If your organization is in the business of accepting credit card payments, you know you need to be compliant with the standards set out by the Payment Card Industry Security Standards Council, and you should know what’s required of you. Now it’s time for the nitty-gritty: what do you actually need to do to make sure your company is PCI compliant?
Get on the Level
PCI compliance is required by the major credit card brands, including Visa, MasterCard, and American Express. The exact requirements depend partly on which card brands your business accepts and how many transactions you process annually. For example, if your company processes up to 1 million Visa transactions in a year, you’d be considered a Level 4 merchant. MasterCard, on the other hand, considers organizations with the same volume of transactions to be Level 3 merchants. Your level helps determine what paperwork you’ll need to submit to show compliance.
The next step is to determine which Self-Assessment Questionnaire (SAQ) you need to submit. The SAQs vary based on how and where you accept payments: a vendor selling in a physical store submits a different SAQ from one selling online, and different types of online stores have different SAQs. The questionnaires are labelled A through D.
Assessing Your Compliance
Once you’ve determined which SAQ you need to use, you fill out the questionnaire to assess your compliance. The SAQs contain anywhere from 14 to 347 questions, depending on the version. Some vendors also need to submit quarterly external scans and must select an outside organization known as an Approved Scanning Vendor (ASV) to perform them. Organizations are required to submit “clean” scans, meaning scans free of any vulnerability that would cause the scan to fail. Once this is all finished, you submit the paperwork to verify that your business is PCI compliant. Many organizations choose to run their scans well before the end of the quarter so that they have time to fix any vulnerabilities and complete the necessary rescans.
What It Takes
Any merchant who wants to accept payment by MasterCard, Visa, American Express, or another major credit card will need to be PCI compliant. The latest version of the Data Security Standard has 12 core components, which include maintaining a secure network, monitoring and testing systems, implementing strong access controls, maintaining information security policies and vulnerability management systems, and protecting cardholder data. Each of these objectives can be broken down into smaller steps that make it easier for businesses to see exactly what they need to do to achieve PCI compliance.
How Compliance Can Be Made Easier
Many of the businesses that need to be PCI compliant are small merchants—local shops and independent retailers—not just the big chains. Many e-tailers, especially smaller businesses that have their store set up through third parties, will need to submit quarterly scans and engage an ASV. Even large retailers may find the demands of compliance enormous, especially as they’re required to submit scans and answer lengthy questionnaires. Small retailers in particular will find it difficult to meet those demands, whether because of labour constraints or the costs involved.
One way businesses can ease the compliance burden is by using compliance management software. These programs are designed to monitor not only changes in legislation and standards, but also your own systems and processes, to ensure your organization stays compliant. Small businesses especially will find this useful, as the program takes over much of the system monitoring. Adding a vulnerability management system as well can identify ways that processes can be improved.
Want help to be PCI Compliant?