With Boxing Day now in our rear-view mirrors, it’s a good time to chat about online security. Do you own an e-commerce site? Does your company accept credit card payments in any form? If so, we hope you had a fantastic run-up to Christmas and an equally terrific Boxing Day blowout.
If you’re already doing business on the web, you’re probably aware of Payment Card Industry compliance (also known as PCI compliance). Whether you like it or not, it’s here to stay, so you’re going to want to understand the rules. And once you achieve PCI compliance, tell the world: it takes real effort, and being able to say your organization is fully compliant is a selling point. If you can’t, you’re going to miss out on future online e-commerce traffic that ought to come your way.
First off, here is a simple breakdown of the “whats” and “hows” of PCI compliance to get you started on your research:
1. How It All Began: A Quick Historical Overview
The PCI DSS (Payment Card Industry Data Security Standard) is maintained by the PCI SSC (Payment Card Industry Security Standards Council), a body founded by the major card brands, as a single industry standard of security requirements for organizations that store, process or transmit cardholder data. It was created to reduce payment card fraud and, ultimately, to protect your customers by giving them a safe shopping environment.
Before the PCI SSC came into being, each card brand ran its own data protection program that merchants had to comply with (Visa’s CISP and Mastercard’s SDP, among others). Merchants found this patchwork unsatisfactory and demanded one industry-wide set of security requirements covering all card brands. And thus, the PCI SSC and the PCI DSS were born.
2. Who is Subject to the Standard
The PCI DSS makes no exceptions: if you accept payment cards, provide services directly related to card transactions, or can otherwise affect the security of cardholder data, you must comply with the standard. It doesn’t matter how many transactions you process or how the card data reaches you (web checkout, phone, mail order or a terminal in a shop). The bottom line is, if you’re dealing with cardholder data in any shape or form, you are subject to the standard.
3. The Four Merchant Levels
The DSS requirements are the same at every level; the levels only determine how you validate your compliance. Levels are assigned per card brand, not across brands combined (for example, 400 000 Visa transactions and 700 000 Mastercard transactions are counted separately, not summed to 1.1 million), and they are based on the number of transactions processed in a calendar year. Using the Visa and Mastercard definitions:
Level 1: more than 6 million transactions
Level 2: 1 million to 6 million transactions
Level 3: 20 000 to 1 million e-commerce transactions
Level 4: fewer than 20 000 e-commerce transactions, or any other merchant with up to 1 million transactions
Level 1 merchants must validate through an annual on-site assessment by a QSA (Qualified Security Assessor), which produces a Report on Compliance and is an independent validation of controls. Level 2 merchants complete an annual Self-Assessment Questionnaire (SAQ), although Mastercard requires that it be completed by a QSA or by staff certified as Internal Security Assessors. Levels 3 and 4 validate with an annual SAQ. At every level, merchants with Internet-facing systems also need quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). However you validate, the requirements are exactly the same and you are subject to the exact same standard.
4. There Are Consequences for Not Being PCI Compliant
If you do not comply with the PCI standard, there will be consequences, and they escalate in severity: from fines levied by the card brands through your acquiring bank, up to what the industry calls the “death penalty”, the revocation of your ability to accept cards at all. If you lose cardholder data, you are guaranteed some sort of penalty, starting with the cost of reissuing cards to the customers whose data you lost, plus the cost of the forensic investigation that follows. In the case of a massive non-compliance issue, the card brands can stop you from taking credit cards altogether, which can be a huge loss to your business. In practice the death penalty is almost never applied: the card brands and your acquirer are more interested in getting you compliant, and they may put you on a remediation schedule to achieve PCI compliance.
So how do you achieve PCI compliance? Stay tuned for the next post!