may find that getting certified and compliant with PCI requirements leads to many struggles. Many merchants complain it’s too hard and too expensive.

The good news is that you can get rid of this whole certification process and paperwork by choosing a PCI DSS-compliant payment provider. It means that your payment service provider processes the whole payment transaction, so you won’t touch the customer’s card details. In other words, they take care of your PCI compliance burden.

Thus, most store owners prefer to work with payment providers because they don’t have to deal with all the PCI issues.

Your payment service provider will charge you a fee in exchange for services that help you meet PCI compliance requirements, including data breach insurance and security scans. Fees will vary from provider to provider:

• The most common way is charging an annual fee of $99–199 in January or February.
• Some providers will require a small monthly fee.

In a nutshell, PCI DSS compliance applies to all merchants that accept card payment methods to protect the security and privacy of sensitive card data. Remember that PCI compliance doesn’t take into account the size of your business or the transaction volume.

The road to PCI compliance can be technically complicated, but it’s worth the long road if you want to protect your customer data and your own reputation, which ensures your business grows in the future. The most important thing is retailers can choose a payment provider with PCI compliance, so you don’t have to obtain the compliance certification yourself.