When you purchase an item, you may not think twice about handing over your credit card. But with credit card fraud and identity theft happening to more than 10 million Americans each year, you need to make sure your information is secure.
The Payment Card Industry Data Security Standard (PCI DSS), first released in 2004 (version 1.2 followed in 2008), is a group of 12 broad requirements, 61 processes and 148 sub-processes that define what companies accepting credit card transactions need to do in order to protect the security of cardholders’ information.
“Businesses are required to demonstrate their compliance, depending upon the quantity of credit card transactions they process, and the nature of the technology they use to process those transactions,” says Michael R. Dickson, CPA, CISA, CISM, director, Business Technology Group, GBQ Partners LLC.
If you’re a large merchant (Level 1), you’ll be required to submit to a third-party assessment of your PCI compliance, performed by a Qualified Security Assessor (QSA) and documented in a Report on Compliance. Smaller organizations (Levels 2-4) may engage a third party to assist them in completing the annual self-assessment questionnaire, and the quarterly external vulnerability scans that all levels need must be run by an Approved Scanning Vendor (ASV).
Smart Business spoke with Dickson about the PCI-DSS and how to make sure your company is compliant with these standards.
How does PCI-DSS affect businesses?
The major credit card issuers developed the standards. Their vested interest in securing cardholder data and the merchants who use their cards is to reduce fraud and prevent financial losses. Initially, each of these institutions developed its own standards. They were all similar and aimed at protecting the privacy of user information, but each had its own specific way of communicating and enforcing these rules. PCI-DSS was designed to be adaptable to all brand institutions, so a business can be confident that, if it is following these particular standards, it is in compliance with all bank rules.
The qualified assessments or self-assessments required for compliance give information about your organization and how you conduct business with your customers. The requirements are based on your size, the nature of your technology, and how you actually process cards.
What are some key things you need to understand about being PCI-DSS compliant?
Non-compliance has consequences. Many businesses, especially smaller ones, take a rather casual approach to compliance. Oftentimes, someone in the IT department will print off a form and check a bunch of boxes to say they are in compliance with the requirements, but won’t go into detail about how they do it. The business owner then signs the form without really understanding what the requirements are, and how well their organization is doing at meeting the requirements. There’s a big risk for companies that take shortcuts. Consequences include potentially huge fines and the costs of notification, not to mention the damage to a company’s reputation and revenue stream that can result from a breach in customer credit card security.
More than 38 states have laws protecting consumers from data and privacy breaches, and PCI compliance is the de facto standard for best practice in credit card protections.
There are no proactive enforcement mechanisms, unless a brand merchant chooses to react to a filing that has been submitted because it thinks the filing is substandard.
If your merchant is not satisfied with the quality of your filings, and generally deems you to be a higher risk than its other customers, it may require a third-party assessment, or may even re-negotiate your fee structure or revoke your right to process credit card transactions through its institution. The biggest risk of non-compliance is if you have a breach and someone gains access to your information, or someone inside your organization sells or publishes it. The cost of dealing with lawsuits, insurance claims, canceled accounts and a damaged reputation can and will be significant.
How do you become compliant?
The first thing you have to do is determine what level of merchant you are. If you process fewer than 20,000 e-commerce transactions a year, you would be considered a Level 4 merchant, and can report annually on a self-assessment questionnaire. The criteria get tougher as you go up. A Level 1 merchant processes over six million transactions a year, and is required to engage a third party to complete the compliance assessment workpapers.
The second step is to perform an assessment of your technology environment to see how it measures up against a list of PCI specifications. Again, there are 12 high-level requirements, 61 different key processes, and 148 specific inquiries relating to those processes. For each of the requirements, it is advisable to have documentation of how your organization complies. This documentation should be detailed enough to clearly explain the technologies that are in use, but it also should be clear and concise so that executive management, who must sign an attestation of compliance, can understand what the requirements are and what specific solutions your company has implemented to address each inquiry/risk. For each requirement for which you don’t have a procedure or technology in place to mitigate the risk, you are required to demonstrate knowledge of the specification you’re not performing, and explain why the other things you’re doing (i.e., compensating controls) meet the same objective. Ultimately your bank will determine if you’re in compliance or not. It wants to see that you’ve designed new processes and procedures, or that you’ve implemented the procedure that didn’t exist.
What are the benefits of compliance?
Your systems and data will be safe and secure, you’ll have a low risk of any adverse consequences occurring, and the customers’ trust you’ve built up over the years won’t be shattered in an instant by a careless lack of attention to detail when securing your cardholder data computing environment.
Michael R. Dickson, CPA, CISA, CISM, is the director of the Business Technology Group at GBQ Partners LLC. Reach him at (614) 947-5259 or firstname.lastname@example.org.