Tuesday 5 May 2009

Payment Card Industry (PCI-DSS) Compliance – How To Guide

Working within the payment card industry, I speak with Merchants daily about the Payment Card Industry Data Security Standard, herein known as PCI compliance. In almost every case the Merchants have either very little knowledge or have been given incorrect information. The purpose of this blog is to inform Merchants of the following:

1. What is PCI compliance?
2. Who needs to do PCI compliance?
3. Why Merchants need to do PCI compliance.
4. How to get PCI compliant quickly and easily.
5. The October 1st, 2009 compliance directive.

I will also be debunking some common PCI myths throughout the blog.

What is PCI Compliance

PCI compliance as defined by Wikipedia “is a worldwide information security standard assembled by the Payment Card Industry Security Standards Council (PCI SSC). The standard was created to help organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise. The standard applies to all organizations which hold, process, or pass card holder information from any card branded with the logo of one of the card brands.”

Put simply, PCI compliance is a set of business procedures that Merchants must comply with to protect the Merchant, and therefore the card schemes, from a breach. A breach is where card holder details used with a Merchant are stolen and then used by criminals. Most online Merchants will need to do a Level 3 compliance, which consists of a yearly self-assessment questionnaire (SAQ) and quarterly external vulnerability scans of your systems, carried out by an approved scanning vendor (ASV).

Who needs to do PCI Compliance

Every single Merchant who trades online will need to go through PCI compliance. There is a myth that if the online shop uses a hosted payment system, where the card holder information is keyed into pages hosted by the payment service provider (PSP), then the Merchant does not need to go through PCI compliance. This is 100% incorrect. The reason is that regardless of where the data is keyed on the website, each Merchant will have some form of virtual terminal where they can key in card data for things like refunds, adjustment billings, card changes etc. This information will most likely be phoned in to the Merchant, who will key it into the PSP-supplied virtual terminal. Although that terminal is served from a central server, it is still displayed in the browser on the Merchant's computer, so card details are handled on that computer on their way to the PSP's servers. This means the Merchant should be cross-cut shredding any card details that are written down and securing the computer and browser used to transmit the details to the PSP. As every Merchant has to do refunds, adjustments, cancellations etc. at some point, every Merchant will have to do PCI.

Why Merchants Need To Do PCI Compliance

There is the obvious answer to why Merchants need to do PCI, and that is because the card schemes have told Merchants they have to. My take, however, is slightly different. I think every Merchant should do at least a Level 3 compliance because if they do not, they are exposing their business to failure if they are compromised. Most of the points on the questionnaire are common sense if you know a little about security. If you do not have basic security knowledge, working through the questionnaire might actually identify a gaping hole in your business processes. Remember that if you are compromised and you are not PCI compliant, the card schemes will force your bank to close your account, force you through a Level 1 compliance, fine your business, or any combination of the above.

As an example, we recently helped a business whose primary means of collecting card details was via a call center with circa 200 operators. Their process, which they had been following for about a decade, was for the sales operator to collect the card information and write it onto a processing slip. These slips were collected by a staff member constantly walking up and down the aisles. The collected processing slips were then keyed into an Excel spreadsheet which was password protected, but many people had access to it. The spreadsheet was monitored by other staff who would key the transactions into physical terminals. The processing slips were bagged up and thrown out. They were collected by a secure waste disposal company, however they were left outside at a designated spot overnight in many cases.

There were so many security issues with this company it was a wonder they were never compromised. I informed their Financial Director what could happen if they were compromised and took him through some points from the questionnaire, and by the end of the day he had implemented most of the changes needed to be compliant.

The point of the example is that a decent-sized, hard-working company, by doing things the way they always had, was actually very exposed. Working through the questionnaire highlighted all the possible points of a breach in their processes. It should be noted that the Merchant was not so much concerned about the possible card scheme reprisals as about the damage to the company's reputation with their consumer base if they had been compromised.

How To Get PCI Compliant Quickly and Easily

This is where most Merchants have trouble, or choose not to do compliance, because they are misinformed. The Merchant often contacts the first link in Google that supplies the service and is quoted hundreds or thousands of pounds to complete the process. Except for larger Merchants who need a Level 2 or Level 1 compliance, this is simply not the case. What Merchants should be looking for is a service that offers an online application to complete the questionnaire and a system scanning service, so that when you complete the questionnaire and scans they email you a PDF that contains the report. This is then mailed to the bank.

The service that Iridium Corporation recommends to all our Merchants is provided by the security company Comodo and is called Hacker Guardian. It's simple and straightforward and will give you everything required to prove your PCI compliance to your acquiring bank.

October 1st, 2009 Compliance Directive

As of October 1st, 2009 all Level 3 and Level 4 Merchants must be able to prove compliance to their acquiring banks. Merchants who miss this deadline will most likely be charged higher rates by their banks and/or lose their account. There have been deadlines in the past set by the card schemes for PCI compliance which have come and gone. However, this time we ourselves as a processor have been informed that the banks intend to enforce it. In fact we are seeing some banks aggressively pushing their Merchants by setting deadlines well before October 1st, 2009. However, some banks who have published letters to their associated processing companies have not informed their Merchants directly, and in some cases there is indication they have not even told their call center staff. Every Level 3 or Level 4 Merchant should have no problem meeting the deadline, however. The Hacker Guardian process can be completed in an afternoon.

Summary

In summary, PCI compliance is not the big scary monster that it is made out to be. In fact, with the right information most Merchants find it easy and actually productive to go through. Our advice to our Merchants is always the same. We ask them what the loss of business reputation would cost them with their consumer base, followed by asking them if they could survive if they lost their Merchant facilities. It's not a scare tactic, but we have seen on numerous occasions what happens when it goes wrong.

Thursday 5 February 2009

Modern Retail – Survival Of The Fittest

The year 2008 saw some tumultuous economic times in many sectors. Oil hit all-time record highs. Banks toppled over like one of those Guinness domino record attempts, and in the UK some of our longest-standing retailers passed into history. The media doom and gloomers heralded times of economic woe for all retailers as high street sales slumped and dire Christmas performances were reported nearly across the board.

Sean Brietsche from Iridium Corporation comments, “Working within the payment processing industry gives a unique vantage point from which to gauge general retail performance. Having a wide variety of Merchants ranging from local Mom & Pop shops to blue chip retail and everything in between means that we can look at a specific industry or just retail as a whole and compare data with what the media is reporting and what is actually happening. This year's results were quite interesting as the trends did not follow exactly as reported in the media. This is no surprise as online retail has been growing from strength to strength, however when everything is combined some quite interesting Darwinian premises can be put forward.”

A recent casualty of our current economic times is Empire Direct, as reported by the BBC (http://news.bbc.co.uk/1/hi/england/west_yorkshire/7838656.stm ). This failure was used to further the idea of how far-reaching the current economic situation is and that bad times are ahead for us all. So why are so many of the new breed of technology-savvy Internet retailers experiencing great sales and strong month-on-month growth?

The answer is survival of the fittest. The days are ending for companies who boast their success in terms of volume of turnover and numbers of employees with fabulously expensive head offices. The bureaucracy that comes part and parcel with big business is being slowly but surely undermined by the new breed of Internet retailer.

Traditionally, as a retailer grows in size and locations it needs an ever-increasing support backbone to maintain its retail space. Everything from warehouse space, head and regional offices, and middle and upper management costs large amounts of money. All combined, this creates a natural bureaucracy which in itself hinders the company's ability to change. This creates a huge weight that must be carried aloft by the performance of its outlets. There is a constant battle to keep enough sales to support the ever-increasing weight at the top. The whole thing will come crashing down when sales, even for a brief time, fail to inject enough blood into the supporting legs.

So what exactly is it that is causing a decrease in high street sales and a growing increase in online sales? The primary reason is that during times of economic uncertainty people naturally become more frugal with their money. People still want a shopping experience, however they want the best deal for what they are buying. So they head to the high street shops, where one or two retailers may have the item they are looking for. They get to touch and feel for themselves whether they like the item. The key difference, however, is that instead of buying there and then, they go home and find the best deal online. And this is the key difference between a traditional retailer that has failed to adapt and, for lack of a better term, a modern one.

Most online retailers have clued in to the fact that if they do things right they may never have to actually touch a piece of stock. Combine that with importers and base distributors that want a piece of the end retail price, flavoured with a fundamental change in how people shop, and what you have is the proverbial primordial soup ready to support retail evolution. And that is exactly what we are seeing: pure survival of the fittest.

The profile of a typical modern retailer is all about automation of the traditional aspects of running a business. Stock and inventory are kept to an absolute minimum, with processes in place to ensure that anything sold via a website is either immediately available from direct stock or from a drop shipper. Invoicing and collection of funds is automated through a payment service provider, with accounting and banking reconciliation all tied into a seamless process. So instead of having Leslie in accounting balancing ledgers and Jim in stock control counting widgets, all the staff within a company are actually focused on building the company and not maintaining it.

Duane Jackson from Kashflow comments, “Every second one of our clients has to spend doing books, chasing stock, or trying to get invoices paid is not only less time they can spend on building their businesses but actually has a financial overhead as a company grows. The more business transacted, the more that has to be chased, and at some point that means hiring staff just to deal with transactions that have been completed. By working with internet payment gateways and other Service as a Software (SaaS) providers we can greatly minimize the resources a business has to spend on simply maintaining itself. With slick accounting, electronic payments, and reconciliation methods you vastly decrease the ratio of the amount of additional staff you need to do greater amounts of business.”

As 2008 fades into history we see a story of some 27 UK high street retailers entering into various forms of insolvency. Some have been household names for generations. The ones that we will see survive are the ones that have embraced doing business in the modern way. Lean at the top and efficient throughout. The best will fill the voids of their now dead competitors. Evolution is unforgiving and only the best will flourish.