Tuesday 5 May 2009

Payment Card Industry (PCI-DSS) Compliance – How To Guide

Working within the payment card industry I speak with Merchants daily about the Payment Card Industry Data Security Standard, herein known as PCI compliance. In almost every case the Merchants have either very little knowledge, or have been given incorrect information. The purpose of this blog is to inform Merchants of the following:

1. What is PCI compliance.
2. Who needs to do PCI compliance.
3. Why Merchants need to do PCI compliance.
4. How to get PCI compliant quickly and easily.
5. October 1st, 2009 compliance directive.

I will also be debunking some common PCI myths throughout the blog.

What is PCI Compliance

PCI compliance as defined by Wiki “is a worldwide information security standard assembled by the Payment Card Industry Security Standards Council (PCI SSC). The standard was created to help organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise. The standard applies to all organizations which hold, process, or pass card holder information from any card branded with the logo of one of the card brands.”

Basically, PCI compliance is a set of business procedures that Merchants must follow to protect the Merchant, and therefore the card schemes, from a breach. A breach is where card holder details used with a Merchant are stolen and used by criminals. Most online Merchants will need to do a Level 3 compliance, which is a yearly self-assessment questionnaire and a quarterly scan of your systems.

Who needs to do PCI Compliance

Basically every single Merchant who trades online will need to go through PCI compliance. There is a myth that if the online shop uses a hosted payment system, where the card holder information is keyed into pages hosted by the payment service provider (PSP), then the Merchant does not need to go through PCI compliance. This is 100% incorrect. The reason is that regardless of where the data is keyed on the website, each Merchant will have some form of virtual terminal where they can key in card data for things like refunds, adjustment billings, card changes etc. This information will most likely be phoned in to the Merchant, who will key it into the PSP-supplied virtual terminal. Although that terminal is served from a central server, it is still displayed in the browser on the Merchant's computer. This means the Merchant is handling card data: they should be cross-shredding any card details that are written down, and they are transmitting details via their browser to the PSP's servers. As every Merchant has to do refunds, adjustments, cancellations etc. at some point, every Merchant will have to do PCI.

Why Merchants Need To Do PCI Compliance

There is the obvious answer to why Merchants need to do PCI, and that is because the card schemes have told Merchants they have to. My take however is slightly different. I think every Merchant should do at least a level 3 compliance because if they do not they are exposing their business to failure if they are compromised. Most of the points on the questionnaire are common sense if you know a little about security. If you do not have basic security knowledge, actually doing the questionnaire might identify a gaping hole in your business processes. Remember that if you are compromised and you are not PCI compliant, the card schemes will force your bank to either close your account, force you through a level 1 compliance, fine your business, or any combination of the aforementioned.

As an example, we recently helped a business whose primary means of collecting card details was via a call center with circa 200 operators. Their process, which they had been following for about a decade, was for the sales operator to collect the card information and write it onto a processing slip. These slips were collected by a staff member constantly walking up and down the aisles. The collected processing slips were then keyed into an Excel spreadsheet which was password protected, but many people had access to it. The spreadsheet was monitored by other staff who would key the transactions into physical terminals. The processing slips were bagged up and thrown out. They were collected by a secure waste disposal company, however in many cases they were left outside at a designated spot overnight.

There were so many security issues with this company it was a wonder they were never compromised. I informed their Financial Director what could happen if they were compromised and took him through some points from the questionnaire, and by the end of the day he had implemented most of the changes needed to be compliant.

The point of the example is that a decent-sized, hard-working company, by doing things the way they always had, was actually very exposed. Working through the questionnaire highlighted all the possible points of a breach in their processes. It should be noted that the Merchant was not so much concerned about the possible card scheme reprisals as about the damage to the Company's reputation with their consumer base if they had been compromised.

How To Get PCI Compliant Quickly and Easily

This is where most Merchants have trouble, or choose not to do compliance, because they are misinformed. The Merchant often contacts the first link in Google that supplies the service and is quoted hundreds or thousands of pounds to complete the process. Except for larger Merchants who need a level 2 or level 1 compliance, this is simply not the case. What Merchants should be looking for is a service that offers an online application to complete the questionnaire and a system scanning service, so that when you complete the questionnaire and scans they email you a PDF that contains the report. This is then mailed to the bank.

The service that Iridium Corporation recommends to all our Merchants is provided by the security company Comodo and is called Hacker Guardian. It's simple and straightforward and will give you everything required to prove your PCI compliance to your acquiring bank.

October 1st, 2009 Compliance Directive

As of October 1st, 2009 all level 3 and level 4 Merchants must be able to prove compliance to their acquiring banks. Merchants who fail this deadline will most likely be charged higher rates by their banks and/or lose their account. There have been deadlines in the past set by card schemes for PCI compliance which have come and gone. However this time, as a processor, we ourselves have been informed that the banks intend to meet it. In fact we are seeing some banks aggressively pushing their Merchants by setting deadlines well before October 1st, 2009. However some banks who have published letters to their associated processing companies have not informed their Merchants directly, and in some cases there is indication they have not even told their call center staff. Every level 3 or level 4 Merchant should have no problem meeting the deadline however. The Hacker Guardian process can be completed in an afternoon.

Summary

In summary, PCI compliance is not the big scary monster that it is made out to be. In fact, with the right information most Merchants find it easy and actually productive to go through. Our advice to our Merchants is always the same. We ask them what the loss of business reputation would cost them with their consumer base, followed by asking them if they could survive if they lost their Merchant facilities. It's not a scare tactic, but we have seen on numerous occasions what happens when it goes wrong.

1 comment:

  1. I work at Comodo and would like to thank you for recommending HackerGuardian to your Merchants. Can we chat offline sometime?