When you process customers' payments, you are asking them to trust you with some of the most sensitive information they have, so it is essential that this data is properly secured. One of the main ways organizations demonstrate that is by complying with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is not a government mandate; it is a contractual requirement imposed by the card brands (Visa, American Express, MasterCard, Discover, and JCB International) on any organization that stores, processes, or transmits their cardholder data, regardless of transaction volume. So, if you accept payment cards from any of these brands, you need to be in compliance.
The PCI DSS outlines 12 security-focused requirements for companies. These requirements cover both operational and technical controls, ranging from encrypting cardholder data in storage and in transit, to regular vulnerability scanning and penetration testing, to maintaining a comprehensive information security policy. You can find an overview of all 12 requirements here.
Compliance Validation for Processors
While every company that handles any amount of payment card data must meet the 12 PCI DSS requirements, the way compliance is validated differs. Validation requirements are based primarily on transaction volume (the number of card transactions processed per year, which determines your merchant level) and on whether the company has suffered a breach in the past. Each card brand sets slightly different rules, but in general compliance validation breaks down as follows:
- Organizations with a high transaction volume, or that have suffered a breach, must have an annual onsite assessment performed by an external Qualified Security Assessor (QSA), who produces a Report on Compliance (ROC).
- Organizations with lower transaction volume can instead validate by completing a Self-Assessment Questionnaire (SAQ). Which SAQ applies depends on several variables, such as whether you are an e-commerce merchant, the type of payment terminal you use, and whether processing is outsourced to a third party.
- Quarterly external vulnerability scans of Internet-facing systems in the cardholder data environment must be performed by an Approved Scanning Vendor (ASV); confirm with your SAQ type and your acquirer whether they apply to you.
Again, you will need to check with the specific card brands to determine your merchant level. Here are links to each brand's validation requirements: Visa, MasterCard, American Express, Discover, JCB International.
Compliance Requirements If You Use Third-Party Processors
Using a third-party processor can streamline payment processing, but it does not exempt your organization from PCI compliance and validation requirements. Organizations that outsource processing remain ultimately responsible for ensuring that card data is handled securely. You will still need to complete a self-assessment questionnaire covering your own security posture. Typically this is SAQ A (when the third party handles all cardholder data, for example via a fully hosted payment page or a redirect, and your systems never touch card data) or SAQ A-EP (when your website can affect the security of the transaction, for example a payment form served from your site that posts directly to the processor). In addition, you should vet third-party vendors before working with them, put written agreements in place that spell out each party's responsibilities for maintaining compliance, and regularly monitor your vendors' compliance status. Full information on using third-party vendors can be found here.
Credit card fraud can be a devastating experience. So when a customer chooses to hand over payment information, they are placing an enormous amount of trust in your organization to handle that information with care. Whether you process the information yourself or use a third party, at the end of the day you are responsible for ensuring that your customers' sensitive information is kept secure. PCI DSS compliance is one of the most useful tools for doing this.