How to Comply With the New Payment Card Industry Data Security Standards
The new Payment Card Industry (PCI) standards, which recently went into effect, are meant to help merchants beef up their data-security practices to better protect their customers’ credit card information — a commendable endeavor, indeed. But figuring out how to actually comply with the standards has left many merchants scratching their heads. Following are the answers to frequently asked questions about the standards.
What is PCI? It’s a new, unified set of data-security standards from Visa, MasterCard, American Express and Discover card companies. Until this year, each card company had its own data-security standards. PCI, then, is a way for merchants to complete one data-security auditing process annually, and have that process be recognized by all the major card companies.
Who is expected to adhere to the new standards? Any merchant or service provider that stores, processes or transmits credit cardholder data is expected to comply with the new PCI standards. This applies to catalogers, etailers and brick-and-mortar retailers. The necessary steps you must take depend on how many credit card transactions you process annually.
The standards have been passed down by the card associations to acquiring banks, such as First National Merchant Solutions and Litle & Co., both of which count many catalogers and etailers as clients. The acquirers, in turn, are mandated to ensure their clients/merchants comply with the PCI standards.
Why was PCI instituted? It’s intended to help protect both consumers and merchants from data-security breaches. Its purpose is to unveil to merchants the vulnerabilities in their credit card processing methods, and to encourage them to fix such problems before hackers and criminals discover them.
Is the auditing process mandatory? Yes, for all merchant levels except Level 4, which is done at the discretion of the merchant’s acquiring bank, says Bob Botelle, vice president of customer service at Litle & Co., Lowell, Mass.
What exactly are the requirements? Following are the 12 PCI standards:
1. Install and maintain a firewall configuration to protect data.
2. Don’t use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored credit card data.
4. Encrypt transmission of cardholder data and sensitive information across public networks.
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to data by “business need-to-know.”
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.
Each of these 12 requirements has several subcategories of compliance procedures. For example, to comply with requirement No. 3, you must not store sensitive authentication data (e.g., card-validation codes) after authorization has been given. You must mask customers’ full credit card numbers when they’re being displayed across your contact center (the last six or four digits can be displayed). And you must render cardholder data unreadable wherever it’s stored, including on your nightly backup tapes.
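The three requirement No. 3 controls just described, worked as an added example that is not from the article or from any vendor named in it: the record layout, the log line and the HMAC key are all constructed for illustration, and the card number is the common 4111… test value rather than a real account.

```python
import hmac
import hashlib
import re

# Constructed sample record, as an order system might hold it right after
# authorization. The PAN is a well-known test number, not a real card.
AUTHORIZED_RECORD = {
    "order_id": "A-1001",
    "pan": "4111111111111111",
    "cvv": "123",           # card-validation code: must not survive authorization
    "auth_code": "Z7Q2",
}
# Constructed log line of the kind a contact-center or batch job might write.
SAMPLE_LOG = "2005-04-11 order A-1001 card 4111 1111 1111 1111 auth Z7Q2 ts 20050411123000"

def mask_pan(pan: str) -> str:
    """Display form for screens and reports: only the last four digits stay visible."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]

def sanitize_after_authorization(record: dict, key: bytes) -> dict:
    """Copy safe to write to disk or backup tape: the CVV is dropped and the PAN is
    replaced by its masked form plus a keyed one-way reference (HMAC) for matching."""
    safe = {k: v for k, v in record.items() if k != "cvv"}
    pan = safe.pop("pan")
    safe["pan_masked"] = mask_pan(pan)
    safe["pan_ref"] = hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()[:16]
    return safe

def luhn_ok(digits: str) -> bool:
    """Luhn check digit; separates card numbers from order ids and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_unmasked_pans(text: str) -> list:
    """Scan free text (a log, a report export) for full card numbers that should
    have been masked or encrypted before they reached storage."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits
```

Running `find_unmasked_pans` over nightly backup exports and contact-center logs is a cheap way to check that the masking and post-authorization purge actually hold in practice.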
To retrieve the 12-page PDF that outlines in detail all of the new requirements, ask your acquiring bank, or visit www.visa.com and type into the search field: “Payment Card Industry Data Security Standards.” Or scroll to the bottom of this article, where we’ve posted links related to PCI.
What is the questionnaire I’m supposed to complete? If you’re a Level 2 or 3 merchant (see the “Determine Your PCI Level” chart at the end of this article), your acquiring bank requires you to complete the 10-page PCI Self-Assessment Questionnaire. Level 4 merchants complete the questionnaire only if required to do so by their acquiring banks. The questionnaire is not required of Level 1 merchants.
The 75 questions you’ll find in the questionnaire are grouped under the 12 PCI standards. For example, the following questions are listed under requirement No. 8 (assign a unique ID to each person with computer access):
- When employees leave the company, are those employees’ user accounts and passwords immediately revoked?
- Are all passwords on network devices and systems encrypted?
- Are all user accounts reviewed on a regular basis to ensure that malicious, out-of-date or unknown accounts do not exist?
You will answer each question with either “yes,” “no” or “N/A.” If you answer “yes” to all questions, Botelle says, you need do nothing else. But for any question that you answered “no,” you must fix the problems the questionnaire has brought to light in order to be compliant with the new regulations, he adds.
Ask your acquirer for the Self-Assessment Questionnaire, or download the document from www.visa.com. Or scroll to the bottom of this article for the link to the questionnaire.
Botelle advises his merchant clients to give their information technology personnel the questionnaire with instructions to answer the questions honestly. “We’ll then work with the merchant and an outside auditor to determine the best way to fix those problems,” he says.
Many of the requirements involve common sense, Botelle continues. “For example, do criminal background checks on employees who take and can view customers’ credit card numbers. And keep credit card numbers in locked rooms to which only managers have keys.”
What about the quarterly online scans? As part of the compliance process, Level 1, 2 and 3 merchants must have all of their external IP addresses scanned quarterly for vulnerabilities. (The scanning process is recommended, but not required, of Level 4 merchants.) The Network Security Scans must be conducted by a third-party compliant security-scanning vendor. Ask your acquirer for the list, or scroll to the bottom of this article for a link to the list.
The scan results are meant to show a merchant where its patch management and other security measures stand, so that it can shore up whatever is needed to thwart Internet hackers.
Why is it important that merchants take the new standards seriously? “If a merchant’s system gets hacked into, the PCI fines are passed through to them by the acquiring bank,” Botelle says. And such fines can be so stiff they may actually put some merchants out of business, he notes.
Moreover, if you can’t or won’t comply with the regulations, the acquirer may stop servicing your business, or it may hold a higher reserve to cover the fines and penalties it would incur on your behalf. “The liability can be overwhelming,” Botelle says.
Paul Garcia, vice president of risk management at First National Merchant Solutions, an Omaha, Neb.-based acquiring bank, says the biggest reason to comply is to protect your company’s reputation. “Consumer confidence is shaky, given the recent news of so many [data-security] breaches,” he explains. “Your brand image is on the line if vulnerabilities in your data-security systems are uncovered.”
What steps should merchants take in the compliance process?
- Raise awareness in your company about PCI. “Some companies have not made PCI a priority across their entire enterprises,” Garcia says. “Not everyone has fully embraced it yet.”
- Inventory your hardware, software and payment-processing procedures. This will give you a better understanding of how you can adhere to the PCI standards, says Paige Rivard, manager of client services for First National Merchant Solutions.
- “Enlist the services of a qualified data-security company as soon as possible to help with the auditing and compliance process,” Rivard notes. Ask your acquirer for a list of PCI-program-approved, data-security vendors.
- Most importantly, don’t panic. Botelle advises, “Take a step back and look at your systems through the questionnaire’s eyes. Oftentimes merchants find they need to reinstitute a procedure they once had in place, for example, encrypt credit card data. Sometimes a merchant just needs to redefine a procedure.”
What are the usual challenges to compliance?
- Time: Garcia says many merchants underestimate the time needed to complete the internal auditing process. The timeframe depends on the size of your operation, how old or complex your computer systems are, your current payment-processing techniques and other variables, he notes. “But an intrusion that compromises your system,” he continues, “would take much longer to resolve than the upfront compliance process.”
- Systems: Says Botelle, “If you have an old mainframe or other legacy systems, becoming compliant can turn out to be a big process.”
What are PCI’s benefits to merchants? The auditing process shows your company’s vulnerabilities to threats from the outside world, Botelle says.
Are there any technologies that can help? Ask your commerce management software provider if it offers any modules that can help you comply with the regulations. Commerce management software provider CommercialWare, for example, recently released updated versions of its CWDirect, CWStore and CWCollaborate solutions that reportedly give merchants the ability to further encrypt credit card data, cloak credit card numbers, remove card security numbers after authorization, and produce an audit trail of when card data is viewed. For more, visit www.commercialware.com.
Who can offer more assistance? Your primary assistance should come from your acquiring bank. A word of caution: the new standards may put an enormous strain on the industry’s acquiring banks. However, two of them, First National Merchant Solutions and Litle & Co., seem highly prepared to help their clients through the auditing process.
For example, for its clients Litle & Co. set up a special Web portal that offers more information on PCI standards. “Clients can log on, plug in their external IP addresses, take the questionnaire, and their information is automatically submitted to an auditor who reviews it,” Botelle explains. “We negotiated an inexpensive rate for this service for our clients. Our clients must use this service, so we’ve made it as easy to use as possible for them. And this way, we also know the status [of their PCI compliance].”
In the end, Botelle puts the new standards in a positive light for merchants: “The PCI process has strengthened the relationships between merchants and acquirers. The acquirer now needs to better understand the merchant’s business.”
Determine Your PCI Level
Level 1:
- Any merchant, regardless of acceptance channel, processing more than 6 million Visa or MasterCard (MC) transactions per year
- Any merchant that has suffered a hack or an attack that resulted in an account data compromise
- Any merchant that Visa or MC (at its sole discretion) determines should meet the Level 1 merchant requirements to minimize risk to the Visa/MC system
- Any merchant identified by any other payment card brand as a Level 1
Level 2:
- Any e-commerce merchant processing 150,000 to 6 million Visa or MC transactions per year
- All merchants exceeding the Level 2 criteria of a competing payment brand
Level 3:
- Any e-commerce merchant processing 20,000 to 150,000 Visa or MC transactions per year
- All merchants exceeding the Level 3 criteria of a competing payment brand
Level 4:
- All other merchants, regardless of acceptance channel
Source: First National Merchant Solutions