Are You PCI Compliant?
NCR Compliance Newsletter:
Please follow the links below for the most current Compliance Newsletters from NCR
Compliance Newsletter - May 2012
Compliance Newsletter - January 2012
Compliance Newsletter - October 2011
Compliance Newsletter - June 2011
Compliance Newsletter - March 2011
Compliance Newsletter - December 2010
Compliance Newsletter - September 2010
Compliance Newsletter - January 2010
Frequently asked questions about PCI DSS compliance
- What exactly is PCI DSS compliance?
- The acronym stands for “Payment Card Industry Data Security Standard” which sounds pretty much like what it is – a set of requirements mandated by the payment card industry that all merchants who process credit card payments are required to comply with.
Specifically, the PCI Security Standards Council has developed a set of twelve requirements that merchants must implement and follow.
- What’s the purpose of PCI compliance?
- To protect customer credit card information.
- Who does PCI compliance apply to?
- Any merchant who accepts and processes credit card payments.
- Wait. Any merchant? We’re just a small mom-and-pop shop!
- Yes, any merchant who processes credit card payment transactions must be PCI compliant. Remember, you’re just as liable for a data breach as a big retailer would be.
- If I don’t store credit card data, does PCI apply to me?
- Yes, it does. If you own the merchant ID, then you should assume that you are responsible for maintaining PCI compliance. While you may not store credit card data, you still perform credit card transactions. Credit card data “in flight” is just as important to protect and secure, so you must ensure there is no leakage of data through unsecured networks.
More importantly, you need to make sure that you are protected from the inside, where breaches occur more often than from the outside. This is one reason why PCI compliance is about complete store security, not just isolating credit card transactions.
- Isn’t my technology provider liable for such breaches?
- No, the burden of liability falls squarely on the merchant. It is the merchant’s responsibility to secure the technologies they directly and indirectly use to handle customer payment transactions.
- Why are some retailers under the impression that PCI compliance is covered by their technology providers or credit card processors? I’m getting mixed information.
- There are too many moving parts between deadlines, devices, and communication infrastructure. Some retailers may mistakenly believe someone else has the ball or are confused about liability and handoff issues with their credit processors. But if a breach of cardholder data occurs, it is the retailer who is liable. The retailer would have to prove the breach did not occur at its location or corporate office, which would be difficult for a retailer who is not PCI compliant to do.
- When is the deadline for PCI compliance?
- All applicable merchants are expected to be in compliance now. Additionally, it’s a mandatory requirement, not voluntary.
- What happens if you’re not compliant? What’s the risk associated with non-compliance?
- Put simply, there’s a lot of money at stake, from industry fines to permanent damage to your company’s brand in the event of a data breach. In addition to heavy industry fines, state governments are getting involved, too. Texas, Minnesota, and California were all early movers in developing legislation to shift liability to the merchant. If you do business in any state with related legislation, PCI compliance is not just an industry mandate; increasingly, it is also a matter of state law. Fines and repercussions in such states will generally be more severe in the event of a breach.
Points for consideration:
TJ Maxx stores’ parent company is an often-cited example of a major data breach. According to an Information Week article, more than 45 million card numbers were stolen from its IT systems. The article also stated that “the company recorded a fourth-quarter charge of about $5 million to cover the costs of containing and investigating the breach, as well as improving the security of its IT systems, communicating with customers, and paying legal fees.”
According to a study published in 2009 and covered in the Washington Post article “Data Breaches More Costly Than Ever,” organizations that suffer a data breach pay on average $6.6 million to rebuild their images and keep customers.
The same study recounts how one firm that experienced a data breach also took a hit on Wall Street, with its stock price falling 42% the day after the data breach was disclosed.
So PCI DSS should really be considered a business requirement, regardless of the fact that it’s also an industry mandate.
- What can happen to my customers if a data breach occurs in my business?
- Consumer identities can be illegally bought online for as little as $14 – including credit card numbers, social security numbers, date of birth, and more. A carefully built credit history can be ruined in a matter of hours, bank accounts wiped out, and more. It can literally take years for consumers to deal with a stolen identity incident.
- Are merchants ever audited for PCI compliance?
- Yes, by industry-certified “Qualified Security Assessors.”
- How important is it to have an independent person verify that my systems are PCI compliant?
- Generally speaking, it is a good idea to have someone check the state of compliance for your business after you put solutions in place. If you are a smaller business, then you should work with a firm that has sufficient security expertise to ensure compliance. Verifying compliance need not be an expensive process.
- So once I’m PCI compliant, I’m done, right?
- You are never done with PCI compliance; it’s a routine, day-to-day process and policy. For example, maintaining activity logs, being able to fix your systems, regularly tracking activity, and noticing when something looks suspicious are not one-time events. The day you become fully compliant is the beginning of the next cycle of compliance. However, automating these processes and alerts greatly minimizes interruptions to your business operations, and makes maintaining compliance much easier than you might expect.
- Is there any one solution that takes care of all 12 requirements for PCI compliance?
- To our knowledge, no. Again, that’s because some of the requirements are broader, policy-based guidelines. However, ATC can certainly walk you through all 12 requirements and explain which ones can be handled with software solutions.
- Aside from the broader requirements, which tools are necessary to “achieve and maintain” PCI compliance?
- At a minimum, a good PCI compliance solution should:
Perform vulnerability scanning and alerting
Automate software patching
Provide a help desk or other type of system to support incident resolution
Provide a system that measures and demonstrates efforts towards compliance
Maintain auditable event and activity logs to demonstrate compliance
- How do I demonstrate I’m PCI compliant? Who do I demonstrate it to?
- The PCI Security Standards Council has certified certain security companies as “Qualified Security Assessors.” Essentially, these entities audit and verify whether you’re in compliance. What they require from you is proof that you’re following the twelve requirements for PCI compliance. You can provide this proof with system logs, reports, and Self-Assessment Questionnaires. Additionally, you’re required to submit quarterly scan reports from an Approved Scanning Vendor (ASV) to your acquiring bank and the card payment brands it does business with.
Businesses with larger transaction flows must complete an annual on-site assessment by a PCI-approved QSA and submit the findings to each acquirer. Businesses with smaller transaction flows may be required to submit an annual Attestation of Compliance as part of the Self-Assessment Questionnaire.
- How do I get PCI compliant?
- The payment card industry outlines 12 basic requirements for PCI compliance. Some are very specific, for example, the requirement to deploy and regularly update anti-virus protections. Others are far broader, like the requirement to “maintain a security policy that addresses information security.” Additionally, many of the requirements are continuous, not just one-time tasks.
So with these factors in mind, becoming and staying PCI compliant depends on your approach. For larger retailers, multipurpose solutions like OmegaManager and OmegaSecure can accelerate and maintain PCI compliance more efficiently than using a patchwork approach of different solutions from different vendors.
For small to midsize merchants, many PCI compliance security and documentation processes can be automated by subscribing to a hosted service like OmegaSecure. With the latter, most of the work is done for the retailer at an affordable subscription fee.
- Where can I find the PCI Data Security Standards (PCI DSS)?
- The twelve requirements can be found on the PCI Security Standard Council’s Website: https://www.pcisecuritystandards.org/security_standards/pa_dss.shtml.
- Which teams within a typical merchant organization are responsible for PCI compliance?
- Ultimately, the correct answer should be: everyone. The PCI DSS covers a wide range of technical and non-technical processes, so there is a little something for every department. For example, the IT department might own the requirement to “Build and maintain a secure network,” but the Operations department might be the one to “Restrict physical access to cardholder data.” However, that doesn’t mean that you have to deploy a specific technology solution for each department. ATC’s multipurpose solutions can be used by many departments to handle a number of PCI compliance, security, and systems management functions.
- We have a tremendous number of IT projects on our plate, and PCI compliance is at the bottom of the list. Why should that change, when we’re unlikely to get a breach, and it’s probably cheaper just to pay the fines than to spend all the time and money being PCI compliant?
- Paying fines for non-compliance and/or a breach may sound like an option you can live with, but it clearly is not. Fines are steep and non-compliance may also result in losing your ability to accept credit cards as a merchant. It also affects your brand – the damage control costs can be very significant. In the end, the PCI compliance standards are all about protecting your business and everything it represents to you, your employees, and your customers. Although achieving and maintaining PCI compliance is not an overnight process, it is a lot cheaper to implement these practices and processes than to leave it to chance.
- I’d feel a lot better about PCI compliance if I knew it delivered some real benefits to my bottom line. Does it?
- Indeed it does. PCI can be viewed as a way to improve operational efficiencies. For instance, by automating the process of applying patches or configuration changes to your store systems, you not only minimize system downtime but also improve efficiency—because now your IT employees won’t have to make trips to individual stores to do these updates manually. That’s just one example of an automated process. Ultimately, implementing the requirements of PCI can help you proactively become more efficient, which helps you go up the revenue curve and down the cost curve.
- I’ve still got questions about PCI compliance and I’m not sure where to go from here.
- There’s so much information about PCI compliance on the Internet, you might feel overwhelmed trying to sift through it all. If you’d like to talk to a live expert who can really simplify the subject for you, we invite you to call ATC. There’s no obligation. Schedule your complimentary consultation here.