PCI Compliance: It's Required, and It's Good for Your Business
INTRODUCTION As a merchant who accepts payment cards, you know better than anyone that the war against data fraud is ongoing and escalating. Whether they occur through hackers, identity thieves, phishers or other cyber criminals, security breaches can mean disaster for your business. Your customers trust you with their personal identifying information, and when that information is compromised, it can be a financial disaster for your business financial restitution will be paid and reputation will be damaged. PCI compliance is one of the most effective ways of minimizing your risk against card fraud. This set of standards, created by major companies in the payment card industry, is industry-mandated for businesses that accept and store customers personal information. Meeting this requirement puts your business in its best position to put up a first line of defense against cyber criminals it s good for your business. PCI COMPLIANCE: IT'S REQUIRED, AND IT'S GOOD FOR YOUR BUSINESS 2
TERMINOLOGY What is PCI compliance? PCI compliance means you have met Payment Card Industry Data Security Standard (PCI DSS) requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. When you are PCI compliant, you are taking a responsible role to make sure that payment card data remains secure throughout every transaction your business processes. This action helps to ensure that both your business and your customers are protected against the costs and disruption of a data breach. PCI compliance follows common sense steps that mirror best security practices. To be proactive, you need to understand a variety of acronyms and terms associated with it. PCI Lexicon Payment Card Industry (PCI) An umbrella term that applies to debit, credit, prepaid, e-purse, ATM and POS (point of sale) cards and associated businesses. Payment Card Industry Security Standards Council (PCI SSC) Founded by American Express, Discover Financial Services, JCB International, Mastercard Worldwide and Visa Inc. as an open global forum to promote the ongoing development, enhancement, storage, dissemination and implementation of PCI Data Security Standards for account data protection. Payment Card Industry Data Security Standard (PCI DSS) Lays out the technical and operational requirements set by the PCI SSC to protect cardholder data. The standards apply to all entities that store, process or transmit cardholder data, with guidance for software developers and manufacturers of applications and devices used in those transactions. PIN Transaction Security (PTS) Also known as PCI PTS (formerly PCI PED), PTS is a set of security requirements focused on characteristics and management of devices used in the protection of cardholder PINs and other payment processing-related activities. Manufacturers must follow the requirements in the design, manufacture and transport of a device to the entity that implements it. Financial institutions, processors, merchants and service providers should only use devices or components that are tested and approved by the PCI SSC. Payment Application Data Security Standard (PA-DSS) For software developers and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement when these applications are sold, distributed or licensed to third parties. Most card brands encourage merchants to use payment applications that are tested and approved by the PCI SSC. PCI Self-Assessment Questionnaire (SAQ) A validation tool intended to assist merchants and service providers who are not required to undergo an on-site data security assessment to self-evaluate their compliance with the PCI DSS. There are multiple versions of the PCI SAQ to meet various scenarios. PCI Scan A quarterly test of system components, processes and custom software to ensure security controls. PCI SSC Approved Scanning Vendor (ASV) An organization that validates adherence to certain DSS requirements by performing vulnerability scans of the Internet-facing environments of merchants and service providers. Qualified Security Assessor (QSA) A company that s approved by the PCI SSC to conduct an audit. PCI COMPLIANCE: IT'S REQUIRED, AND IT'S GOOD FOR YOUR BUSINESS 3
WHAT IS PCI COMPLIANCE? LEVELS OF COMPLIANCE The PCI Security Standards Council has created four basic levels of compliance. Your business s level depends on your transaction volume: YOUR LEVEL IS: YOUR BUSINESS DOES: YOU SHOULD: LEVEL 4 Less than 20,000 e-commerce transactions per year Less than 1 million other transactions per year Complete an annual risk assessment using an SAQ LEVEL 3 20,000-1 million transactions per year Complete an annual risk assessment using an SAQ LEVEL 2 1-6 million transactions per year Complete an annual risk assessment using an SAQ LEVEL 1 6 million+ transactions per year Conduct an annual internal audit RISKY BEHAVIOR Merchants like you are at the center of payment card transactions, meaning it s imperative that you use established and standardized security procedures and technologies to thwart theft of cardholder data. Vulnerabilities can be found almost anywhere in a merchant s card processing system, including point-of-sale devices, personal computers, mobile devices and apps, servers and wireless hotspots. THREE STEPS FOR REACHING PCI COMPLIANCE 1. Assess identifying cardholder data, take an inventory of your IT assets and business processes for payment card processing and analyze them for vulnerabilities that could expose cardholder data. 2. Remediate by correcting vulnerabilities and not storing cardholder data unless you need it. 3. Report by compiling and submitting required remediation validation records (if applicable) and compliance reports to the merchant services provider and card brands you do business with. PCI compliance is an ongoing process. Once you achieve compliance, you must continually strive to maintain it. Think of it in terms of three steps: PCI COMPLIANCE: IT'S REQUIRED, AND IT'S GOOD FOR YOUR BUSINESS 4
ASSESSING PCI COMPLIANCE The "Digital Dozen" Whenever you complete an internal audit, risk assessment or PCI scan, your business is being evaluated according to the 12 control objectives outlined in the PCI DSS: Network Security Install and maintain firewalls in your web applications to protect cardholder data Create original system passwords and other security parameters (do not use vendorsupplied defaults) Data Protection Protect stored cardholder data Encrypt all transmissions of cardholder data Vulnerability Management Access Control Restrict business access to cardholder data on a need to know basis Restrict physical access to cardholder data Assign a unique ID to each person who has computer access Monitoring and Testing Track and monitor all access to network resources and cardholder data Regularly test security systems and processes Information Security Maintain a policy that addresses information security Develop and maintain secure systems and applications Regularly update the anti-virus software on all of your systems PCI COMPLIANCE: IT'S REQUIRED, AND IT'S GOOD FOR YOUR BUSINESS 5
MONITORING RISK & COMPLIANCE Data Breach Security from TSYS To help protect your business from the financial and reputational damage inflicted by a data breach, TSYS offers a data breach security program that s designed to help merchants meet the expenses resulting from a suspected or actual breach of payment card data. Features of our data breach security program include: Security is the foundation of reputable credit card processing. At TSYS, we take our responsibility to our merchants and their customers seriously. That s why we re committed to help keep you safe from the daily threat of data breach, credit card fraud and identity theft by working with you to achieve and maintain PCI compliance for your business. A forensic audit as required by the PCI DSS whenever a data breach is suspected to confirm whether a breach has actually occurred and to pinpoint vulnerabilities within the system. Industry fines and assessments met as required by PCI DSS in the event of an unintended breach of confidential customer information, regardless of how it happens. Issuer-related expenses that cover card replacements costs, credit monitoring and other expenses related to a breach. PCI COMPLIANCE: IT'S REQUIRED, AND IT'S GOOD FOR YOUR BUSINESS 6
To learn more: contact 888.845.9457 or visit tsys.com. twitter.com/tsys_tss facebook.com/tsys1 linkedin.com/company/tsys All trademarks contained herein are the sole and exclusive property of their respective owners. Any such use of those marks without the express written permission of their owner is prohibited. 2017 Total System Services, Inc. TSYS is a federally registered service mark of Total System Services, Inc. All rights reserved. TSYS Merchant Solutions is a registered ISO/MSP of Wells Fargo Bank, N.A., Walnut Creek, CA; Synovus Bank, Columbus, GA, and First National Bank of Omaha, Omaha, NE. TransFirst is a registered ISO/MSP of Wells Fargo Bank, N.A., Walnut Creek, CA; Synovus Bank, Columbus, GA; and Deutsche Bank, New York, NY; for Visa and Mastercard transactions only. TS6688f