PCI Compliance Overview
PCI compliance refers to meeting and adhering to the Payment Card Industry Data Security Standard (PCI DSS) established by the Payment Card Industry Security Standards Council (PCI SSC), an alliance of the five major credit card companies — Visa®, MasterCard®, Discover®, American Express® and JCB International®. PCI DSS lays out for all merchants who process, store or transmit credit, debit or prepaid card information the steps to take to maintain a secure transaction environment.
As a leader in secure electronic payments, TransFirst® supports and promotes PCI compliance with a program that provides a number of services that help merchants become and remain compliant, even as PCI DSS requirements change.
PCI Compliance Program Components
The TransFirst PCI Compliance Program consists of several important and comprehensive components:
- Our online Self-Assessment Questionnaire (SAQ) is an intuitive and easy-to-use tool with picture-driven qualification steps that helps merchants easily determine their Validation Type. It is supplemented with expert help text and real-life examples.
- External scanning detects network vulnerability for merchants with external-facing IP addresses and finds holes in web-based applications. TransFirst then issues easy-to-understand reports detailing the results and prioritizing vulnerabilities while offering hands-on assistance for remediation.
- A set of custom security policies, powered by the Unified Compliance Framework (UCF), and policy templates that are automatically generated based on how merchants process payment cards provide an individualized approach to compliance.
- On-demand security awareness training prepares merchants to handle sensitive information, satisfies PCI DSS requirements and eliminates the need to purchase a costly training program from a third-party provider.
Protection for Merchants and Customers
It’s important to understand that while PCI compliance is an important protection for both merchants and cardholders, there is no law requiring it. However, PCI compliance is a contractual obligation between merchants and the major card brands.
Although the PCI Security Standards Council does not impose consequences for non-compliance with PCI DSS, the individual payment brands can and do impose fines and/or operational sanctions that could be disastrous for your bottom line and your reputation with acquirers, payment brands and customers. Additionally, several states already have PCI compliance laws on their books, and more are expected to follow.
PCI compliance is not an expensive proposition or one that requires a great deal of effort on the part of the merchant; it is a great investment in security and peace of mind. TransFirst stands ready to instruct and support our merchants in that investment. Knowing what PCI compliance is and how to achieve it is vital to the future of your business on a number of different levels, so we provide in-depth information on our exclusive Compliance101.com website.
PCI Compliance Basics
On the surface, mandatory PCI compliance may seem complicated, even burdensome or intrusive on the way you run your business. But think of it this way: PCI compliance equates with security for both you and your customers. Isn’t a little effort and diligence on your part a small price to pay for peace of mind when your livelihood is at stake?
At TransFirst, we understand the ins and outs of PCI security compliance and are ready to help with services to ensure that your credit card processing meets all the established criteria.
The comprehensive operational and technical requirements laid out in the PCI DSS establish consistent measures for data security management, policies and procedures, network architecture and software design. Businesses and small merchants are required to process, store and transmit cardholder data (cardholder name, account number, service code and expiration date) as well as sensitive authentication data (magnetic stripe or chip data, CVV code and PINs) in compliance with these requirements so that it is kept private and secure.
Since online transaction and credit card fraud continue to be major threats to businesses, PCI compliance is crucial. That’s why it’s required of all entities with a Merchant ID (MID), from the largest big-box stores to the smallest mom-and-pop shops and everything in between. Additionally, all “players” in the credit card payment chain must be PCI compliant, including payment service providers like TransFirst, banks and hosting providers.
It’s important to realize that PCI compliance is an ongoing process, not a one-time event in your business life. Consider it a series of common sense, “best practices” steps that all merchants should follow as part of their security strategy. The three steps for adhering to the PCI DSS as outlined by the PCI SSC are:
- Assess by identifying cardholder data, taking an inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities that could expose cardholder data.
- Remediate by fixing vulnerabilities and not storing cardholder data unless you need it.
- Report by compiling and submitting required remediation validation records (if applicable) and submitting compliance reports to the acquiring bank and card brands with which you do business.
PCI Compliance Requirements
Check with your payment brand or merchant account provider for the exact PCI security compliance requirements for your company or business. TransFirst provides information about PCI compliance requirements in general only.
Understanding the basis for PCI DSS will go a long way towards dispelling any concerns you may have about the process. Fundamentally, PCI DSS establishes six basic principles:
- Build and Maintain a Secure Network
  - Install and maintain a firewall configuration to protect cardholder data.
  - Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect Cardholder Data
  - Protect stored cardholder data.
  - Encrypt transmission of cardholder data across open, public networks.
- Maintain a Vulnerability Management Program
  - Use and regularly update anti-virus software.
  - Develop and maintain secure systems and applications.
- Implement Strong Access Control Measures
  - Restrict access to cardholder data by business need-to-know.
  - Assign a unique ID to each person with computer access.
  - Restrict physical access to cardholder data.
- Regularly Monitor and Test Networks
  - Track and monitor all access to network resources and cardholder data.
  - Regularly test security systems and processes.
- Maintain an Information Security Policy
  - Establish and maintain a policy to address information security.
Four Levels of PCI Compliance
There are four levels of PCI compliance; your level is determined by the number of electronic transactions you process each year.
Level 4
Small businesses — those processing less than 20,000 e-commerce transactions and less than 1 million other transactions annually — fall into this category. Level 4 businesses must complete an annual risk assessment using the appropriate PCI Self-Assessment Questionnaire (SAQ).
Level 3
Mid-sized companies generating between 20,000 and 1 million transactions annually require an annual risk assessment using the appropriate SAQ.
Level 2
Companies at this level handle between 1 million and 6 million transactions annually. A PCI SAQ must be completed each year.
Level 1
Big-box stores and other major corporations with a minimum of 6 million transactions per year must conduct an annual internal audit with a qualified PCI auditor. Quarterly PCI scans, administered by an approved scanning vendor, may also be required for businesses at all four levels.
Whatever your level, TransFirst’s Transaction Express® can reduce your PCI burden and help you achieve and maintain compliance by enabling you to easily accept payments with maximum security. This web-based payment gateway’s secure processing platform is fully PCI compliant and ideally suited for merchants of all sizes.
Transaction Express’s features and services are designed to meet your unique needs and expectations. For example, through its tokenization service, Transaction Express’s hosted payment page eliminates the need to store card data altogether by sending back only minimal information such as transaction and reference IDs and an authorization code.
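The Assess and Remediate steps above come down to one question for a tokenized hosted-page flow: does the merchant side still hold any cardholder or sensitive authentication data, or only the transaction ID, reference ID and authorization code it was sent back? The following added example (not TransFirst's or the PCI SSC's code; field names, sample records and the test PAN are constructed) is a cardholder-data discovery check that flags stored fields by name and finds Luhn-valid PAN-like values that have leaked into notes or other free text.

```python
"""Cardholder-data discovery check over merchant-side transaction records.
Added example, not TransFirst or PCI SSC code; field names and records are
constructed. Flags stored fields holding cardholder or sensitive authentication
data (PAN, CVV, track data, PIN) that a tokenized hosted-page flow makes unnecessary."""
import re

# Field names that should never appear in stored records (constructed list).
SENSITIVE_FIELD_NAMES = {"pan", "card_number", "cvv", "cvc", "cvv2",
                         "track1", "track2", "track_data", "pin", "pin_block"}
# 13-19 digits, optionally space/hyphen separated, not inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by card numbers (public algorithm)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return Luhn-valid PAN-like digit strings found in free text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):  # drops most order/reference numbers
            found.append(digits)
    return found

def audit_record(record: dict) -> list:
    """Findings for one stored record; an empty list means nothing sensitive."""
    findings = []
    for key, value in record.items():
        if key.lower() in SENSITIVE_FIELD_NAMES and value not in (None, ""):
            findings.append(f"field '{key}' holds cardholder/authentication data")
        for pan in find_pans(str(value)):  # PANs leaking into notes or logs
            findings.append(f"field '{key}' contains PAN ending {pan[-4:]}")
    return findings

# What the tokenized hosted-page flow leaves on the merchant side (constructed).
TOKENIZED_RECORD = {"transaction_id": "TX-1001", "reference_id": "REF-77",
                    "auth_code": "A1B2C3", "amount": "42.00"}
# A legacy record that kept card data it never needed (constructed, test PAN).
LEGACY_RECORD = {"transaction_id": "TX-1002", "card_number": "4111 1111 1111 1111",
                 "cvv": "123", "note": "callback re 4111111111111111"}

if __name__ == "__main__":
    print({r["transaction_id"]: audit_record(r) for r in (TOKENIZED_RECORD, LEGACY_RECORD)})
```

Run against an export of the merchant's transaction table, an empty result for every record is the evidence the Report step asks for; any finding points at a field the tokenized flow should have made redundant.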
PCI Compliance Means Security
By fully complying with PCI DSS, you significantly decrease your risk of electronic data fraud that could seriously jeopardize or damage your business brand, reputation and finances. Just one data breach can cause a cascade of lost sales, cancelled accounts, destruction of business and community relationships, high-stakes lawsuits, insurance claims, and expensive fines and sanctions by individual payment brands.
As a merchant, you know that doing business is based on trust between you and your customers. Consumers who believe their sensitive credit or debit card information is safe with you are more likely to return and to refer other business your way. PCI compliance helps establish that important level of trust and feeling of security.
Final Thoughts on PCI Compliance
Compromised electronic data negatively affects everyone involved: merchants, consumers, service providers and financial institutions. By achieving PCI compliance, you’re taking responsibility for keeping the data entrusted to you safe from fraudsters and thieves.
The protective measures outlined in PCI DSS are an investment in the global battle against electronic fraud. PCI compliance ensures safeguarded payment card data with every transaction. Isn’t that what you and your customers expect and deserve?
When you’re ready to achieve and maintain PCI compliance, TransFirst can help. Complete the form above and one of our representatives will answer your questions and set you on the path to PCI compliance.