
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements, maintained by the PCI Security Standards Council, designed to protect payment card data. It is not government regulation; it is enforced contractually through the card brands and acquiring banks, and it applies to any merchant or service provider that stores, processes, or transmits cardholder data.

PCI compliance standards are designed to reduce risks such as credit card fraud, identity theft, and credit card hijacking. This article provides a set of instructions outlining what you need to remain PCI compliant, including a bonus PCI compliance checklist you can use when assessing your compliance needs.

What Is PCI Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) applies to any business that stores, processes, or transmits payment card data. Web-based businesses are included, and they must also make sure that any hosting provider that handles card data on their behalf is itself PCI DSS compliant. The standard is maintained by the PCI Security Standards Council, founded in 2006 by the major card brands: American Express, Discover, JCB, Mastercard, and Visa.

PCI DSS is designed to ensure that merchants and service providers implement data protection measures consistently and verifiably, so as to reduce the opportunities for attack and data theft. Central to this is the Cardholder Data Environment (CDE): the people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data. Keeping the CDE small and well defined is what limits the risk that comes with running an eCommerce site over the public Internet.

Risks that eCommerce sites face without protections include:

  • Credit card fraud—attackers use stolen credit cards or card numbers to make purchases.
  • Identity theft—attackers use compromised credentials to make purchases with saved credit card information.
  • Credit card hijacking—attackers steal credit card information by redirecting customers to fake logins or carts.

Any eCommerce vendor’s information security strategy should include continuous efforts to maintain PCI compliance. This applies to non-traditional vendors as well, including municipalities, banks, and universities. Since 2019, when the PCI Software Security Framework was published, it also reaches developers of payment applications that accept or handle card data.

What Is Required for PCI Compliance?

When establishing your PCI compliance strategy there are numerous factors you need to account for.

Build and maintain secure networks and systems

  • Install and maintain firewalls (or equivalent network security controls) to protect the cardholder data environment
  • Change vendor-supplied defaults for credentials and security parameters before a system goes live
  • Protect stored cardholder data (render the PAN unreadable wherever it is stored) and encrypt card data in transit across open, public networks
  • Track and monitor all access to network resources and cardholder data through continuous logging

Implement strong access control and data protection measures

  • Limit access to payment data using the principle of least privilege
  • Implement authentication measures for access to systems and data
  • Limit physical access to consumer data
  • Implement an incident response plan to respond to cardholder data security incidents (individual card brands may impose additional, specific requirements)

Maintain a vulnerability management program

  • Deploy anti-malware software to detect, prevent, and remove malware, and keep it up to date
  • Develop and maintain secure applications, networks, and systems, including timely patching
  • Regularly test security controls and audit PCI compliance processes and policies

PCI Compliance Checklist: 7 Steps to Achieve PCI Compliance


PCI compliance requires the general measures mentioned above as well as seven specific steps necessary for PCI verification.

  1. Determine your PCI level—each card brand assigns merchants a level (1 through 4) based on annual transaction volume with that brand. The level sets how you must validate compliance, from a self-assessment up to a full on-site audit.
  2. Map the flow of cardholder data—determine the flow of data from start to finish, including any applications, users, payment systems, logs, and storage that touch card data. Everything that touches it is in scope.
  3. Complete the Self-Assessment Questionnaire (SAQ)—the SAQ walks through the six control objectives and 12 requirements of PCI DSS. Several SAQ types exist, and which one applies depends on how you accept cards (fully outsourced eCommerce, for example, uses a much shorter SAQ than an environment that stores card data). Level 1 merchants cannot self-assess; they need an on-site assessment by a Qualified Security Assessor (QSA), or a certified Internal Security Assessor (ISA), that produces a Report on Compliance instead.
  4. Fill out the Attestation of Compliance (AOC)—the AOC is a document confirming that you have fulfilled and verified all necessary compliance measures. Its form varies with the SAQ type or ROC you completed.
  5. Conduct vulnerability scans—most SAQ types require quarterly scans. Internal scans can be run in-house, but external scans of Internet-facing systems must be performed by a PCI-approved scanning vendor (ASV) and must pass.
  6. Submit documents—depending on which companies or banks you are working with you may need to submit proof of your efforts. This can include SAQs, AOCs, or ASV scans.
  7. Monitoring—once the above steps are complete you need to continue to monitor PCI compliance. Monitoring should capture any changes to your processes or infrastructure and ensure that PCI compliance measures are adapted as needed.
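The checklist items on mapping the flow of cardholder data and on continued monitoring, and the earlier requirements to render stored PANs unreadable and to log activity, come together in one recurring practical problem: card numbers leaking into application logs, which silently pulls the whole logging pipeline into the CDE. The script below is an added example for this article, not Lightico's code and not anything PCI DSS itself prescribes. It uses only the Python standard library to find Luhn-valid PANs in log lines, mask them to the first six and last four digits, and replace them with a keyed HMAC token for correlation. The log lines are constructed sample data, the card numbers are publicly known test numbers, and DEMO_KEY is a placeholder.

```python
"""
Cardholder-data hygiene helpers for a small CDE: find PANs that leaked into
logs (a common way cardholder data escapes its mapped flow), mask them for
display, and replace them with a keyed token for storage and correlation.

Example added to this article; it is not Lightico's code and not part of PCI
DSS itself. Standard library only. SAMPLE_LOG is constructed data; the card
numbers are publicly known test PANs that do not belong to any cardholder, and
DEMO_KEY is a placeholder (real keys live in an HSM or secrets manager).
"""
from __future__ import annotations

import hashlib
import hmac
import re

# A PAN is 13-19 digits; people paste them with spaces or hyphens, so allow one
# separator between digits. The lookarounds stop us matching inside longer runs.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SEPARATORS = re.compile(r"[ -]")

DEMO_KEY = b"placeholder-token-key"  # assumption: never hard-code a real key

# Constructed log lines; 4111..., 5555..., 3782... are published test numbers.
SAMPLE_LOG = [
    "2024-03-14T10:22:31Z INFO order=88213 pan=4111111111111111 amount=59.90",
    "2024-03-14T10:22:35Z DEBUG card 5555 5555 5555 4444 expiry 12/27 cvv=***",
    "2024-03-14T10:22:40Z INFO order=88214 pan=4111111111111112 amount=12.00",
    "2024-03-14T10:23:02Z WARN retry for 3782-822463-10005 after gateway timeout",
    "2024-03-14T10:23:09Z INFO health check ok latency_ms=41",
]


def luhn_valid(digits: str) -> bool:
    """Luhn (ISO/IEC 7812) check. It cuts most false positives from timestamps,
    order IDs and tracking numbers, but a random 16-digit string still passes
    about one time in ten, so treat hits as leads to confirm, not proof."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return digits-only PANs in text that pass the Luhn check."""
    pans = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = SEPARATORS.sub("", match.group(0))
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def mask_pan(pan: str) -> str:
    """Keep first six and last four, the most PCI DSS lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str, key: bytes) -> str:
    """Stable, non-reversible reference for a PAN. A plain SHA-256 would not
    do: once the BIN is known, the remaining digits are few enough to
    enumerate, so the hash must be keyed (HMAC) with a key kept out of the
    log store."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def redact_line(line: str) -> str:
    """Replace every Luhn-valid PAN in a log line with its masked form."""
    def _mask(match: re.Match) -> str:
        digits = SEPARATORS.sub("", match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)
    return PAN_CANDIDATE.sub(_mask, line)


def scan_log(lines: list[str], key: bytes) -> list[dict]:
    """Report each PAN found with its line number, masked form and token."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            findings.append({"line": lineno, "masked": mask_pan(pan),
                             "token": tokenize_pan(pan, key)})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG, DEMO_KEY):
        print(f"line {f['line']}: {f['masked']} token={f['token'][:16]}...")
    print("--- redacted ---")
    for line in SAMPLE_LOG:
        print(redact_line(line))
```

Run against the sample, the scanner flags lines 1, 2 and 4 and ignores line 3, whose number has the right shape but fails the Luhn check. Any real hit means the log source is writing cardholder data and either the logging must be fixed or that log store is part of the CDE and has to be protected and assessed as such; redacting after the fact does not remove the scope, it only limits exposure.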

How Do I Know If I’m in PCI Compliance?

If you complete the steps above and can document them through your SAQ and AOC, you are considered PCI compliant for that validation period; compliance must be re-validated annually and maintained continuously in between. Not every organization may rely on self-assessment, however. Where a higher level of validation is required, the following options apply:

  • Internal Security Assessor (ISA)—your own employees, trained and certified by the PCI Security Standards Council, who can perform in-house assessments and sign off SAQs.
  • Qualified Security Assessor (QSA)—assessors employed by PCI SSC-qualified companies (QSACs). They are external validators and are required for organizations with the highest validation requirements, such as Level 1 merchants and many service providers.
  • Report on Compliance (ROC)—the detailed assessment report produced for organizations that do not qualify for an SAQ. A ROC is written by a QSA (or a certified ISA) after an on-site audit of your business.

What Does Non-Compliance Mean?

If you fail to meet PCI compliance there are several impacts you may face. These impacts are determined by when non-compliance is discovered, by whom, and whether failure to comply has been exploited.

PCI non-compliance fines

Merchants who fail to meet or maintain PCI compliance may be fined. The fines are levied by the card brands on the acquiring bank, which passes them on to the merchant; this typically happens after a breach or after customers experience fraudulent transactions. Commonly cited fines range from $5,000 to $100,000 per month and may continue until you achieve compliance.

Suspension of card processing

Failure to maintain compliance can result in your ability to process card payments being revoked. This is imposed by the card brands and your acquiring bank, not by the PCI Security Standards Council, which publishes the standard but does not enforce it.

Mandatory forensic examination

If a breach is suspected, the card brands may require a forensic examination by a PCI Forensic Investigator (PFI), a third-party firm approved by the PCI Security Standards Council. The PFI examines your systems and data to determine whether a breach occurred, how it happened, and how much cardholder data was exposed, and the cost of the investigation falls on the merchant.

Customer liability

Any breaches of data can result in lawsuits claiming liability. If these suits are upheld, you may be liable for reimbursing customers for damages. Breaches or possible breaches also jeopardize customer trust and may cause you to lose business and brand reputation.

Conclusion

PCI compliance is critical for businesses that accept card payments, including eCommerce stores and digital courses sold via online subscriptions. Non-compliance may result in a mandatory forensic examination, fines of $5,000 to $100,000 per month, suspension of card processing, and liability lawsuits.

To check whether you are compliant, use the PCI compliance checklist in this article. Keep in mind that self-assessment and compliance scans do not replace a professional assessment by an ISA or QSA where your level requires one, and that compliance only holds if all seven steps in the checklist are covered and kept current as your systems change.

Lightico offers an intuitive PCI-compliant solution designed for the needs of work-from-home call center agents. While agents are on the phone with customers, they simply send them real-time payment requests through a secure mobile environment that’s shared via text message link.

Once the payment is transferred, Lightico stores audit and payment information to ensure PCI compliance and easy future reference. This mobile-optimized, agent-guided model is proven to deliver significantly higher payment conversion rates than traditional systems.

Lightico’s secure payment solution can be up-and-running within days, allowing call centers to keep their agents working from home securely.

"Great tool to expedite customer service"

The most helpful thing about Lightico is the fast turnaround time. The upside is that you are giving your customer an easy way to respond quickly and efficiently. Lightico has cut work and waiting time, as you can send customer forms via text and get them back quickly, very convenient for both parties.

"Great Service and Product"

I love the fact that I can send or request documents from a customer and it is easy to get the documents back in a secured site via text message. Our company switched from Docusign to Lightico, as Lightico is easier and more convenient than Docusign, as the customer can choose between receiving a text message or an email.