This blog is the first of a 4 part series on PCI Compliance and PCI DSS for credit card accepting merchants. The blogs focus is on the compliance requirements and unique risks for level 3 and level 4 merchants – both B2B and retail, as defined by the PCI DSC.
Level 3 Merchant - Merchants processing 20,000 to 1 million VISA or MC e-commerce transactions annually.
Level 4 Merchant - Merchants processing less than 20,000 VISA or MC e-commerce transactions annually and all other merchant's processing up to 1 million VISA transactions annually
What is PCI Compliance?
PCI Compliance (Payment Card Industry) is the term coined by the PCI SSC or Payment Card Industry Security Standards Council when it was formed in 2006 by the top card brands in credit card processing. At present the council is comprised of VISA, MasterCard, American Express, Discover and JCB International. Compliance means the security and protection of all cardholder data, by any entity that accepts, processes or stores it. The cardholder data environment must also be secure to the standards defined by the council. It is an arduous task for any merchant in today's culture of cybersecurity.
This sensitive data is the credit card holders name, credit card number or PAN (Primary Account Number), CVV code and expiration date. In the late 70’s and early 80’s when I was in college working as a waitress, restaurants/and merchants had a book with a list of fraudulent or stolen/invalid cards. We were supposed to check the book with every transaction before running it through the credit card imprinter. Authorization was obtained via a phone call. I’m not kidding. Still, with no widespread personal computer use, and certainly no internet connectivity, the risks were small and merchants accepted and swallowed the occasional loss as a matter of business.
Fast forward to development of the internet and ecommerce that created new ways for merchants to sell goods and services and unfortunately, new ways for thieves to steal the sensitive credit card payment data used in these transactions, for fraudulent use or sale – en masse. In addition to all this, there is a growing need for increased security for brick-and-mortar/merchants as threats to POS systems, from both inside and outside vulnerabilities increase. As a result, the PCI SSC created a uniform approach to secure cardholder data and rein in fraud. Check out this cool SearchSecurity timeline infographic on the development of PCI Compliance below –
The basics of PCI Compliance (grounded in common sense security) and merchant level classifications have changed little since we rattled them off in our 2011 blog titled PCI. Still, NASI (North American Systems Int'l) created a simple matrix demonstrating the 12 core principles of PCI DSS here– we wish we could be so graphically inclined!
The principles outlined in the matrix are just the beginning of PCI DSS given the advent of on and off site servers, remote access, ERP and proprietary third party software, and countless hardware configurations that can be incorporated and interconnected, by any single business. In addition, a merchant cannot overlook the risk imposed by employees. It is easy to see that a credit card processing merchant using any combination of these myriad components that touch or access card holder data is markedly vulnerable to security breach. The current version of standards PCI DSS 3.1 will be retired on October 31, 2016 and the new, 139 page version PCI DSS 3.2, will be effective (required) on November 1, 2016.
PCI DSS are not a matter of federal law – see our blog PCI Data Security Standards and the Law. Still as we noted in the blog – individual states are taking matters into their own hands, some indeed requiring PCI DSS by law – and holding non-compliant merchants of any level financially responsible for a breach of cardholder data. Make sure you understand your responsibility in your state of incorporation.
It’s interesting to note that ramifications or penalties of non-compliance with PCI DSS resulting in a breach are determined by the individual payment brands and not by the Council. History dictates most fines directed at Level 1 and 2 merchants. Still, level 3 and 4 merchants can be penalized with card brand mandated stringent and expensive PCI compliance obligations (reclassification to a level 1 merchant) or worse, lose merchant status altogether and the privilege to process. A commerce killer.
We hear about large breaches – Yahoo is in the news just today, although they claim payment data was not compromised - but what about level 4 merchants? How much could possibly be at risk?
A lot. . Breaches cost reputations, money – and bankruptcy.
A 2016 Green Sheet article “Visa says Level 4 merchants must use PCI-accredited QIRs” asserts that 95% of breaches investigated by Visa in 2015 involved small and mid-size businesses, and 400 breaches investigated by the Secret Service in 2014 showed POS vulnerabilities, including “ improper payment platform set up and system maintenance”. The article also claims that 60% of small businesses that are hacked, "go out of business”. As a result of these statistics, Visa will be ratcheting up security requirements for the level 4 merchant, with an implementation goal of 2017. Just when we were getting over the pain of EMV chip card requirements (are we?)...
Stay tuned for the rest of the series – we’ll discuss SAQ’s, QIR’s, ASV’s and vulnerability scans, PCI scope, penetration testing, multi-factor authentication, the death of SSL, encryption, tokenization and all the rest.
In the meantime – what can you expect from your merchant account provider or Acquirer? At a minimum – alerts as to changes in PCI DSS including POS criterion, clarification as to your merchant level, assists in SAQ completion, and automated scans. You are undoubtedly paying a monthly fee called PCI Compliance for this service. Merchants who don’t avail themselves of the service or requirement are typically charged larger fees for non-compliance. Check, no read, your monthly statements. Call us, at 800-346-1090.
It’s important to remember that PCI DSS are guidelines and don’t in fact, guarantee complete security of cardholder data by any stretch (Target was considered compliant when breached). Compliance however, can go a long way in protecting the payment processing merchant against the constantly evolving security threats made possible by the remarkable cyber connectivity of today’s businesses, and the losses incurred due to a laissez-faire approach. Be diligent. It is YOUR customer’s data you are being entrusted with.