PCI compliance, also commonly known to merchants and retailers as PCI DSS compliance, is a security standard applicable to every business or organization that processes, stores or transmits credit cardholder information. It covers cards from all the major brands, including Visa and Mastercard. “PCI DSS” stands for Payment Card Industry Data Security Standard.
PCI compliance was first set up and designed in 2004. This was when the different credit card companies banded together to form the Payment Card Industry Security Standards Council, or PCI SSC, in an effort to set standards for security and ultimately protect customers’ payment data from getting into the wrong hands. It is important to note that the council’s guidelines are constantly being updated as hackers find new ways to gain access to retailer networks and as cybersecurity standards and technologies evolve. Below are three common questions businesses might have regarding PCI compliance.
My business needs to store credit card data. What methods can we utilize?
A: Recurring billing is the primary reason the majority of retailers need to store credit card data. The recommended way to store this data is by using a third-party credit card vault and tokenization provider. With a vault, the card data is removed, and you get a “token” that can be used for recurring billing. By using a third party, you move the risk to a company that specializes in the field and has all of the security controls in place to keep the card data safe.
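To make the vault-and-token arrangement concrete, here is an added example (not IronEdge code, and not any particular provider's API) of a minimal in-memory tokenization vault. The `TokenVault`, `StoredCard`, `tokenize` and `charge` names are assumptions for illustration, and the PAN used is a constructed, well-known test number. It shows the three properties the answer above relies on: the merchant keeps only a random token plus the last four digits and expiry, the CVV is never written anywhere, and a recurring charge is made by token alone, so the full card number never leaves the vault.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed test PAN (a well-known Luhn-valid test number, not a real account).
TEST_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn check: rejects obvious typos before anything is stored."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) != len(pan) or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form for receipts and support screens: only the last four digits remain."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass(frozen=True)
class StoredCard:
    """What the merchant keeps for recurring billing: no PAN, no CVV."""
    token: str
    last4: str
    exp_month: int
    exp_year: int


class TokenVault:
    """Stand-in for the third-party vault: the only place the PAN lives (hypothetical)."""

    def __init__(self) -> None:
        self._cards: dict = {}

    def tokenize(self, pan: str, exp_month: int, exp_year: int,
                 cvv: Optional[str] = None) -> StoredCard:
        # The CVV is Sensitive Authentication Data: it may be checked during the
        # first authorization but must never be stored, so it is discarded here.
        del cvv
        if not luhn_valid(pan):
            raise ValueError("PAN failed Luhn check")
        # Random token, not derived from the PAN: the token reveals nothing about
        # the card, and the same card receives a fresh token on each enrolment.
        token = "tok_" + secrets.token_urlsafe(16)
        self._cards[token] = {"pan": pan, "exp_month": exp_month, "exp_year": exp_year}
        return StoredCard(token, pan[-4:], exp_month, exp_year)

    def charge(self, token: str, amount_cents: int) -> dict:
        """Recurring charge by token; the receipt carries only the masked PAN."""
        card = self._cards.get(token)
        if card is None:
            raise KeyError("unknown token")
        # A real provider would forward the PAN to the card network at this point.
        return {"token": token, "amount_cents": amount_cents,
                "card": mask_pan(card["pan"])}


if __name__ == "__main__":
    vault = TokenVault()
    on_file = vault.tokenize(TEST_PAN, 12, 2030, cvv="123")
    print("merchant stores:", on_file)
    print("monthly charge:", vault.charge(on_file.token, 1999))
```

The merchant-side record is deliberately a frozen dataclass with no field that could hold a PAN, which is the point of moving the risk: a compromise of the merchant's database yields tokens that are useless without the vault, and the vault's own self-assessment scope is the provider's problem rather than yours.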
If you store the card data yourself, your bar for self-assessment is very high, and we recommend having a security assessor come onsite and perform a review. IronEdge can help your organization stay up-to-date with the latest security standards, data privacy regulations and risk frameworks.
What is defined as ‘cardholder data’?
A: The PCI Security Standards Council (SSC) defines ‘cardholder data’ as the full Primary Account Number (PAN) or the full PAN along with any of the following elements:
• Cardholder name
• Expiration date
• Service code
Sensitive Authentication Data, which must also be protected, includes full magnetic stripe data, CAV2, CVC2, CVV2, CID, PINs, PIN blocks and more.
What are the penalties for non-compliance?
A: Acquiring banks could be fined $5,000 to $100,000 per month for PCI compliance violations. They will most likely pass this fine along until it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business. It is important to understand your merchant account agreement.