Top 10 facts about PCI DSS Compliance that you need to know
26 Sep 2017
26 Sep 2017
What do you need to prove you can handle card payments securely - a black belt, a Michelin star, or maybe even the Nobel prize for security? The correct answer is PCI DSS. But what does this security standard really mean?
Taking card payments can be a risky business for merchants, whether transactions take place via the web, using mobile apps or over the phone with contact center agents.
CNP crime cost the US $5.2 billion in 2016 and is estimated to double that to reach $6.4 billion by 2021, according to the Statista.com.
The industry is hitting back - and PCI DSS is one of its most powerful weapons. But the mention of PCI DSS often prompts a series of questions. So let's answer them, one by one.
Question #1: What is PCI DSS?
A: PCI DSS (the Payment Card Industry Data Security Standard) is a security standard for organizations to follow if they store, transmit or process cardholder data (CHD) and/or sensitive authentication data (SAD). PCI DSS is intended to protect sensitive cardholder data and prevent fraud. The standard is managed by the Payment Card Industry Security Standards Council, which includes American Express, MasterCard, Visa Inc and other card providers.
Question # 2: What are the penalties for non-compliance?
A: Non-compliance often comes to light when there's a data breach. Payment brands can issue fines that can run into hundreds of thousands of dollars. Companies may also face increased transaction fees or even be prevented from accepting payments by card. They may also have to pay for a forensic investigation into the causes of any compromise. A breach can also be followed by bad publicity, a damaged reputation, costly compensation to customers and lost business.
Question #3: What are PCI DSS compliance levels?
A: Merchants and payment service providers fit into different compliance levels, depending on the number of credit card transactions they handle. Level One is for those processing over six million transactions per year. Level Four applies to merchant processing fewer than 20,000 e-commerce transactions and all other merchants processing up to 1 million transactions per year- regardless of the acceptance channel (not just e-commerce).
Question #4. How do organizations satisfy PCI DSS requirements?
A: All organizations need to complete an Attestation of Compliance (AOC) form and have a quarterly network scan by an Approved Scanning Vendor (ASV). In addition, Level One organizations must have an annual on-site assessment - called a Report on Compliance (ROC) - completed by an independent Qualified Security Assessor (QSA). All others must submit an annual Self-Assessment Questionnaire (SAQ).
Question #5: If our software is PA-DSS certified, does that mean we're compliant already?
A: Any Payment Application - Data Security Standard (PA-DSS) certified software may help you with security and compliance, but it will never absolve you from your overall PCI DSS responsibility. The rest of your contact center environment needs to be compliant. Only software applications or products are included in the PA-DSS list - it doesn't include services.
Question #6: What is the PCI DSS Attestation of Compliance?
A: The Attestation is a statement signed by an officer of your company - usually the Chief Financial Officer or Head of Compliance. It certifies that all relevant PCI requirements have been met by your organization. There are different versions of the Attestation, depending on the scope of your business.
Question #7: Can we complete our own Self-Assessment Questionnaire (SAQ)?
A: Level One merchants and Service Providers need an assessment by an independent QSA to validate their compliance. Other organizations complete the correct SAQ version for their business - and can do this themselves. There are different SAQs for different types of organizations, ranging from companies with payment application systems to those who outsource all their cardholder data-related activities to a PCI DSS payment service provider. Those who outsource may only need to complete a simple two-page SAQ.
Question #8: How can I find a QSA?
A: Qualified Security Assessor companies have been approved by the PCI Security Standards Council to validate an organization's compliance with PCI DSS. The Council manages a searchable database of companies and assessors.
Question #9: As a Level One merchant, how can we make PCI DSS compliance simpler?
A: If you are currently capturing, storing, processing or transmitting card data, then the burden of applying levels of security to meet PCI DSS standards will weigh heavily on you. Achieving compliance yourself can be demanding, complex and costly -distracting you from your core business. The most pragmatic and secure approach is to outsource activities to a trusted payment Service Provider. With the right solutions you can prevent any card data from entering your contact center and systems - removing your environment from the scope of PCI DSS.
Question #10: Does outsourcing mean we can forget about PCI DSS completely?
A: Not completely. The quarterly network scan and annual Attestation of Compliance still needs to take place. Also, even though a payment service provider will be looking after transactions on your behalf, your company is still ultimately responsible for data security. That's why choosing a provider with the right experience and credentials is essential.
Delve deeper by getting your free copy of our ebook The Definitive Guide to PCI DSS compliance. It's everything you wanted to know about PCI DSS compliance and secure payments but were too afraid to ask.