The Payment Card Industry Data Security Standard (PCI DSS) is the security standard that governs how cardholder data is stored, processed, and transmitted.
PCI Compliance overview
As a merchant, you are required to meet PCI DSS if you process, store, or transmit cardholder data. The standard consists of 12 requirements. Your acquiring bank assigns you one of four merchant levels based on your annual transaction volume (see "How the levels are set" below). Merchants at levels 2-4 validate compliance by completing a Self-Assessment Questionnaire (SAQ) every year; level 1 merchants must instead be assessed on site by a Qualified Security Assessor (QSA), who produces a Report on Compliance (ROC). In both cases you then sign an Attestation of Compliance (AOC), which is what your acquirer needs. Note that the PCI Security Standards Council does not issue certificates; a compliance certificate is something your merchant services provider issues as a record of your attestation.
12 Requirements to be compliant with PCI DSS
- Install and maintain a firewall configuration to protect cardholder data – Control traffic into and out of the cardholder data environment. A firewall inspects all network traffic and blocks anything that does not meet the configured rules, keeping attackers away from systems that hold card data.
- Do not use vendor-supplied defaults for system passwords and other security parameters – Change default passwords, accounts, and settings on every device and application before it goes into production. Defaults are publicly documented and are the first thing an attacker tries.
- Protect stored cardholder data – Store the primary account number (PAN) only when there is a business need, and render it unreadable wherever it is stored using encryption, truncation, masking, or keyed hashing. Sensitive authentication data (full magnetic-stripe contents, CVV2/CVC2, PIN blocks) must never be stored after authorization, even if encrypted.
- Encrypt transmission of cardholder data across open, public networks – Use strong cryptography (TLS with current versions and cipher suites) whenever cardholder data crosses the internet, wireless networks, or any other network you do not control. SSL and early TLS are not acceptable.
- Protect all systems against malware and regularly update anti-virus software or programs – Deploy anti-malware on every system commonly affected by malware, keep it current, and make sure users cannot disable it.
- Develop and maintain secure systems and applications – Apply vendor security patches promptly (critical patches within one month of release) and build security into your own software development, for example by addressing common coding flaws such as injection and broken authentication.
- Restrict access to cardholder data by business need to know – Grant access to cardholder data only to personnel whose job requires it, with a default of "deny all" for everyone else.
- Identify and authenticate access to system components – Assign a unique ID to every user and administrator so that every action can be traced to an individual. Shared accounts are not permitted, and multi-factor authentication is required for all non-console administrative access to the cardholder data environment.
- Restrict physical access to cardholder data – Control who can enter areas housing systems that store cardholder data, keep media containing card data inventoried and secured, and destroy it securely when it is no longer needed.
- Track and monitor all access to network resources and cardholder data – Log every access to system components and cardholder data with enough detail (user, event, date and time, outcome) to reconstruct what happened, protect the logs from tampering, and review them daily.
- Regularly test security systems and processes – Run internal and external vulnerability scans at least quarterly (external scans by a PCI Approved Scanning Vendor) and perform penetration testing at least annually and after any significant change.
- Maintain a policy that addresses information security for all personnel – A written security policy informs personnel of their responsibilities and is the basis for enforcing protection of sensitive data.
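The requirements above for protecting stored cardholder data and for keeping card data out of logs are the ones developers most often get wrong, so here is a small worked example. It is added for illustration and is not code from the original page or from Aurora. It shows the three techniques named under "Protect stored cardholder data": truncation/masking of a PAN so that at most the first six and last four digits are visible, a keyed hash (HMAC-SHA-256) that lets you match a card across transactions without storing the PAN, and a log scrubber that replaces any Luhn-valid card number in a log line with its masked form. The key, the test PANs, and the log line are constructed for this example; in production the hash key lives in a key-management system, never in source.

```python
"""Masking, keyed hashing and log scrubbing of primary account numbers (PANs).

Added example, not part of the original page. All sample data below is
constructed for the demonstration; 4111111111111111 and 5500000000000004
are well-known test card numbers that are not real accounts.
"""
import hashlib
import hmac
import re

# Hypothetical 256-bit key for this demo only. A real deployment fetches the
# key from an HSM or key-management service and rotates it per policy.
SAMPLE_HASH_KEY = bytes.fromhex("00" * 32)

# 13 to 19 digits, optionally separated by single spaces or hyphens, not
# embedded in a longer run of digits. Candidates are confirmed with Luhn so
# that order numbers and timestamps are not mistaken for cards.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def _digits(value: str) -> str:
    """Keep only the digits of a formatted card number."""
    return "".join(c for c in value if c.isdigit())


def luhn_valid(pan: str) -> bool:
    """Return True if the digits of `pan` pass the Luhn check and have a card-like length."""
    digits = [int(c) for c in _digits(pan)]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: first six and last four digits at most, rest replaced by '*'."""
    digits = _digits(pan)
    if not luhn_valid(digits):
        raise ValueError("not a well-formed PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_reference(pan: str, key: bytes = SAMPLE_HASH_KEY) -> str:
    """Keyed hash of a PAN, usable as a lookup reference instead of the PAN itself.

    The key matters: with the first six and last four digits known from the
    masked form, an unkeyed SHA-256 of a 16-digit PAN has at most a million
    candidates (fewer after Luhn) and is trivially brute-forced. PCI DSS v4.0
    therefore requires hashes of PAN to be keyed.
    """
    digits = _digits(pan)
    if not luhn_valid(digits):
        raise ValueError("not a well-formed PAN")
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


def scrub_log_line(line: str) -> str:
    """Replace every Luhn-valid card number in a log line with its masked form.

    Numbers that look card-like but fail Luhn (order IDs, timestamps) are left alone.
    """
    def _replace(match: re.Match) -> str:
        candidate = match.group(0)
        digits = _digits(candidate)
        return mask_pan(digits) if luhn_valid(digits) else candidate

    return PAN_RE.sub(_replace, line)


if __name__ == "__main__":
    # Constructed log line: a request log that leaked a full PAN.
    leaked = "2024-05-01 POST /pay card=4111111111111111 amount=19.99 trace=20240501123456"
    print(mask_pan("4111 1111 1111 1111"))
    print(pan_reference("4111 1111 1111 1111"))
    print(scrub_log_line(leaked))
```

The scrubber belongs at the logging layer (a log formatter or filter), not in individual handlers, so that a PAN accidentally written by any code path is masked before it reaches disk; the keyed reference, not the PAN, is what you store for fraud checks and "same card" matching.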
Why does my business need to remain PCI Compliant?
Whether your business is large or small, it is important to protect your business and your customers, because businesses of all sizes are targets for data breaches. If your business suffers a breach while out of compliance, you will face fines. The PCI Security Standards Council itself does not levy them; the card brands fine your acquiring bank, which passes the fines (and often higher processing fees) on to you.
Fines & Penalties
Being out of compliance when a data breach occurs is one way to incur fines, but even without a breach there are consequences for failing to remain compliant: fines, fee increases, and bank sanctions, to name a few. Your business could also be placed on a watch list that prevents you from processing credit cards, and you may be subject to lawsuits.
More about the annual Self-Assessment Questionnaire (SAQ)
The self-assessment questionnaires are available on the PCI Security Standards Council website (or reach out to an Aurora specialist, and we can provide you with the appropriate one). There are several SAQ types, and which one applies depends on how your business accepts cards; for example, a merchant that fully outsources card entry to a validated third party answers far fewer questions than one that stores cardholder data on its own systems. The questionnaire is made up of yes/no questions that evaluate your current security procedures against the requirements above.
How the levels are set
Your level is based on your annual transaction volume: level 1 is the highest volume and level 4 the lowest. The thresholds below are the ones most card brands use; your acquiring bank confirms your level, and the level 3 and 4 thresholds apply to e-commerce transactions. A merchant that has suffered a breach can be assigned level 1 regardless of volume.
Level 1: a merchant processing more than 6 million transactions annually
Level 2: a merchant processing between 1 million and 6 million transactions annually
Level 3: a merchant processing between 20,000 and 1 million e-commerce transactions annually
Level 4: a merchant processing fewer than 20,000 e-commerce transactions annually, or up to 1 million transactions through any channel
Completing the Attestation of Compliance (AOC)
The AOC is the form you sign once the self-assessment (or, for level 1, the on-site assessment) is complete and every requirement is met; it is the document your acquirer actually needs. Your merchant services provider can often submit the AOC on your behalf and then issue your compliance certificate.
Helping you through PCI Compliance
At Aurora, we are here to help you get through annual PCI compliance as easily as possible. You will receive notifications when your PCI certificate is about to expire, a link to complete the self-assessment, and additional guidance along the way if you need it.