Just made your decision on starting an online business? Then, you need to find the best payment methods too!
Online purchases continue to progress drastically in number, so does the volume of credit card data stolen every year. At the end of 2018, Marriott International had experienced a massive data breach, in which the data of around 500 million customers got compromised.
In this context, how can you take the necessary measures to secure the credit card data of your customers? This is where Payment Card Industry Data Security Standard (PCI DSS) compliance comes into the picture!
But the major problem with PCI DSS for merchants is that it is an extremely technical subject; therefore, most of them barely understand anything when trying to get the details.
And the good news? Experts from Cybernetic Global Intelligence (CGI) is here to answer your burning questions on this topic!
What Is PCI Compliance?
The history of Payment processing security is relatively long…
In the early 2000s, online payments became more prevalent and consequently did information security breaches.
So, by the end of the year 2004, five major credit card brands – Visa Inc., MasterCard, Discovery Financial Services, American Express, and JCB International – collectively formulated the Payment Card Industry Data Security Standard (Version 1.0). Every trader dealing with payment processing were obliged to comply with this.
To oversee the prospect of PCI DSS, these firms further formed the Payment Card Industry Security Standards Council (PCI SSC).
Over the years, PCI DSS has undergone many revisions. And right now, we are on its Version 3.2.1. Today, this is a globally accepted payment security standard.
Who Needs To Comply?
PCI DSS applies to EVERY business that accepts, stores or transmits cardholder data. Based on the annual number of credit or debit card transactions made by the business, this is split into different merchant levels:
- PCI-DSS Level 1: For those who process over 6 million card transactions per year.
- PCI-DSS Level 2: For those who handle 1 to 6 million transactions per year.
- PCI-DSS Level 3: For those who manage 20,000 to 1 million transactions per year.
- PCI-DSS Level 4: For those who maintain fewer than 20,000 transactions per year.
Why Should I Care?
No matter what your business size is, these rules become applicable, if it takes credit cards as a mode of payment.
If you wish to sell online without being PCI compliant, get ready for potential security issues as well as monthly penalties that could even reach around $100,000!
And of course, the data breach could be disastrous, resulting in the loss of reputation of your brand. It may even lead to the decline of your right to accept payment cards. All these consequences may finally lead to going out of the business.
Is that what you wish to have..?!
How To Ensure If My Business Is PCI Compliant?
Mainly, all merchants should meet the below-mentioned PCI DSS requirements:
- Configure a firewall to protect cardholder data.
- Keep updated anti-virus programs.
- Use your payment gateway to store credit card information; do not store it either electronically or in any unsecured areas.
- Encrypt cardholder data while transmitting across public networks.
- Allot a unique ID to each person who accesses the computer.
- Stop using vendor-supplied default passwords.
- Don’t forget to monitor access to your network and cardholder data.
- Sustain a strict information security policy.
- Frequently test your security processes.
The PCI DSS SAQ & You
The Self-Assessment Questionnaires (SAQ) are tools that assist merchants report the outcomes of their PCI DSS compliance.
It depends on the total volume of payment card transactions carried out by your business annually and if they are conducted in-person or online.
Which SAQ Is Right For Me?
There are 9 SAQs a service provider can choose from:
- SAQ A: This is for e-commerce/mail/telephone-order merchants who have fully outsourced functions related to cardholder data. None of these data is stored or transmitted on the systems or premises of the merchant.
- SAQ A-EP: This is for merchants who own only e-commerce business, and uses a third-party service provider for handling their cardholder details; they possess a website that does not handle card data but could impact the security of payment transaction. No details of the cardholder data is stored, processed, or transmitted on the systems or premises of the merchant.
- SAQ B: This is for merchants who use imprint machines or standalone, dial-out terminals, and do not store, process, or transmit electronic cardholder data.
- SAQ B-IP: This is for merchants who use only standalone, PTS-approved payment terminals with an IP connection to the payment processor, and do not hold electronic cardholder data storage.
- SAQ C-VT: This is for merchants who use a virtual terminal on a computer assigned entirely to card processing, but with no electronic cardholder data storage.
- SAQ C: This is for any merchant with a payment application connected to the Internet, but with no electronic cardholder data storage.
- SAQ P2PE: This is for merchants who use approved point-to-point encryption (P2PE) devices, with no electronic card data storage.
- SAQ D: This is for merchants who do not outsource their credit card processing or use a P2PE solution and store credit card data electronically.
- SAQ D: This is for all service providers who are considered eligible to complete an SAQ.
Ultimately, you should choose the SAQ that is appropriate for your processing environment.
Why Are SAQs Required?
SAQ is not merely a roadmap to compliance, but better security. Filling out a PCI DSS SAQ is the most reliable way to make sure you are not missing any cybersecurity requirements.
Need help?
Experts at Cybernetic Global Intelligence – a PCI QSA Cybersecurity Company, can make SAQ compliance and attestation process easier for you.
A great relief, don’t you think…?