In the digital age, almost every business accepts payment cards. To protect people’s financial and personal information during credit, debit and gift card transactions, businesses should take serious steps. The companies that would be hurt the most if this information were lost, such as Mastercard, Visa, American Express and Discover, have industry-wide compliance regulations to protect themselves. This regulation is called PCI DSS, otherwise known as the Payment Card Index Digital Security Standard. Today we’re going to take a look at this regulation.
Understanding PCI Compliance
The credit card companies mentioned above make up what is called the PCI Security Standards. This mandate applies to any business that wants to accept payment cards, which basically means any business, as long as it accepts debit, credit and gift cards.
If your business stores information or processes payments using digital payment cards, it needs to be PCI compliant. Here are 10 actions you need to take to meet these regulations:
- Install all the necessary network security tools (antivirus, firewalls, and more) that can protect card data
- Restrict card information to a “need to know” basis
- Assign a user ID to every user with access
- Test your system security regularly
- Encrypt transmission of card data across your networks and public networks
- Change default passwords and make them complex
- Protect physical and digital access to cardholder and card data
- Train your staff on best practices of accepting payments
- Maintain and monitor system security
- Create written policies and procedures that reinforce the importance of securing cardholder data
Thankfully, most businesses already do these things to keep their data safe, and companies that don’t are in breach of the regulation and can face major consequences.
PCI and Business Size
According to PCI regulators, the size of your business is in direct proportion to the amount of risk that comes with it. PCI Security Council mandates break businesses down into four different merchant levels:
- Merchant Level #1: A business that processes over 6 million payment card transactions per year.
- Merchant Level #2: A business that processes between one million and 6 million payment card transactions per year.
- Merchant Level #3: A business that processes between 20,000 and one million payment card transactions per year.
- Merchant Level #4: A business that processes fewer than 20,000 payment transactions and fewer than one million overall payment card transactions per year.
Here are the responsibilities for each merchant level:
Merchant Level #1
Massive online business brings along even more responsibility. PCI regulations state that Level #1 merchants need to:
- Use a Qualified Security Assessor (QSA) to perform a yearly Report on Compliance (ROC)
- Complete a quarterly network scan with an Approved Security Vendor (ASV)
- Complete Attestation of Compliance Form for PCI Council records
Merchant Level #2
Level #2 businesses need to:
- Complete a yearly Self-Assessment Questionnaire (SAQ)
- Complete a quarterly network scan with an ASV
- Complete Attestation of Compliance Form for PCI Council records
Merchant Level #3
Medium-sized businesses that fall under Level #3 need to:
- Perform an SAQ
- Complete a quarterly network scan with an ASV
- Complete Attestation of Compliance Form for PCI Council records
Merchant Level #4
Small businesses usually are under this level and need to:
- Perform an SAQ
- Complete a quarterly network scan with an ASV
- Complete Attestation of Compliance Form for PCI Council records
Data security and privacy are more important than ever, and the payment card industry does a great job of policing them when it comes to card payments. If your business is found not to be in compliance with its regulations, you can face severe penalties and even have your privileges revoked. If you need help with these Payment Card Index Digital Security Standard regulations, give MyTek a call at 623-312-2440.