PCI DSS compliance

Why do I need PCI DSS certification?

If you do not accept any credit cards for any reason, you do not need this service. If you process even one card, you are bound by PCI DSS rules, and non-compliance can put you out of business. Everyone storing, processing or transmitting cardholder information is required to follow the Payment Card Industry Data Security Standard (PCI DSS). It consists of 12 basic requirements grouped in 6 categories for establishing and maintaining a reliable and secure payment processing environment. For a small business this can be near impossible. Just understanding the forms can be like climbing Mount Everest, and most small businesses resort to lying on the form so they can get on with life. Lying on the forms will just put you out of business for breach of contract. "It is too complicated" is not an excuse. We are not a certifying authority, but rather an independent shop that understands PCI DSS. We can guide you through the process of PCI DSS certification, and we use a third-party certified PCI compliance company to finalize your certification. This way you know it’s done right the first time. Here is the PCI 12-step program. If you don’t understand everything on this page, no worries: we have a certified PCI specialist who can keep you in compliance.

Build and maintain a secure network

1. Install and maintain a firewall configuration to protect cardholder data.

2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect cardholder data

3. Protect stored cardholder data.

4. Encrypt transmission of cardholder data across open, public networks.

Maintain a vulnerability management program

5. Protect all systems against malware and regularly update anti-virus software or programs. (This includes IoT devices, mini PCs such as the Raspberry Pi, and smartphones allowed on the network.)

6. Develop and maintain secure systems and applications.

Implement strong access control measures

7. Restrict access to cardholder data by business need-to-know.

8. Identify and authenticate access to system components.

9. Restrict physical access to cardholder data.

Regularly monitor and test networks

10. Track and monitor all access to network resources and cardholder data.

11. Regularly test security systems and processes.

Maintain an information security policy

12. Maintain a policy that addresses information security for all personnel.

Compliance validation

Take the time to see that you’ve met all requirements of the PCI DSS. It’s the best way to confirm cardholder data is being safely handled and to expose any weaknesses that need to be addressed. Your total Visa transaction volume over a 12-month period determines your merchant level** and the necessary requirements for validation. You should try to exceed the requirements. The best security breach is the one that did not happen to you.

** Merchant level identification is based on the corporate entity’s total volume of Visa transactions (inclusive of credit, debit and prepaid) meeting the transaction thresholds in one country or with one acquirer per year. Volume from independently owned and operated merchant locations (e.g., franchisee, licensee) may be excluded if it is not processed by the corporate entity. Our clients tend to be level 3 and 4, but we will work with anyone that truly wants to be compliant.

Merchants processing over 6 million Visa transactions annually across all channels or Global merchants identified as Level 1 by any Visa region – Level 1

Every year:

  • File a Report on Compliance (“ROC”) prepared by a Qualified Security Assessor (“QSA”) or by an Internal Auditor, if signed by an officer of the company. We recommend the internal auditor obtain the PCI SSC Internal Security Assessor (“ISA”) certification.
  • Submit an Attestation of Compliance (“AOC”) Form.

Every quarter:

  • Conduct a quarterly network scan by an Approved Scan Vendor (“ASV”).

1 to 6 million Visa transactions annually across all channels – Level 2

Every year:

  • Complete a Self-Assessment Questionnaire (“SAQ”).
  • Submit an Attestation of Compliance (“AOC”) Form.

Every quarter:

  • Conduct a quarterly network scan by an Approved Scan Vendor (“ASV”).

20,000 to 1 million Visa e-commerce transactions annually – Level 3

Every year:

  • Complete a Self-Assessment Questionnaire (“SAQ”).
  • Submit an Attestation of Compliance (“AOC”) Form.

Every quarter:

  • Conduct a quarterly network scan by an Approved Scan Vendor (“ASV”).

Merchants processing less than 20,000 Visa eCommerce transactions annually and all other merchants processing up to 1 million Visa transactions annually – Level 4

Every year:

  • Complete a Self-Assessment Questionnaire (“SAQ”).
  • Submit an Attestation of Compliance (“AOC”) Form.

Every quarter:

  • Conduct a quarterly network scan by an Approved Scan Vendor (“ASV”).

PCI Compliance can protect your business from financial assessments should you be compromised

The Visa Core Rules (VCR) govern the activities of client financial institutions and, by extension, merchants and service providers as participants in the Visa payment system.

A merchant’s acquiring bank is responsible for ensuring the PCI Data Security Standard (DSS) compliance of the merchant and any service providers the merchant is using. As a merchant, you must maintain full compliance at all times. (VCR section ID #0002228 and #0008031).

If a merchant does not comply with the PCI DSS or fails to rectify a security issue, Visa may assess a non-compliance assessment to the merchant’s acquirer. The acquirer is responsible for paying all assessments and must not represent that Visa has imposed any assessment on the merchant. (VCR section ID #0001054)

Assessments may be waived if there is no evidence of PCI DSS non-compliance prior to, and at the time of a data breach, as demonstrated during a forensic investigation. 48 states have reporting laws for security breaches.

What to do in case of a suspected Credit Card Data Breach

Further study

https://usa.visa.com/support/small-business/security-compliance.html?ep=v_sym_cisp#3