PCI compliance is a set of standards that governs the security of credit card transactions. It is a complicated process, but over time it has become easier to understand and implement as technology has progressed. In 2021, PCI will undergo changes that might make your job even harder than before. The need for data protection and encryption keeps growing in this age of cybercrime, so you will want to be prepared with everything necessary.
A PCI compliance checklist is a document that helps companies meet PCI compliance standards. It is broken down into sections, and each section has a corresponding set of questions.
PCI compliance means satisfying the 12 requirements of the Payment Card Industry Data Security Standard (PCI DSS). The PCI Security Standards Council is a non-profit organization created by the major payment card firms, such as Visa. Every firm that accepts credit cards must be PCI compliant to avoid penalties, fines, and even liability in the event of a data breach.
To achieve PCI compliance, you complete and submit, every year, a self-assessment questionnaire and an attestation of compliance supplied by the PCI Security Standards Council, together with internal and external vulnerability scans.
The PCI DSS has 12 requirements:
- Keep your company devices safe behind a firewall.
- Change vendor-supplied default passwords.
- Encrypt consumer data in transit.
- Keep your antivirus software up to date.
- Keep stored consumer data safe.
- Restrict access to customer data.
- Keep your systems and applications secure.
- Make cardholder data accessible only to those who need it.
- Create a unique ID for each individual who has access to a corporate computer.
- Track who has access to the network and who has access to customer information.
- Test data security on a regular basis.
- Maintain a data security policy.
Who Needs to Be PCI Compliant?
Everyone involved in payment processing must follow the PCI DSS requirements, including merchants, service providers, payment processors, and payment gateways. Unfortunately, many small and medium-sized businesses (SMBs) do not know how to defend themselves, which leaves them more exposed to data breaches than bigger, established firms.
Those 12 PCI DSS standards may be broken down into six key aims that small firms should adhere to in order to maintain PCI compliance:
- Keep your physical network safe.
- Keep customer information safe.
- Keep your internal network safe.
- Limit access to data to those with a legitimate need to know.
- Monitor and test your data security systems.
- Educate your employees on PCI compliance.
You’ll need firewalls for physical security, data security, improved technology (including a secure POS system), and the most up-to-date antivirus software to accomplish these goals.
How to Get Your Small Business PCI Compliant
Each year, you must submit the required self-assessment questionnaire (SAQ) and attestation of compliance (AoC), together with a completed vulnerability scan, to maintain PCI compliance. The steps to PCI compliance are described in detail below:
1. Figure out which PCI compliance level you fall under.
For organizations of all sizes, there are multiple levels of PCI compliance, each with its own set of criteria and recommendations. Although your merchant service provider or payment processor may offer some degree of PCI compliance, you must still take actions as a merchant. Determine which level applies to you first.
Most small brick-and-mortar businesses fall under Level 4. Small online businesses will most likely fall under Level 3. Establishing PCI compliance for online retailers involves a few extra steps, so make sure you understand what you will need.
2. Complete the Self-Assessment Questionnaire for PCI Compliance.
Under the PCI compliance standards, all small to medium-sized businesses (Level 4) that accept major credit cards must complete an SAQ. A chart on the official PCI DSS website helps you work out which one applies to you. Consider the following scenarios:
- You would fill out the SAQ-A if you operate an online company and utilize Shopify as your payment gateway and processor.
- The SAQ-C paperwork is required for a brick-and-mortar firm that employs a POS system and terminal, such as Lightspeed.
- SAQ-C-VT is necessary for manual input using a virtual terminal, such as when accepting phone orders or bills online.
[Image: one of the 16 pages of the SAQ-A. Image courtesy of the PCI Security Standards Council.]
3. Examine the Payment Technology You’re Using
While cloud users may be more vulnerable (according to Verizon, more than 20% of cyber-attacks target online applications), the benefits of utilizing the cloud to operate your company far outweigh the dangers, particularly because there are actions you can take to protect data.
To begin, you should choose a PCI-compliant payment gateway. Look for the option to establish specialized user accounts and logins when evaluating the tools and systems you use to manage your small company. Consumer data should only be accessible to those who need it, and you should be able to monitor who sees what. Other useful security measures include two-factor authentication and point-to-point encryption (P2PE), particularly because stolen credentials account for 27% of cyber-attacks, according to the Verizon research.
It is also critical to apply all of your vendor's security patches and upgrades as soon as possible; otherwise, you remain exposed to known weaknesses. Double-check your settings as well: nearly 50% of organizations never change their vendors' default settings.
4. Defining and documenting security and compliance procedures
Nearly 60% of small company owners do not think they will be targeted by cyber criminals, and 43% of SMBs do not have a cybersecurity strategy in place. Although you may not have a full-fledged data privacy team to assist with security, whoever is in charge of guaranteeing PCI compliance should also establish procedures for the rest of the company to follow.
It’s critical to describe your new PCI compliance procedures, why they’re necessary, and how your whole team can help. Maintain a policy to ensure that all employees are aware of the necessity of PCI compliance and what they should and should not do with customer information. (For example, instead of writing down client payment information, input it straight into the processor.)
Write a security policy and governance plan that shows how you will stay compliant in the future. As part of your data security governance, remember to check POS systems and card readers for physical tampering, not just their software.
5. Submit your Compliance Attestation
The AoC is the document that you (if you are self-assessing) or a qualified security assessor (QSA) use to certify your company's level of compliance. Fill out and sign the form, then submit it together with the SAQ and the scan results from the approved scanning vendor (ASV), which we cover below. Businesses must file an AoC every year.
The majority of these PCI compliance criteria are addressed when a merchant employs a third-party payment processor. You must, however, be aware of the requirements and adhere to environmental PCI compliance, which includes firewalls, strong passwords, and limiting access to cardholder data.
6. Use a vulnerability scan to demonstrate PCI compliance.
Depending on how you handle credit cards, you may have to pay for regular vulnerability scans by an ASV, a third-party business that performs quarterly vulnerability assessments to certify your PCI compliance. The ASV determines whether you are taking all reasonable precautions to protect consumer credit card and contact information.
What Is a Vulnerability Scan and How Does It Work?
An approved scanning vendor (ASV) conducts an external vulnerability scan to assess whether your network is secure and safe for customers. An ASV may also perform internal scans to discover vulnerabilities, but many merchants prefer to conduct those themselves using the appropriate self-assessment questionnaire (SAQ).
External scans probe your network from the outside, looking for flaws in your internet-facing firewalls; internal scans look for weaknesses inside your company's network, behind those firewalls. Both are required, but you can perform the internal scan yourself.
Each quarter, the ASV gives you a pass or fail result, which you must submit to the PCI DSS council. If you make any changes to your network, you will need to arrange a fresh scan, since even slight changes can cause a failure. For example, your internet service provider (ISP) may change your public IP address while your ASV is still scanning the old one, and the scan comes back as "host not identified."
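The "host not identified" failure above is easy to catch before the scan runs. The following script is an added example, not from this article or from the PCI Security Standards Council: it compares the public addresses you declared to the ASV last quarter with what the same hostnames resolve to today, and also flags a declared address that an external scanner could never reach. The hostnames, addresses and the offline resolver table are constructed sample data; in real use you would swap in live_resolver, which asks DNS.

```python
"""Pre-scan check of the external scan scope declared to an ASV.

Added example, not from the article or the PCI SSC: the hostnames, addresses
and the resolver hook are all constructed. It compares the public addresses
declared for the last quarterly scan with what the same hostnames resolve
to now, so that an address the ISP has changed is noticed before the scan
runs against the old one and fails with "host not identified".
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: scope exactly as it was declared to the ASV last quarter.
DECLARED_SCOPE: Dict[str, str] = {
    "shop.example.com": "203.0.113.10",
    "pos-gw.example.com": "203.0.113.11",
    "vpn.example.com": "192.168.1.5",   # RFC 1918 address: not reachable from outside
}

# Constructed sample: what those names resolve to today (the ISP renumbered one host).
CURRENT_RESOLUTION: Dict[str, Optional[str]] = {
    "shop.example.com": "203.0.113.10",
    "pos-gw.example.com": "198.51.100.7",
    "vpn.example.com": None,            # name no longer resolves at all
}

# Address ranges an external scanner can never reach: RFC 1918 plus loopback.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

Finding = Tuple[str, str, str]   # (hostname, issue code, detail)


def live_resolver(hostname: str) -> Optional[str]:
    """Production resolver: ask DNS. The sample run below injects a fake one instead."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def sample_resolver(hostname: str) -> Optional[str]:
    """Offline stand-in for live_resolver, backed by the constructed table."""
    return CURRENT_RESOLUTION.get(hostname)


def check_scope(declared: Dict[str, str],
                resolver: Callable[[str], Optional[str]]) -> List[Finding]:
    """Return one finding per problem that would make the ASV scan fail or be mis-scoped."""
    findings: List[Finding] = []
    for host, declared_ip in declared.items():
        addr = ipaddress.ip_address(declared_ip)
        if any(addr in net for net in NON_ROUTABLE):
            findings.append((host, "not-public",
                             f"declared {declared_ip} is not reachable from the internet"))
        current = resolver(host)
        if current is None:
            findings.append((host, "unresolvable",
                             "name does not resolve; scan would report host not identified"))
        elif current != declared_ip:
            findings.append((host, "address-changed",
                             f"now {current}, declared {declared_ip}; update the scope first"))
    return findings


if __name__ == "__main__":
    for host, code, detail in check_scope(DECLARED_SCOPE, sample_resolver):
        print(f"{host}: {code}: {detail}")
```

Run it from a scheduled job a day or two before each quarterly scan window; an empty result means the declared scope still matches reality, and anything else means the scope must be corrected with the ASV before the scan is started.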
7. Submit Your PCI Compliance Documentation.
Gather all of your documentation, including a completed SAQ appropriate to your business type and confirmation of passing quarterly ASV external scans. You can send them to the PCI DSS council either electronically or by post.
8. Keep tabs on your systems and put them through their paces.
Data security and PCI compliance are not something you can turn on and forget about. It is critical to test your security measures regularly to make sure they are working properly. Only around half of companies effectively test their data security measures, and only two-thirds properly track and monitor system access.
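Tracking and monitoring system access, the weak spot the paragraph above points at, can be made routine with a small review script. The following is an added example, not code from this article: it parses access-log lines for reads of cardholder data and flags what the PCI DSS requirements on need-to-know access, unique IDs and access monitoring would want a reviewer to look at. The log format, the field names, the generic account names and the need-to-know list are all constructed assumptions; the sample log lines are made up.

```python
"""Periodic access review over cardholder-data access logs.

Added example, not from the article: the log format, field names, account
names and the need-to-know list are all constructed assumptions. It parses
the log, flags access that the PCI DSS requirements on restricted access
(need to know), unique IDs and access monitoring would want reviewed, and
builds a per-user summary for the review record.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample: one line per read of cardholder data from a hypothetical app log.
SAMPLE_LOG = """\
2024-03-04T10:15:02Z user=alice action=view_pan record=cust-1042 src=10.0.5.12
2024-03-04T10:17:45Z user=bob action=view_pan record=cust-2210 src=10.0.5.31
2024-03-04T10:20:11Z user=admin action=export_pan record=ALL src=10.0.5.99
2024-03-04T11:02:30Z user=carol action=view_pan record=cust-3301 src=10.0.5.44
2024-03-04T11:05:00Z user=alice action=view_pan record=cust-1042 src=10.0.5.12
2024-03-04T11:09:18Z this line is deliberately malformed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"record=(?P<record>\S+) src=(?P<src>\S+)$"
)

# Generic accounts that cannot be tied to one person (assumed list).
SHARED_ACCOUNTS: Set[str] = {"admin", "root", "pos", "shared", "service"}
# Actions that touch many records at once and deserve a second look (assumed).
BULK_ACTIONS: Set[str] = {"export_pan"}


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    action: str
    record: str
    src: str


Finding = Tuple[str, str, str]   # (timestamp, user, issue code)


def parse_log(text: str) -> Tuple[List[Event], int]:
    """Parse log lines; returns the events and the count of lines that did not parse."""
    events: List[Event] = []
    bad = 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(**m.groupdict()))
        elif line.strip():
            bad += 1   # a malformed line is itself worth noticing in a review
    return events, bad


def review_access(events: Iterable[Event],
                  need_to_know: Set[str]) -> Tuple[List[Finding], Dict[str, int]]:
    """Flag shared-account use, access outside the need-to-know list and bulk exports."""
    findings: List[Finding] = []
    per_user: Counter = Counter()
    for e in events:
        per_user[e.user] += 1
        if e.user in SHARED_ACCOUNTS:
            findings.append((e.ts, e.user, "shared-account"))
        elif e.user not in need_to_know:
            findings.append((e.ts, e.user, "not-need-to-know"))
        if e.action in BULK_ACTIONS:
            findings.append((e.ts, e.user, "bulk-export"))
    return findings, dict(per_user)


if __name__ == "__main__":
    evts, bad = parse_log(SAMPLE_LOG)
    found, summary = review_access(evts, need_to_know={"alice", "bob"})
    print(f"{len(evts)} events, {bad} malformed line(s)")
    for f in found:
        print("finding:", *f)
    print("per-user summary:", summary)
```

The need-to-know list is the same list you maintain for the "restrict access to cardholder data" requirement, so the review doubles as a check that the list is still accurate: a legitimate user who shows up as not-need-to-know means the list, not the user, needs fixing.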
PCI Compliance and Its Importance
Not only are all businesses vulnerable to data breaches, but customers are becoming more conscious of what merchants can do to secure their personal information. This has an impact on their purchasing choices.
According to one survey, 61 percent of consumers have become more aware of data privacy in the past year, 42 percent believe businesses should disclose PCI compliance and data security practices to customers, and 39 percent would choose a competitor if a company did not respect their data privacy settings. Even worse, over 70% of people would avoid doing business with a firm following a data breach.
According to recent research by PwC, 60% of customers expect a data breach from organizations that hold their personal information, and it is understandable that they feel that way: many businesses, especially small and medium-sized ones, face significant hurdles when it comes to data security.
Furthermore, many organizations are unsure whether they are PCI compliant. A cybercriminal can obtain valuable credit card data by exploiting known weaknesses in websites, firewalls, and unsecured remote access. Consider the recent Equifax data breach, which exposed over 182,000 credit card details. Credit card firms, banks, and small businesses all suffer as a result of such a breach.
Compliance Trends
PCI compliance rates have been tracked for quite some time. Despite large increases in the early part of the decade, compliance has since fallen. According to the Verizon 2020 Payment Security Report, only around a quarter of organizations are fully PCI compliant, down about 9% from the previous year and 27.5 percent from 2016.
Costs of PCI Compliance
You may be charged a variety of fees to guarantee that your company is PCI compliant. These fees may be monthly or yearly, and they can cost anything from $10 to hundreds of dollars each year. It is dependent on the service, the payment processor you use, and how you intend to manage AoC and vulnerability scans.
Payment processors like Square and Shopify, for example, don’t usually charge an additional cost for PCI compliance. Instead, they include compliance costs in your monthly or transaction fees. A compliance charge may be added to a regular merchant account, or it may be wrapped into a statement fee. In its pay-as-you-go plan, Chase Merchant Services, for example, does not charge for PCI compliance.
When you require a vulnerability scan or wish to employ a QSA, you may expect to pay PCI compliance fees:
- ASV scans: Annual vulnerability scans of your corporate environment, such as firewalls, the internet, and so on, are normally priced at a rate of $200 to $1,000.
- QSA service: For PCI compliance, merchants with many locations may choose to employ a QSA; rates start at $10,000 and vary depending on the number of locations and network complexity.
PCI compliance costs are standard, since they go toward keeping data servers updated and maintained and ensuring that all data protection is in place. Your payment processor, payment gateway, or service provider handles data transmission and storage, so it is a vital and required cost, however it is calculated.
Because PCI compliance is a collection of guidelines rather than a set of laws, it is governed by credit card companies. So, if you don’t comply, what’s the worst-case scenario? Consider the following options:
- PCI noncompliance fee: You will pay $19.95 (or more) per month until you can prove your business is PCI compliant. Although the charge appears to come from your payment processor, it actually comes from the credit card companies, and some processors charge more, so fill out your SAQ and submit your paperwork to avoid this fee.
- A security breach happens and exposes customer data; your records reveal noncompliance; you are fined $5,000 to $100,000 for each month of noncompliance.
- PCI noncompliance and revocation: Your acquiring bank suspends your ability to accept credit cards, potentially putting your company out of business.
It’s worth noting that the average financial loss caused by cybercrime climbed from $1.4 million in 2018 to $13.0 million a year later. According to a recent security analysis, cybercrime will cost $945 billion globally in 2020.
If you have a data breach, you risk losing your customers’ confidence. According to a BrizFeel poll from 2021, three-quarters of online buyers prefer to purchase from major merchants because they feel they take security more seriously. Consumers are well aware of security risks and data breaches, with 79% of Americans concerned about their personal information.
Conclusion
It’s critical to take PCI compliance seriously and control it yourself. Don’t believe you’re off the hook simply because your payment processor is compliant. Follow the recommendations and keep an eye out for any updates on the official website. As data security improves, so do the PCI compliance standards.