Updated: Jul 15, 2020
By John Alec Stouras
Because the use of online transactions is one of the ways businesses can gain cashflow during the pandemic, the use of credit cards for purchases has become more critical than ever. Now that we are inside more often than not, even with restrictions lifting, touching paper money may make most of your customers feel uneasy. Because of this, credit cards are crucial to any business now, especially because coins and paper money both can carry the coronavirus for longer periods of time. Don’t believe me, click here.
But, did you know if you collect and store credit card information, there are rules and regulations established by credit card companies and regulatory agencies that you must follow? You bet it. And it has a pretty funky name too.
What is the PCI DSS?
The PCI DSS is the Payment Card Industry Data Security Standard. It's enforced and created by the major credit card companies. Because of the proliferation of the Internet, the PCI DSS was designed to have businesses take reasonable steps to protect consumer credit card information. Do you not know if you collect or store credit card information? Do you use a recurring billing system through your business? If so, then you likely do.
Some small businesses do not overtly deal with PCI DSS because they use a third-party billing system and do not interact with credit card information directly. However, they still have self-assessment procedures and requirements to meet through the PCI Security Standards Council, which is one of the advisory bodies of the PCI DSS (click here).
To make it a little clearer we will discuss the merchant levels, which determine what validation requirement steps you must take.
What are the Merchant Levels?
Your validation method is directly tied to your merchant level. These are the Merchant Levels for Visa, and they change per institution. Validation is the method of complying with PCI DSS. You can see that when the bar for validation gets lower, the higher the number your level is. This is because there are fewer transactions, and therefore a lesser risk of a broad cyber-attack. As for the definition of "transactions," they are explicitly talking about e-commerce transactions and phone orders, not paper money transactions.
Level 1 Definition: Anyone processing more than 6 million transactions per year. Any merchant has had a data breach or attack that resulted in a compromise.
Level 1 Validation: Must have an on-site assessment by a Qualified Security Assessor (QSA), a network scan quarterly by an Approved Scan Vendor (ASV), and an attestation of compliance form.
Level 2 Definition: A million to six million transactions per year.
Level 2 Validation: Complete a Self-Assessment Questionnaire, network scan by ASV, attestation of compliance form completed.
Level 3 Definition: 20 thousand to one million transactions per year.
Level 3 Validation: Complete a Self-Assessment Questionnaire, a quarterly scan by ASV, attestation of compliance form.
Level 4 Definition: less than 20 thousand transactions per year.
Level 4 Validation: Complete a Self-Assessment Questionnaire, a quarterly scan by ASV, Attestation of compliance form.
If you are a small to mid-sized business, you likely fall in the Level 4 category. Now, let’s look at the goals of compliance and what steps they require you to take.
What are the Goals of Compliance, and What Steps Do I have to Take?
The Goals of PCI DSS compliance are fivefold: 1) to protect consumer and cardholder data 2) to have substantial control measures 3) to regulate and test networks that have this data 4) maintain security policy, and 5) have secure systems. Because of this, the PCI DSS has specific requirement steps that mirror security best practices. The PCI Security Standards Council lays them out in 12 points below. However, I'll expand upon each one a little bit to give you a bit of an idea. For the PCI Security Standards Council, they offer a quick reference guide here.
1. Install and maintain a firewall configuration to protect cardholder data.
Installing and maintaining a firewall for your network is, in reality, already in place. Firewall functions are already assumedly in place through your business's internal network, so likely this prong takes care of itself. If so, then make sure your firewall is upon both your computer configurations and your network settings. Depending on what companies’ products you are using, those can be in different places, so make sure you check your manuals. If you are like me and get rid of manuals, you likely can upload one for your specific product online.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
This one means that you need to change your network password and your computer password to make sure you do not have an easily guessable password and username combination. If any of your systems have dual-factor authentication methods, putting those in place will increase your overall security. Dual factor authentication is that type of policy that usually requires you to have another device like your phone to authorize access after you put in your username and password.
Want to create a strong password? The traditional advice is to have it be 10+ characters, including all of the types of characters (upper- and lower-case letters, symbols, Arabic numerals), and are not common words often combined.
3. Protect stored cardholder data.
This is a general principle that the PCI Security Standards and should generally be a policy for your small business. The first way to protect stored cardholder data is not to save it if you are not using it. Further, continue to reassess necessary stored information periodically in your business, as unnecessary stored information means more information that could be taken. Also, make sure you have file encryption software to encrypt your cardholder data files.
It is also essential to keep your keys to encrypted files in a safe and secure place. To have your files encrypted and your keys insecure is like having your door locked, but your key is under the mat. It is great to have your door locked, but not if the key is easily accessible. This means you need to have essential management procedures in place and limit access to encrypted keys on a need-to-know basis as well.
4. Encrypt transmission of cardholder data across open, public networks
If you need to move cardholder data, make sure you try to do it over secure networks. If that isn't possible for any reason, encryption is almost essential to make sure no one hijacks cardholder data in transit. Open, public networks are notorious for cybercriminal squatters. As a matter of policy, never allow company computers to be opened on public open networks. Further, make sure to encrypt your cardholder data before it is transferred. Also, remember to share the key with the person you are giving the data too, so they can access it.
5. Protect systems against malware and regularly update antivirus software or programs.
If you do not have an antivirus and malware software already, load one up now! Often, your Internet provider for your business offers a package with a complimentary antivirus software free trial. If your provider does not give you one automatically, look online for antivirus software now. They protect you usually from more than just your regular antivirus attacks.
6. Develop and maintain secure systems and applications.
This requirement is pretty vague and will likely require a coder and cybersecurity professionals. Or, if you have a coder already for your small business, you probably are fine! The reason is that they ask you to do standard patching of your system for vulnerabilities and as well as fixing common code vulnerabilities. The part you can do is do a risk self-assessment of your network using the PCI DSS self-assessment form.
7. Restrict access to cardholder data to business need-to-know.
8. Identify and authentic access to system components.
This one discusses more having user authentication methods in place when people attempt to access sensitive data. Further, keep a log of employee time and access to sensitive consumer data.
9. Restrict physical access routes to cardholder data.
The physical access route to cardholder data is more about the actual system when users swipe or input their cardholder information. Think more about the tape stripes that protect gas station card readers. Keeping card readers secure is extremely important to card security.
10. Track and monitor all access to network and cardholder data areas.
Here, the PCI's counsel is mostly talking about system logs. A system activity logs stores time, actions, and user interactions within a network. Tracking who can walk in and access the network that contains sensitive cardholder data is a must. And as seen here, it is required for PCI – DSS compliance.
11. Regularly test security systems, processes, and networks.
This requirement mostly talks about doing vulnerability scans and penetration testing on your network. For reference, a penetration test (frequently called "pen test") is essentially a cybersecurity simulated hack. It evaluates the security systems of a network, server, and computer. If you do run a more significant business, you will likely need to be doing this more regularly and having a cybersecurity professional or IT team dedicating serious time to it. Further, the PCI has an Approved list of Scanning Vendors (ASV) to give you options in selecting help for protecting your network. For the list of ASV entities, click here.
12. Maintain a security policy that addresses information security for all personnel.
I was a policy wonk to consider this requirement the most interesting one. This one makes sure you have a firm security policy to ensure that consumer credit card data is taken seriously. They recommend you to set specific security responsibilities for members, screen new personnel, implement procedures for safe sharing and other types of security measures. Overall, having a written document that outlines personnel and systems is what they are looking for here, with the primary goal of keeping sensitive customer data safe and credit card information secure.
Logistically, the process can be broken down into a few steps. Find out what types of things you need to do because of your merchant level and other considerations. Assess your compliance and complete the SAQ or ROC, including documentation. Remember to complete the Attestation of Compliance for your business. Then, all you need to do is submit. If they require an updated report, they will contact you.
Can Anyone Help Me?
Before you worry about if you have to comply with every rule in a very profound way, there is a PCI DSS: Self-assessment tool on the PCI Security Council website that can help precisely with what you have to comply with involving your business. The self-assessment tool can be found here. If your organization is eligible, this may count as a validation tool instead of having to submit a Report on Compliance to PCI DSS.
Further, PCI DSS has approved assessors who can evaluate your compliance with the security standards. Lastly, if you have any specific questions about PCI DSS, your financial institution can answer them because the various card brands have compliance teams to assist you.
Now that you have a better idea of what PCI DSS is, you will have an easier time tackling the issue and finding help in the right places. As a default, contact your card brand for more information on PCI DSS requirements and transactions. They, too, want to make sure your business complies as their cards are the ones being used. If you have further questions, the PCI Compliance FAQ is a great place to start to answer questions for small to mid-sized businesses. Click here.
--- Are you interested in launching or sustaining a pandemic proof small business? Spot issues, take action, stay safe, and thrive in a post Covid-19 world with Legalucy. Learn more at thelucyreport.com
Your interaction with Legalucy and mypandemicproofbusiness.com does not create an attorney client relationship. We provide information for your reference only. Such information should not and cannot be construed as legal advice. For more information, please contact firstname.lastname@example.org.