No matter what type of business you are in, you'll need to take payments from customers at some point. In many cases, these customers will prefer to pay with a credit or debit card, thanks to their convenience, ease of use and benefits for the business. In processing these payments, you'll want to ensure that your customers' sensitive financial data is as secure as possible.
As data breaches and identity theft continue to make the headlines, online security is more important than ever before. As a merchant, you are required to abide by the Payment Card Industry Data Security Standard (PCI DSS). Following these rules not only protects your customers but also protects your business by reducing the likelihood of fraudulent purchases. Here's what you need to know about PCI compliance for your business.
Levels of PCI Compliance
The compliance requirements vary depending on the size and scope of your business. This is broken down into four merchant levels:
- Level 1 - Any business processing more than 6 million credit card transactions per year falls into this category. The level also includes businesses that have experienced a data breach in the past. An independent security assessor evaluates compliance annually for validation. The business is also required to complete quarterly network scans.
- Level 2 - Businesses processing between 1 and 6 million card transactions each year receive Level 2 designation. These businesses will need to complete an annual PCI self-assessment questionnaire and quarterly network scans to validate compliance.
- Level 3 - Level 3 businesses process between 20,000 and 1 million credit card transactions annually. As with Level 2, an annual self-assessment and quarterly network scans are required to validate compliance.
- Level 4 - This level is for those businesses processing fewer than 20,000 credit card transactions per year. At this level, compliance validation is not required but strongly recommended. Businesses must still be in compliance with PCI requirements, even if they choose not to validate.
PCI Compliance Requirements
PCI breaks down the compliance requirements into six primary categories. All requirements must be met in order to maintain compliance.
Build and Maintain a Secure Network
Every business that processes credit card payments must have firewalls in place to protect financial data. Firewalls should be updated and maintained regularly to ensure that they protect against the latest online security threats. When it comes to network security, never keep the vendor-supplied default passwords for network access. Passwords should be complex, incorporating uppercase and lowercase letters, as well as numbers and symbols. You should also change your passwords periodically to minimize security risks.
Protect Cardholders' Data
Any cardholder data that your business stores needs to be secured. Furthermore, all transmissions of cardholder data need to be encrypted to prevent theft of the data in transit. Encryption procedures should be reviewed and updated regularly so that they keep pace with the latest developments.
Maintain a Vulnerability Management Program
All computer systems in your business should be equipped with anti-virus software to protect against data breaches. Any proprietary software or systems should be developed and maintained securely as well. Software should be patched frequently to protect against new viruses and vulnerabilities as they are discovered.
Implement Strong Access Control Measures
All access to customer financial data should be on a need-to-know basis, meaning that only those who truly need access should be granted it. Each user who has access to this data should have a unique user ID to enable usage monitoring.
Regularly Monitor and Test Networks
All access to customer data should be monitored so that misuse, including by insiders, can be detected. All security systems and processes should be tested frequently to ensure that everything is working as it should.
Maintain an Information Security Policy
Your organization needs to have a policy in place outlining how you will handle network and data security. All employees should be aware of and understand the policy so that they can abide by the standards set forth in it.
Maintaining PCI Compliance
If this all seems a bit overwhelming, that is perfectly understandable. As technology continues to advance and attackers become more sophisticated, it is likely that the requirements for PCI compliance will continue to become even more complex. To help your business maintain compliance, even as the rules continue to evolve, PCI compliance software, such as ZenGRC by Reciprocity, can be incredibly helpful.