If your ecommerce business accepts payments from credit or debit cards, you need to be compliant with PCI DSS (Payment Card Industry Data Security Standard). According to Verizon’s Payment Security Report 2020, only ‘27.9% of organizations achieved 100% compliance during their interim compliance validation’. Businesses that are not compliant put themselves at risk of data breaches, leading to a drastic loss of sales and reputation – and potentially, legal ramifications.
So, what is PCI compliance and what do you need to do to keep your ecommerce business within its guidelines? In this article, we’ll cover the meaning, levels and requirements of PCI compliance to help you understand the exact steps you need to take.
What is PCI compliance? Meaning and key terms
The PCI DSS is a set of requirements for businesses that use credit card information to ensure they process, store and transmit this information securely.
The requirements are regulated by the Payment Card Industry Security Standards Council (PCI SSC). The council was established by the five main credit card companies – MasterCard, Visa, American Express, JCB International, and Discover. Debit, credit or pre-paid cards from these five brands are all covered by PCI compliance.
The term Payment Card Industry (PCI) simply refers to these types of payment card and the associated business and industry around them.
What are the PCI compliance levels?
Businesses are assigned one of four PCI compliance levels, each with its own set of requirements. The level your company is assigned will vary depending on the amount of card payments you’ve received over a 12-month period. Here are the four PCI compliance levels:
- Level 4: For small businesses that process under 20,000 ecommerce transactions and up to 1 million card transactions on any payment channel in the year period.
- Level 3: These companies process 20,000 to 1 million ecommerce transactions in the year.
- Level 2: This level covers businesses that process 1 million to 6 million transactions per year, regardless of the card payment channel.
- Level 1: For the largest businesses, which process over 6 million card payments per year, regardless of the channel. In certain cases, other businesses that have had previous data breaches may be defined as level 1 to lower their risk to the card company.
The way that your company’s compliance is assessed will vary depending on your PCI compliance level. Levels 4-2 can opt to complete a self-assessment questionnaire (SAQ). Level 1 companies are required to have an audit by a Qualified Security Assessor or Internal Security Assessor. The auditor will then send a Report on Compliance (ROC) to your bank to establish your compliance. Level 2 businesses should also complete an ROC.
What PCI compliance requirements should my business follow?
Once you understand ‘what is PCI compliance’ and have an awareness of the PCI compliance levels, you should also learn the 12 key PCI compliance requirements.
1. Protect your system with a firewall
Firewalls use a set of specified security rules to block out malicious or unknown sources attempting to access your private business data. As they can prevent your customers’ details being compromised by viruses and hackers, firewalls are an important PCI requirement.
2. Configure custom passwords and security settings
Many third-party products, including routers and modems, will include default passwords and security measures, which are often easy for the public to gain access to.
Keep a record of all devices and programs that require a password or other forms of security protection. You should also ensure that you create unique usernames and passwords, rather than using the default options.
3. Record and encrypt stored cardholder data
One of the most vital PCI compliance requirements is to record all the cardholder data you store, along with its location and the duration you need to keep it for. Encrypt the data using industry-recognised algorithms, and then encrypt the encryption keys themselves. Businesses should check continuously that they are not storing unencrypted primary account numbers (PAN).
4. Encrypt cardholder data when transmitting
Your business will likely transmit cardholder data across open or public networks at certain times – for example, to payment processors. Encrypt all personal data sent through these networks, and do not send to any unfamiliar locations.
5. Update your anti-virus software
Anti-virus software needs to be continuously updated to the latest version to continue providing protection. Install anti-virus software on all computers, laptops, tablets or mobile devices that are used for the business, whether accessed remotely or in the office.
6. Keep software and systems updated
Your business needs to keep updating its software as the manufacturers release new updates and fixes. Install critical patches within a month of release to retain your compliance. Be particularly vigilant with any software used for card payments.
7. Restrict access to cardholder data
Your business should grant access to card data based on a need-to-know basis, known as role-based access control (RBAC). Record all employees who have access to the data, including details of their role and the level of access required for their duties.
8. Use unique passwords and IDs
Each employee accessing the data needs a unique password and ID, as opposed to group passwords. This strengthens security, as well as making it easier to hold users to account where breaches do occur. For those accessing remotely, multi-factor authentication is required.
9. Restrict physical access to data
Cardholder data, whether recorded digitally or on paper, needs to be kept in a physically secure location, where access is limited and monitored, for example, with security cameras. Each time data is accessed, record the details within a log.
10. Implement access logs
Activity relating to cardholder data and PAN must be logged. System event logs regarding actions taken on your computer systems should also be maintained and reviewed daily to look for anomalies. You can use log monitoring tools to help record, oversee and inspect your logs, as well as to alert you to suspicious activity.
11. Regularly scan and test your systems
Vulnerabilities in software and systems can lead to data being compromised. To remain compliant, you need to repeatedly perform vulnerability scans – automated scans that report potential vulnerabilities – and penetration tests, where analysts attempt to identify and exploit weaknesses in your systems.
12. Retain documentation and conduct risk assessments
Finally, ensure you have clear documentation regarding your business’ data security policy and practices. These should be reviewed yearly, and your employees should be aware of them. You should also perform annual risk assessments to identify vulnerabilities and make plans to prevent security from being compromised.
Need a hand with PCI compliance?
Now you’ve got to grips with what PCI compliance is, it’s time to get to work. Ultimately, the benefits of PCI compliance are clear – keeping customers’ card details safe not only builds consumer trust, but also prevents you from getting into legal trouble. However, managing your PCI compliance requirements manually can soon become expensive, confusing and time-consuming.
Not sure where to start? Fortunately, here at Bing Digital, we have vast experience with scanning sites for PCI compliance and pinpointing weaknesses in systems. So, you can focus on the day-to-day operations while we cross all the Ts to make sure your business is compliant.
Want to learn more? Get in touch with our specialist PCI compliance team today.