PCI DSS (the Payment Card Industry Data Security Standard, usually just called PCI) is a complex topic, and compliance can be tricky to achieve.
Anyone who is looking to take payments online will no doubt have received some information on PCI from their bank, along with the threat of penalties if compliance is not sorted out within a certain timeframe. All too often this results in confusion and mild panic, and so when a client appears on our doorstep waving a PCI compliance leaflet that they have received from their bank, we're always happy to talk them through what needs to be done.
Essentially, PCI is a standard designed to protect end users from fraud. It was put in place by the Payment Card Industry Security Standards Council, an independent council put together by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International.
Through a series of guidelines and checks, it verifies that you are handling end users' credit card details in a sufficiently secure manner. It is broadly split into the following categories:
Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software
- Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need-to-know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security
Do I Actually Need It?
As a rule of thumb, if you take customer credit card details on your own site, then you need to be PCI compliant. If you send users to another website to enter their credit card details (for example PayPal), then you don't need to worry about PCI compliance, as the onus is on the provider of your payment system to be compliant.
There are a number of different levels of PCI compliance, and some are easier to achieve than others. The level of compliance that you need to attain depends on a) how many credit card payments you take annually and b) what you do with users' credit card details. The various levels are outlined below, using Visa's thresholds to give you a flavour:
- PCI Compliance Level 1 - Merchants processing over 6 million Visa transactions annually (all channels) or Global merchants identified as Level 1 by any Visa region
- PCI Compliance Level 2 - Merchants processing 1 million to 6 million Visa transactions annually (all channels)
- PCI Compliance Level 3 - Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
- PCI Compliance Level 4 - Merchants processing fewer than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually
How Do I Become PCI Compliant?
Becoming PCI compliant can be a fairly straightforward task or can prove to be a lengthy, complex process. It really depends on the number of transactions that you are processing and how you deal with credit card details.
If you fall into the Level 4 bracket, you will need a high-grade certificate for your website, your server will need to pass a number of security checks, and you will need to fill in a self-assessment questionnaire (SAQ).
You will probably need a dedicated server, as the requirements for passing the security scan can be quite detailed, and a lot of the time you need administrator access to the server in order to make the changes.
As you move up the levels, becoming PCI compliant becomes harder and harder to achieve, with the upper levels requiring an in-depth, in-person security review by a qualified PCI consultant.
Either way, it is probably wise to employ someone who can steer you through the red tape and the security scans.
To Conclude
A lot of online businesses out there are still not PCI compliant, despite engaging in activities that require them to be. To date the merchant account providers have been fairly relaxed about the whole thing; however, recently they have tightened things up with deadlines and the threat of penalties for non-compliance.
It is something that you should seriously look at if you are taking payments online, as it will protect both you and your customers.
Image kindly supplied by aaronparecki on Flickr under a Creative Commons licence!