PCI Compliance
Payment Card Industry DSS Compliance
Registration is quick and easy!
Once you’re signed up and approved, you’ll be able to take your questionnaire online, and 403 Labs will start scanning your systems on the date and time you set.
Your results will be sent to you via email with instructions for reviewing your report.
PCI compliance — also known as PCI DSS compliance — is a necessary part of doing business for every merchant who accepts credit cards, debit cards and EBTs (electronic benefit transfers). Knowing what PCI compliance is and how to achieve it is vital to the future of your business on a number of different levels.
At MSW Card, we understand the ins and outs of PCI security compliance and are ready with services to help you sort it all out.
On the surface, mandatory PCI compliance may seem complicated, even burdensome or intrusive on the way you run your business. But think of it this way: PCI compliance equates with security for both you and your customers. Isn’t a little effort and diligence on your part a small price to pay for peace of mind when your livelihood is at stake?
What is the PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is an industry-wide compliance requirement created for anyone who stores, processes or transmits payment card data (such as accepting credit card payments).
The PCI DSS was created in collaboration with the different payment card brands: American Express, Discover, JCB, MasterCard and Visa. The requirements are designed to reduce payment card compromises and data theft by helping you secure your sensitive information and reduce your vulnerability to attacks.
PCI compliance is adherence to PCI DSS, the acronym for Payment Card Industry Data Security Standards, which are administered by the Payment Card Industry Security Standards Council (PCI SSC). This independent group was established in 2006 by the five major payment card brands — Visa, MasterCard, Discover, American Express and JCB — to manage security standards for electronic transactions. Those standards and additional information about the PCI SSC can be found on the organization’s website.
Although the PCI Security Standards Council does not impose consequences for non-compliance with its data security standards, the individual payment brands can and do impose fines and/or operational sanctions that could be disastrous for your bottom line and your reputation with acquirers, payment brands and customers. Additionally, several states already have PCI compliance laws on their books, and more are expected to follow.
The comprehensive operational and technical requirements laid out in the PCI DSS establish consistent measures for data security management, policies and procedures, network architecture and software design. Businesses and merchants are required to process, store and transmit payment cardholder data in compliance with these requirements so that it is kept private and secure. (Cardholder data is defined as any personally identifiable information associated with a cardholder including an account number, expiration date, name, address and Social Security number.)
Since online transaction and credit card fraud continue to be major threats to businesses, PCI compliance is crucial. That’s why it’s required of all entities with a Merchant ID (MID), from the largest Big Box stores to the smallest Mom and Pop shops and everything in between. Additionally, all “players” in the credit card payment chain must be PCI compliant, including payment service providers, banks and hosting providers.
It’s important to realize that PCI compliance is an ongoing process, not a one-time event in your business life. Consider it a series of common-sense “best practices” steps that all merchants should follow as part of their corporate security strategy.
What are my requirements?
As a merchant who stores, processes or transmits payment card data, you are required to be PCI DSS compliant by the payment brands and your merchant bank. To achieve PCI DSS compliance, you need to complete:
- An annual Self-Assessment Questionnaire (SAQ) to determine if you are taking the proper precautions to protect your payment card data, similar to an insurance questionnaire, and
- Quarterly security scans if your systems are connected to the Internet. The scans look for weaknesses that an attacker might use to access your systems. A PCI-certified Approved Scanning Vendor (ASV), such as 403 Labs, must conduct these scans.
Failure to comply with the PCI DSS can result in data breaches and fines. You may also lose the ability to accept payment cards.
Understanding the basis for PCI DSS will go a long way towards dispelling any concerns you may have about the process. Fundamentally, PCI DSS establishes six basic principles based on twelve core requirements (think of them as the “Digital Dozen”):
I. Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
II. Protect Cardholder Data
1. Protect cardholder data.
2. Encrypt transmission of cardholder data across open, public networks.
III. Maintain a Vulnerability Management Program
1. Use and regularly update anti-virus software.
2. Develop and maintain secure systems and applications.
IV. Implement Strong Access Control Measures
1. Restrict access to cardholder data by business need-to-know.
2. Assign a unique ID to each person with computer access.
3. Restrict physical access to cardholder data.
V. Regularly Monitor and Test Networks
1. Track and monitor all access to network resources and cardholder data.
2. Regularly test security systems and processes.
VI. Maintain an Information Security Policy
1. Establish and maintain a policy to address information security.
The Four Levels of PCI Compliance
There are four levels of PCI compliance; your level depends on the number of electronic transactions you process each year.
Level 4
Small businesses — those processing fewer than 20,000 eCommerce transactions and fewer than 1 million other transactions annually — fall into this category. Level 4 businesses must complete an annual risk assessment using the appropriate PCI Self-Assessment Questionnaire (SAQ).
Level 3
Mid-sized companies generating between 20,000 and 1 million transactions annually require an annual risk assessment using the appropriate SAQ.
Level 2
Companies at this level handle between 1 million and 6 million transactions annually. A PCI SAQ must be completed each year.
Level 1
“Big Box” stores and other major corporations with a minimum of 6 million transactions per year must conduct an annual internal audit with a qualified PCI auditor.
Quarterly PCI scans, administered by an approved scanning vendor, may also be required for businesses at all four levels.
Whatever your level, MSW Card®’s TransAction Central™ can reduce your PCI burden and help you achieve and maintain compliance by enabling you to easily accept payments with maximum security. This web-based payment gateway’s secure processing platform is fully PCI compliant and ideally suited for merchants of all sizes.
TransAction Central’s features and services are designed to meet your unique needs and expectations. For example, through its Tokenization service, TransAction Central’s hosted payment page eliminates the need to store card data altogether by sending back only minimal information such as transaction and reference IDs and an authorization code.
PCI Compliance Means Security
By fully complying with PCI DSS, you significantly decrease your risk of electronic data fraud that could seriously jeopardize or damage your business brand, reputation and finances. Just one data breach can cause a cascade of lost sales, cancelled accounts, destruction of business and community relationships, high-stakes lawsuits, insurance claims, and expensive fines and sanctions by individual payment brands.
As a merchant, you know that doing business is based on trust between you and your customers. Consumers who believe their sensitive credit or debit card information is safe with you are more likely to return and to refer other business your way. PCI compliance helps establish that important level of trust and feeling of security.
Final Thoughts on PCI Compliance
Compromised electronic data negatively affects everyone involved: merchants, consumers and financial institutions. By achieving PCI compliance, you’re taking responsibility for keeping the data entrusted to you safe from fraudsters and thieves.
The protective measures outlined in PCI DSS are an investment in the global battle against electronic fraud. PCI compliance ensures safeguarded payment card data with every transaction. Isn’t that what you and your customers expect?
When you’re ready to achieve and maintain PCI compliance, MSW Card can help. Let one of our representatives answer your questions and set you on the TransAction Central path to PCI DSS compliance.
Why is MSW Card using PCI Compliance?
In an effort to assist you with your compliance efforts, MSW Card has partnered with PCI Compliance, LLC, a company specializing in merchant compliance. PCI Compliance, LLC works with merchants to help them overcome their individual hurdles and achieve PCI DSS compliance.
To help facilitate PCI DSS compliance, PCI Compliance, LLC has teamed with 403 Labs to offer a fully automated Internet testing service that enables you to assess the security of your Internet connection and devices. This service includes an easy-to-use online Self-Assessment Questionnaire that guides you through your payment card environment and processes, as well as a vulnerability scanning engine that performs over 37,000 different security tests on your computer systems.
MSW Card has partnered with PCI Compliance to offer PCI Compliance’s services to our merchants at a significantly reduced cost.