Getting PCI compliance for your business
How to apply for and stay PCI DSS compliant
If your business accepts card payments it's important to have a robust security platform to protect your customers. The card payments industry saw a rise in card payment fraud and developed the Payment Card Industry Data Security Standard (PCI DSS) to improve card payment security.
Launched in 2006, PCI DSS applies to all companies that process, store or transmit payment card information. If your business accepts payments from MasterCard, Visa, American Express, Discover or JCB, your business must be fully PCI DSS compliant.
Why should small businesses use the PCI DSS system? PCI DSS is administered by the PCI Security Standards Council, an independent body created by the major credit card issuers, which gives the following reasons for complying:
- Compliance with the PCI DSS means that your systems are secure, and customers can trust you with their sensitive payment card information.
- Trust means your customers have confidence in doing business with you.
- Confident customers are more likely to be repeat customers, and to recommend you to others.
- Compliance is an ongoing process, not a one-time event. It helps prevent security breaches and theft of payment card data, not just today, but in the future.
The PCI Security Standards Council says: "You've worked hard to build your business – make sure you secure your success by securing your customers' payment card data. Your customers depend on you to keep their information safe – repay their trust with compliance to the PCI Security Standards."
If your business doesn't support PCI DSS, the PCI Security Standards Council warns:
- Compromised data negatively affects consumers, merchants, and financial institutions.
- Just one incident can severely damage your reputation and your ability to conduct business effectively, far into the future.
- Account data breaches can lead to catastrophic loss of sales, relationships and standing in your community, and depressed share price if yours is a public company.
- Possible negative consequences also include: lawsuits, insurance claims, cancelled accounts, payment card issuer fines and Government fines.
The PCI DSS compliance process
Most businesses will fall into the Merchant Level 4 category, which is defined as processing fewer than 20,000 Visa transactions per year.
You can ensure your business is fully compliant by following these steps:
- Identify which Validation Type your business should use under PCI DSS. This will determine which Self Assessment Questionnaire (SAQ) your business will have to complete.
- Once the Self Assessment Questionnaire is completed, you will need to show evidence that your business has passed vulnerability scanning by one of the PCI SSC Approved Scanning Vendors. This is required of Level 4 businesses that have a customer-facing website, which all e-commerce businesses do. A full list of approved scanning vendors is on the PCI Security Standards Council website.
- Complete the Attestation of Compliance, which is located in the SAQ tool. More information is on the PCI Security Standards Council website.
- Submit your SAQ and evidence that your business has passed vulnerability scanning and any additional documentation that your acquirer has requested. Your acquirer will be the company that handles your payment card processing.
It is important to understand that having a security system on your website – usually SSL (Secure Sockets Layer) – does not mean your business is PCI DSS compliant; the two address different things. SSL encrypts the information that passes between a visitor's computer and your business' servers while it is in transit.
That does include any credit or debit card details a customer enters into your checkout system, but it does nothing to protect that data once it has reached your systems and is being processed or stored. This is where PCI DSS compliance comes in. Your business should have a valid SSL certificate from one of the leading vendors, such as Thawte or VeriSign, and maintain current PCI DSS compliance as well.
For smaller businesses gaining full PCI DSS compliance can seem quite daunting. Luckily there are a number of companies that offer compliance services and tools your business can use to make the whole process much easier.
One tool is QualysGuard PCI Compliance. The cloud-based system offers a streamlined process that also provides the assurance that your network is highly secure. The QualysGuard PCI web application walks you through the PCI compliance process with its easy to follow step by step approach and compliance tips.
After your business has obtained its SSL certificate and fully complied with PCI DSS, it should still be vigilant about card-based fraud. As security initiatives such as PCI DSS and Chip & PIN have been introduced, incidents of card fraud have fallen, but your business should have a detailed knowledge of what action to take if you suspect a fraud has taken place. Visa has a handy document, 'What to do if your site is compromised', that looks closely at the types of card fraud to watch out for and what to do if you think a card fraud has taken place. If your business is not yet PCI DSS compliant, put this at the top of your agenda.