Every industry has its share of specific terms, acronyms and abbreviations. There’s certainly no shortage of them in the world of payments.
One that you’ve likely come across on a regular basis — and one of extreme importance to your business — is PCI-DSS.
PCI-DSS stands for Payment Card Industry Data Security Standard. It’s a set of requirements created to keep customer payment card data secure. All companies that process, store or transmit credit card information are required to comply with PCI-DSS.
So … Why Should a Merchant Comply with PCI-DSS?
In short, compliance brings many benefits to your business; non-compliance can bring many long-lasting, negative consequences.
Benefits of Compliance:
One major benefit is customer confidence and trust which translates into sales and customer loyalty.
Compliance with PCI-DSS certifies that your systems are secure. Knowing your systems are secure, consumers can trust you with their sensitive information and have confidence that their information is safe and protected.
Confident customers that trust you are more likely to do business with you again and become loyal, repeat shoppers. They’re also likely to recommend you to their friends.
Another key benefit of compliance: it improves your reputation with acquirers (banks and financial institutions that process credit and debit cards on your behalf). Compliance also improves your reputation with payment brands such as VISA and MasterCard.
Negative Consequences of Non-Compliance:
All it takes is one time. One data breach — no matter its size — can bring about devastating consequences to your business … damage to your business financially and irreparable damage to your business’ reputation.
You may also face fines and penalties associated with the data breach, such as payment card issuer fines and damages claimed by any party that believes it was harmed by the breach.
How to Become PCI-Compliant
Becoming PCI-compliant can seem like a large undertaking but it can be relatively simple — especially with the assistance of your payment processing provider.
The first step is to review the actual Payment Card Industry Data Security Standard. We suggest you download the PCI-DSS Quick Reference Guide v3.1. This guide is provided by the PCI Security Standards Council and includes easy-to-understand explanations and graphics on PCI-DSS. You may even want to print this guide and share it with your fellow co-workers.
Pay particular attention to page 9. This page includes the 12 steps that make up the PCI-DSS requirements and can be used as a checklist for assessing your IT assets and business processes.
Next, you’ll need to validate your assessment. The way to do this is by completing a Self-Assessment Questionnaire (SAQ). Your merchant environment — such as whether you’re a card not present/ecommerce merchant or you process payments through a standalone payment terminal — determines which questionnaire and set of requirements you must meet.
At Constellation Payments, in addition to setting up your merchant account, we’ll guide you through the entire process to make sure your PCI compliance certification experience is smooth and easy. We provide step-by-step instructions on how to register with a Qualified Security Assessor (QSA), such as Trustwave or Sysnet, and provide any assistance needed to complete the Self-Assessment Questionnaire with the respective vendor.
Once you have completed the questionnaire and confirmed all answers, you will be able to download a validation certificate which is good for one year. You must then send it to your merchant processor to have on file, and complete this process every year to stay compliant.
Who Needs to Complete a Vulnerability Scan?
Your merchant environment determines whether or not you’ll need to also complete a vulnerability scan.
Businesses that have external-facing IP (Internet Protocol) addresses that connect to their cardholder data are required to complete a quarterly vulnerability scan by an Approved Scanning Vendor. A vulnerability scan identifies security issues such as outdated versions of software, storing of any credit card data, or misconfigured networks.
If vulnerabilities are found, merchants are required to go through a remediation process to fix the vulnerabilities. See the page “Getting Started with PCI Data Security Standard” from the PCI Security Standards Council website for more remediation steps.
Bottom Line …
I mentioned the PCI Security Standards Council quite a few times in this article. But you should know they are not responsible for PCI compliance.
Merchants and processors must do their part to demonstrate compliance. That includes regular reporting. The Self-Assessment Questionnaire must be completed every year and submitted to the acquiring bank and payment processing partner, such as Constellation Payments, that you do business with.
Additionally, specific merchants must complete a quarterly vulnerability scan report.
While it does take some time and effort to become PCI-compliant, it’s well worth it to gain customer trust and confidence — and avoid the catastrophic consequences a data breach can bring. As the PCI Security Standards Council website so aptly states, “You’ve worked hard to build your business — make sure you secure your success by securing your customers’ payment card data.”
Angela Summa is the Vice President of Constellation Payments. She is responsible for business development, implementation, channel partner support, and merchant support. Her goal is to ensure businesses offer the highest level of payment processing security and ease of processing to customers. You can reach Angela by sending an email to firstname.lastname@example.org.