PCI Compliance & Security

PCI Compliance

Does my business need to be PCI compliant?

The short answer is yes - if you are a merchant and you accept payment cards, then you must be PCI compliant.

Every merchant falls into one of four merchant levels based on its Visa transaction volume over a 12-month period. Most businesses fall into the Level 4 category and need only complete the PCI Self-Assessment Questionnaire (SAQ).

In addition to adhering to the PCI DSS, compliance validation is required for Level 1, Level 2, and Level 3 merchants, and may be required for Level 4 merchants. The PCI DSS also requires every merchant with Internet-facing IP addresses to pass quarterly external vulnerability scans, performed by an Approved Scanning Vendor (ASV), to achieve compliance. Acquirers may require Level 4 merchants to submit the quarterly scan reports and/or questionnaires. Any merchant that has suffered a breach resulting in an account data compromise may be escalated to a higher validation level.

 

What are the consequences of a data security breach?

If you are a merchant that experiences a payment card data breach and are found to have been out of compliance with the PCI DSS at the time of the breach, you face a range of consequences. These include, but are certainly not limited to:

  • Severe damage to your company's reputation and brand
  • Lawsuits from customers whose credit has been damaged
  • Fines of up to $500,000 per incident
  • Fines and remediation costs of up to $300 per compromised payment card record

Think your organization has enough modern network security to make PCI compliance unnecessary? Just ask TJX, now the poster child for credit card security breaches. During an 18-month period starting in July 2005, the parent company of TJ Maxx, Marshalls, Winners and HomeSense was targeted by attackers who, from outside the buildings, exploited weak wireless network security (WEP encryption) at its stores and downloaded almost 100 million credit card numbers. TJX originally estimated that the breach had cost it $118 million, but subsequent independent reviews put the estimate much higher, at $1.35 billion once all the dust has settled.

 

What is PCI DSS?

PCI DSS stands for Payment Card Industry Data Security Standard, a comprehensive security standard for protecting sensitive cardholder data. The PCI DSS is published by the PCI Security Standards Council (www.pcisecuritystandards.org), an open global forum launched in 2006 that is responsible for the development, management, education, and awareness of the PCI Security Standards.

PCI DSS lays out detailed rules that must be followed by anyone who handles sensitive credit card data. This data includes, but is not limited to: the card number (PAN), full magnetic stripe (track) data, Personal Identification Numbers (PIN), and card security codes (CAV2/CVC2/CVV2/CID). Note the distinction the standard draws: the card number may be stored if it is protected (for example by truncation, tokenization or strong encryption), but the magnetic stripe data, card security codes and PINs are sensitive authentication data and must never be stored after authorization, even encrypted.

PCI compliant entities must renew their compliance annually. For the largest merchants this generally includes submission of security documentation and procedures along with an on-site assessment of the organization; a Qualified Security Assessor (QSA) must be hired by the organization seeking compliance status to perform this assessment. The QSA then produces a Report on Compliance (ROC), which is submitted to the merchant's acquiring bank and, through it, to the card brands; the PCI Security Standards Council publishes the standard but does not receive compliance reports. Smaller merchants validate with a Self-Assessment Questionnaire instead of an on-site assessment.

Depending on the size of your business, you may be able to avoid some of the more expensive and time consuming aspects of PCI compliance.  Contact our sales team for more information on requirements for compliance.

 

How do I become PCI compliant? 
 
The PCI DSS follows common-sense steps that mirror security best practices. There are 3 steps for adhering to the PCI DSS – which is not a single event, but a continuous, ongoing process:
 
1. Assess - identify cardholder data, take an inventory of your IT assets and business processes for payment card processing, and analyze them for vulnerabilities that could expose cardholder data.
 
2. Remediate - fix the vulnerabilities found, do not store cardholder data unless your business actually needs it, and never store sensitive authentication data (full track data, card security codes, PINs) after authorization.
 
3. Report - compile and submit required remediation validation records (if applicable), and submit compliance reports to the acquiring bank and card brands you do business with. 
 
To learn what your specific compliance requirements are, check with your card brand compliance program:   

 

How can I reduce my exposure and liability?

Reducing exposure and reducing liability go hand in hand. The best way to do both is to use a solution in which you never store card numbers for any purpose: data you never hold cannot be stolen from you, and systems that never touch cardholder data fall outside your cardholder data environment, shrinking what you must assess. If you run a store, this means making sure that your credit card terminals and POS machines never store card data after authorization.

If you are a subscription or recurring service provider, or if you have memberships that require card data to be kept on file for recurring charges, then Caledon Card Services' Tokenization solution may be able to help. Our Tokenization system offloads the responsibility for card number storage onto us, reducing your exposure and liability. All credit card information is stored by Caledon; your systems keep only the account number (token) we return and use it to initiate charges, so the card number itself never has to reside on your systems.
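The split of responsibilities described above, as an added illustration that is not Caledon's software or API: a hypothetical TokenVault stands in for the provider's side and is the only object that ever holds card numbers; the merchant's own record (MerchantRecord, enroll_customer) holds a random token plus a display mask and nothing else, and recurring charges are initiated with the token alone. The block also shows why an unsalted hash of the card number is not a substitute for a token: with the BIN and last four digits available on any receipt, recover_pan_from_hash brute-forces the remaining digits in well under a second. The card numbers used are the standard industry test numbers, constructed here as sample input; all class and function names are assumptions for the example.

```python
"""Illustrative token vault (added example, not a vendor implementation).

Merchant side keeps: token + masked PAN.   Vault side keeps: PAN.
Sensitive authentication data (CVV2) is used once and never stored.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample inputs: industry-standard test card numbers. They pass
# the Luhn check but are not real accounts and cannot be charged anywhere.
TEST_PANS = ["4111111111111111", "5555555555554444"]


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; rejects malformed numbers before anything is stored."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits: the most PCI DSS permits you to display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Stands in for the provider's vault (hypothetical). Only this object ever
    holds PANs; a real vault would encrypt its store and run inside the
    provider's cardholder data environment, not in the merchant's process."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}

    def tokenize(self, pan: str, cvv2: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        # cvv2 would be sent with the initial authorization and then dropped:
        # sensitive authentication data is never retained after authorization.
        del cvv2
        # Random token: nothing about the PAN can be derived from it, so a
        # leaked merchant database yields nothing usable.
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        """Recurring charge: the merchant supplies only the token and amount."""
        pan = self._pan_by_token.get(token)
        if pan is None:
            raise KeyError("unknown token")
        # The provider would forward the PAN to the acquirer here; the receipt
        # returned to the merchant carries only the masked number.
        return {"approved": True, "amount_cents": amount_cents, "card": mask_pan(pan)}


@dataclass
class MerchantRecord:
    """Everything the merchant's own database needs for a recurring customer."""
    customer_id: str
    token: str
    card_display: str   # masked PAN for the customer's account page


def enroll_customer(vault: TokenVault, customer_id: str, pan: str, cvv2: str) -> MerchantRecord:
    token = vault.tokenize(pan, cvv2)
    return MerchantRecord(customer_id, token, mask_pan(pan))


def naive_hash_token(pan: str) -> str:
    """The anti-pattern: an unsalted SHA-256 of the PAN used as a 'token'."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_pan_from_hash(digest_hex: str, bin6: str, last4: str) -> Optional[str]:
    """Why naive_hash_token is not a token: BIN and last four are printed on
    receipts, leaving six unknown digits, and Luhn prunes nine in ten of those.
    At most a million candidates: trivial to enumerate."""
    for middle in range(1_000_000):
        candidate = f"{bin6}{middle:06d}{last4}"
        if luhn_ok(candidate) and hashlib.sha256(candidate.encode()).hexdigest() == digest_hex:
            return candidate
    return None


if __name__ == "__main__":
    vault = TokenVault()
    rec = enroll_customer(vault, "cust-42", TEST_PANS[0], "123")
    print(rec)                                   # no PAN, no CVV2 on the merchant side
    print(vault.charge(rec.token, 1999))
    leaked = naive_hash_token(TEST_PANS[0])
    print(recover_pan_from_hash(leaked, TEST_PANS[0][:6], TEST_PANS[0][-4:]))
```

The design point is that the merchant's copy of the data is worthless to a thief: the token is random, so it cannot be inverted, and it is only honoured by the vault that issued it. Contrast the hash "token", which looks opaque but is recoverable from public information; PCI DSS makes the same point in requiring that hashed PANs not be stored alongside their truncated forms.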

 

Page last updated on 03/29/2011