B2B ecommerce was already expanding rapidly coming into 2020, but COVID-19 has only accelerated the trend. According to McKinsey, 66% of B2B leaders now believe ecommerce solutions are essential, up from 48% pre-COVID.
If your B2B or consumer business accepts card payments—whether it is one or thousands—you must abide by the rules implemented by the PCI DSS. Credit card security regulations can be confusing but are essential to understand. Read on to see many of the most common questions answered.
What is PCI DSS?
It stands for Payment Card Industry Data Security Standard. This is a security standard that is in place for all businesses and organizations that handle cardholder information. It is designed to ensure that all merchants process, transmit, and store card details in a secure environment. The aim is the reduction of credit card fraud that is so frequently caused by data exposure.
The first version of PCI DSS was released in 2004, when MasterCard, Visa, American Express, Discover, and JCB aligned their individual security policies to create the Payment Card Industry Data Security Standard. Since then, PCI DSS has been updated regularly, with the most recent version, 3.1, released in April 2015.
Does PCI concern me?
If your customers ever pay for your products or services via debit or credit card, whether online or physically, then yes, you do need to be concerned with PCI—even if you only accept credit cards over the phone. PCI is relevant to any merchant or organization that handles cardholder data, including the acceptance, transmission, and storage of such data.
Many business owners mistakenly believe that PCI does not apply to small companies. This is definitely not the case. It doesn’t matter how many types of cards you accept or how frequently you engage in these types of transactions, PCI is a must.
What is cardholder data?
Sensitive Authentication Data must be protected. This includes PINs, CVV2, and full magnetic stripe data. Aside from this, the full Primary Account Number and the service code, expiration date, and cardholder data count as cardholder data.
What are the PCI DSS requirements?
The most recent PCI DSS requirements are separated into six general principles, with each principle featuring at least one requirement. At present, there are 12 requirements that need to be followed. From firewalls and changing passwords to masking your IP with a VPN, there are many security steps businesses must consider. These are outlined briefly below:
Build and maintain a secure network.
- You need to defend cardholder data via the induction and maintenance of a firewall arrangement.
- You should not employ vendor-supplier defaults for safety parameters, such as system passwords.
Protect cardholder data.
- Collected cardholder details need to be protected.
- The transmission of cardholder data across public and open networks must be encrypted.
Uphold a vulnerability management program.
- You must utilize antivirus software and this needs to be updated frequently.
- Secure applications and systems must be developed and maintained.
Put powerful access restriction rules in place.
- Business need-to-know must be practiced to make certain access to cardholder data is limited.
- Every individual with computer access needs to be assigned a unique ID.
- Physical access to cardholder data should be restricted.
Monitor and test networks on a frequent basis.
- Access to cardholder data and network resources must be tracked and monitored.
- Security processes and systems must be tested regularly.
Maintain an information security policy.
- You must maintain a policy that addresses information security.
Are any elements of PCI compliance voluntary?
Unfortunately not, it is all mandatory. If you transmit, process, or store cardholder data, you need to comply with all of the PCI standards. This is why IT strategy is more important than you think. You’ll need an expert approach to ensure you’re compliant.
What will happen if I do not comply with PCI?
You are likely to face large fines, brand damage, costly audits, and card replacement costs, which can be difficult for any business to absorb. PCI is not a law, yet it is implemented by major card brands.
What are the penalties for non-compliance?
There is no official publication regarding penalties. However, the acquiring bank is fined and then this is passed onto the offending merchant. Not only this, but your transaction fees will increase if you still manage to hold onto your relationship with the bank, as the bank may terminate your contract.
How much does PCI compliance cost?
This depends on your business and your Merchant Level (see below).
What is the point of PCI?
PCI has been designed to ensure that customers are protected from the likes of fraud and identity theft, which is rife at the moment.
If I outsource card processing, do I need to be concerned with PCI?
Yes. First, you need to make sure that the third-party processor you are utilizing is PCI compliant. Second, you need to be compliant yourself, as you will still be handling card data at some point, i.e. ,when you accept the payment or when you process a return.
Does PCI only apply to credit card transactions?
PCI DSS relates to all types of cards, including credit cards, debit cards, and pre-paid cards, from the five main card brands that established the industry-standard: Visa, MasterCard, JCB American Express, and Discover.
What do I have to do to satisfy the PCI requirements?
As a small-medium business owner (or possibly COO or controller in a larger enterprise), it is your responsibility to first decipher what Self Assessment Questionnaire (SAQ) is applicable to your business. There are different questionnaires to choose from.
Once you have determined which SAQ you need, you then need to fill it out in accordance with the instructions. After this, you should complete the relevant Attestation of Compliance and submit the SAQ and Attestation of Compliance.
You may be asked to submit extra documentation as well in some cases. Moreover, some merchants are required to complete a vulnerability scan, after which they need to supply PCI with evidence of this. You must ensure that this scan is completed with a PCI SSC Approved Scanning Vendor.
Can I do my own Self Assessment Questionnaire?
Yes. But, if you are unsure, it is advisable to seek outside assistance.
What PCI compliance ‘Merchant Level’ am I?
The PCI DSS outlines four merchant levels, and you will fall into one of these categories. The levels are determined based on the volume of Visa transactions over a year:
- Merchant Level 1 is for any merchant that processes in excess of six million Visa transactions per annum.
- Merchant Level 2 is for anyone that processes between one million and six million Visa transactions per annum.
- Merchant Level 3 applies to those that process between 20,000 and one million Visa e-commerce transactions per year.
- Finally, Merchant Level 4 is for any merchant that processes less than 20,000 Visa e-commerce transactions per annum as well as all other merchants that process up to one million Visa transactions per year.
Breaking this down in a simpler manner…
- Do you process more than 6m Visa transactions, across any channel, per year? If so, you fall into the Merchant Level 1 category.
- Do you process between 1m – 6m Visa transactions, across any channel, per year? If so, you fall into the Merchant Level 2 category.
- Do you process less than 1m Visa transactions, across any channel, per year? If so, you fall into the Merchant Level 4 category.
- Do you process between 20,000 – 1m Visa transactions, e-commerce only, per year? If so, you fall into the Merchant Level 3 category.
- Do your process fewer than 20,000 Visa transactions, e-commerce, only per year? If so, you fall into the Merchant Level 4 category.
Do I need to carry out the SAQ separately for each of my business locations?
In most cases, you only need to validate PCI compliance once if your business locations process under the same tax ID.
Is a vulnerability scan necessary for compliance?
This is dependent upon the Self Assessment Questionnaire you qualify for. This is software that looks for vulnerabilities in your system and is required once per quarter for those that are applicable.
How do I report someone that is violating the PCI DSS?
The first thing you should do is reach out to the organization or merchant that is failing to be compliant. There is a high chance that they may not be aware of their actions and the implications of their lack of security, so it’s always a good idea to give them the chance to put the situation right themselves.
What if the merchant or organization still fails to comply? In this case, you will need to take action, as the individual in question is knowingly breaching the rules of PCI and making no effort to put this right.
There are two approaches you can take. The first is to report the violation directly to the credit card processor the company uses. However, if you don’t know what this is, go directly to the credit card brands, such as MasterCard and Visa.
There are severe fines in place for those who do not comply with PCI DSS. If a data breach occurs, the financial damage increases, as fines from credit card companies and banks arise too.