Lesson 6: PCI Compliance

As the electronic payments industry continues to grow, so does the risk of security breaches.  PCI compliance exists to reduce that risk.  In this lesson you will learn what compliance is and what it means for your business.  We will explain the various merchant levels and give some tips on what to look for, and what to avoid, when choosing a merchant account provider.

Target, Neiman Marcus and TJ Maxx all have one thing in common: each has suffered a major data breach that put millions of credit card numbers in the hands of thieves.  And in each case the company was PCI compliant, at least on paper, at the time of the breach.  Yes, all of them were up to date on their compliance!  Now you are probably thinking that if they were compliant and still let the thieves in, PCI compliance must be a joke, right?  In the words of Slimy Sam, “It’s complicated.”

What is PCI?

PCI DSS (the Payment Card Industry Data Security Standard) is a set of requirements for securing cardholder data wherever it is stored, processed or transmitted; being “PCI compliant” means meeting those requirements and validating that you do.  For a small merchant, validation can be as simple as completing a self-assessment questionnaire (SAQ) with the right answers about your business.  In practice, many merchants do nothing to change how they handle card data: they simply put the “correct” answers on the questionnaire to “pass” the test, and those answers often come straight from their merchant account provider.  The result is a false sense of security, since the merchant is certified compliant on paper while nothing about their systems has actually been checked.

For large merchants and service providers, validation is considerably more involved.  There is a physical assessment of the entire network and of the procedures around cardholder data.  These companies hire a QSA (Qualified Security Assessor) to come on site and perform an audit; the QSA works with the merchant on a ROC (Report on Compliance), which once complete is submitted to the acquiring bank and, through it, to the card brands.  They must also have quarterly external vulnerability scans run against their Internet-facing systems by an Approved Scanning Vendor to confirm that those systems are patched and free of known holes.

Which PCI Level Does Your Business Fall Under?

Each card brand assigns merchants to one of four levels based on annual transaction volume; your acquiring bank (merchant bank) will tell you which level applies to you.  The validation requirements differ by level.

Validation Requirements

Level 1
  • Annual Report on Compliance (“ROC”) by a Qualified Security Assessor (“QSA”), or by an internal auditor if signed by an officer of the company
  • The internal auditor is strongly recommended to hold the PCI SSC Internal Security Assessor (“ISA”) certification
  • Quarterly network scan by an Approved Scanning Vendor (“ASV”)
  • Attestation of Compliance (“AOC”) form

Level 2
  • Annual Self-Assessment Questionnaire (“SAQ”)
  • Quarterly network scan by ASV
  • Attestation of Compliance form

Level 3
  • Annual Self-Assessment Questionnaire (“SAQ”)
  • Quarterly network scan by ASV
  • Attestation of Compliance form

Level 4
  • Annual SAQ recommended
  • Quarterly network scan by ASV if applicable
  • Compliance validation requirements set by the merchant bank

The Big Take

As you learned in the previous lessons, a credit card transaction often passes through several systems before it settles in its final location.  The more “stops” it makes, the larger the PCI scope.  Target, for example, runs an extensive network of 20-30 checkout lanes per store, processing millions of dollars a day.  That alone requires a substantial investment in PCI compliance.  Multiply it by roughly 1,800 stores and a heavily trafficked ecommerce site, and you have a huge “target” for would-be credit card thieves.

Because the reward is so great, thieves will spend months relentlessly looking for a way into the system.  In Target’s case, the attackers first stole the network login of a Target vendor (a heating and refrigeration contractor) and used it to gain a foothold on Target’s network.  From there they pushed memory-scraping malware out to the point-of-sale systems across Target’s stores.

The malware was designed to run silently: every transaction processed as normal while a copy of the card data passing through the POS system’s memory was quietly set aside.  Nothing looked out of the ordinary, which is why the intrusion went unnoticed for so long.  There are reports that Target’s security tools raised alerts about the malware weeks before “the big take,” but after a short investigation the team decided there was no threat.  The breach was finally flagged by the U.S. Department of Justice once the attackers began moving the millions of card numbers off Target’s network to outside servers (reportedly in Russia).  By then it was too late and the damage had been done.

The TJ Maxx breach, disclosed in 2007 and involving at least 45.7 million card numbers by the parent company’s own estimate, was caused by weakly secured store wireless networks (WEP) that carried transaction data from the POS systems at the front of the store to the transaction servers in the back.  Heartland Payment Systems disclosed in January 2009 that roughly 130 million card numbers had been exposed; the attackers got in through a SQL injection flaw in a web application and then planted sniffer malware on the card-processing network, where it captured card data for months without Heartland’s IT team noticing.  It was the card brands’ fraud teams that spotted a pattern across large blocks of fraudulent transactions and traced them back to Heartland’s system.  Each of these companies had been through the PCI assessment process; Target and Heartland, for instance, had been certified compliant shortly before their intrusions.

The Case for Compliance

Being PCI compliant is no guarantee that your systems won’t be breached; in fact it guarantees nothing of the sort.  What compliance does offer is a set of procedures and best practices for the industry to implement.  If you process credit card transactions, you will always be at risk from these thieves.  For the large breaches, the penalties, class-action settlements and remediation costs are steep: Heartland Payment Systems has paid out over $140 million in breach-related expenses, and at the time of writing Target was expected to face $60-75 million.  It is simply not worth the risk to accept credit card transactions without taking PCI compliance seriously.

For smaller merchants the process is easier than for larger ones, but regardless of the size of your business you need to stay on top of your policies and procedures for handling, storing and transmitting card data.  We recommend taking the time to truly understand the questions on the self-assessment questionnaire.  If you don’t understand a question, don’t be afraid to ask for help.  Many merchant account providers use PCI firms to administer compliance for their merchants; find out who your provider uses and give them a call.  Above all, make sure you understand your own system and how it handles transactions.

If you use software to accept credit card transactions, make sure the software itself has been validated.  Validated service providers are listed on Visa’s Global Registry of Service Providers, and validated payment applications on the PCI Security Standards Council’s website.  If a company is not listed and still claims to be compliant, ask for its Attestation of Compliance.  Take an inventory of the systems you use and make a simple chart of the path a transaction takes.  For example, an average-sized clothing retailer has a card terminal at the counter connected to POS software; the software uses Authorize.net as a gateway to reach First Data for processing.  This is what the simple chart might look like:

  card terminal -> POS software (store PC) -> Authorize.net (gateway) -> First Data (processor)

In the above scenario you can check off First Data, Authorize.net and the POS software as validated (remember to verify each listing yourself rather than taking the provider’s word).  What remains is how the card data enters and moves through the POS software.  The PC it runs on and the store network it sits on are yours, not the vendor’s: no third party’s listing covers them, so that is where your risk and your assessment effort concentrate.  Make sure the proper security is enabled on your internal network (LAN) and that a firewall is in place, and, regardless of merchant size, have an external PCI scan completed quarterly when you use this type of setup.
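Mapping the transaction path can be done with a small script instead of a drawing, which also makes it easy to re-check after every change.  The Python below is an added example for this lesson; it is not code from this page or from any of the providers it names.  The component names Authorize.net and First Data come from the scenario above, while the network segments, the extra “back-office PC,” every attribute value and the scoping rules encoded in the code are assumptions made for illustration.  It walks the flow and reports which components you must assess yourself, which third parties lack a validated listing, and which links carry card data in the clear.

```python
"""Cardholder-data flow mapping for PCI DSS scoping.

Added example for this lesson, not code from the page's author or any
provider named on it. Attribute values, segments and the scoping rules
are illustrative assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Component:
    name: str
    operator: str            # "merchant" or "third_party"
    handles_chd: bool        # stores, processes or transmits cardholder data
    segment: str             # network segment the component lives on
    validated: bool = False  # has a PCI-validated listing (provider / payment app)


@dataclass
class Hop:
    src: str
    dst: str
    encrypted: bool          # cardholder data is encrypted on this link


@dataclass
class FlowMap:
    components: dict = field(default_factory=dict)
    hops: list = field(default_factory=list)

    def add(self, c: Component) -> None:
        self.components[c.name] = c

    def link(self, src: str, dst: str, encrypted: bool) -> None:
        self.hops.append(Hop(src, dst, encrypted))

    def in_scope(self) -> set:
        """Components that handle CHD, plus every merchant component sharing a
        network segment with a CHD-handling merchant system. PCI DSS treats
        such 'connected-to' systems as in scope unless they are segmented."""
        direct = {n for n, c in self.components.items() if c.handles_chd}
        hot_segments = {self.components[n].segment for n in direct
                        if self.components[n].operator == "merchant"}
        connected = {n for n, c in self.components.items()
                     if c.operator == "merchant" and c.segment in hot_segments}
        return direct | connected

    def merchant_responsibility(self) -> list:
        """In-scope components the merchant must assess itself: everything in
        scope that is not a validated third party."""
        return sorted(n for n in self.in_scope()
                      if not (self.components[n].operator == "third_party"
                              and self.components[n].validated))

    def unvalidated_third_parties(self) -> list:
        """Third parties on the path with no validated listing to check off."""
        return sorted(n for n, c in self.components.items()
                      if c.operator == "third_party" and not c.validated)

    def cleartext_hops(self) -> list:
        """Links that carry CHD without encryption (the TJ Maxx lesson)."""
        return [(h.src, h.dst) for h in self.hops
                if not h.encrypted
                and self.components[h.src].handles_chd
                and self.components[h.dst].handles_chd]


def lesson_retailer() -> FlowMap:
    """The lesson's clothing-retailer path: terminal -> POS software on a
    store PC -> Authorize.net gateway -> First Data processor. The
    'back-office PC' and all attribute values are constructed for illustration."""
    m = FlowMap()
    m.add(Component("card terminal", "merchant", True, "store-lan"))
    m.add(Component("POS software (store PC)", "merchant", True, "store-lan"))
    m.add(Component("back-office PC", "merchant", False, "store-lan"))
    m.add(Component("Authorize.net", "third_party", True, "internet", validated=True))
    m.add(Component("First Data", "third_party", True, "internet", validated=True))
    m.link("card terminal", "POS software (store PC)", encrypted=True)
    m.link("POS software (store PC)", "Authorize.net", encrypted=True)
    m.link("Authorize.net", "First Data", encrypted=True)
    return m


if __name__ == "__main__":
    flow = lesson_retailer()
    print("merchant must assess:", flow.merchant_responsibility())
    print("unvalidated third parties:", flow.unvalidated_third_parties())
    print("cleartext hops:", flow.cleartext_hops())
```

Run it and note that the back-office PC shows up as something you must assess even though it never touches card data: it shares the store LAN with the POS software, and connected-to systems count as in scope until you segment them away.  Setting a hop’s encrypted flag to False reproduces the unencrypted-wireless situation of the TJ Maxx breach and reports that link as a cleartext hop.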

What merchants often don’t realize is that new security holes appear constantly.  Just because your system passed a scan last week doesn’t mean it is still clean this week.  Make sure your IT team keeps every system current on security patches and updates; timely patching is one of your most effective defenses against attackers.

The Bottom Line

Credit card fraud is big business, and if you have a merchant account you are exposed to it.  Take the appropriate steps to put proper procedures and protections in place on the systems themselves, and give your staff proper training.  Make sure everyone on your team understands the do’s and don’ts of handling credit cards and sensitive information.

———————- Slimy Fee Alert———————-

If you have a merchant account today, there is a very good chance you are already paying a PCI compliance fee.  These fees range from $69 to $199 a year and often provide little or no value to the merchant.  Ask your merchant account provider what the fee covers and what programs it entitles you to.  Since you are already paying it (willingly or not), find out what it actually buys you.  If they cannot explain the program in any detail, ask for a refund and start looking for a new provider, because the fee is merely a “money grab.”  Don’t be shy: most companies will refund it with no questions asked, a telltale sign that it is simply a revenue center for them.


Some programs offered by merchant account providers are genuinely useful and include a wealth of online tools to help you understand and complete PCI compliance.  Take advantage of them!  Not only are they a good resource, they are also a service you are already paying for.

If after all of this you decide not to become PCI compliant, be warned that you will start receiving a monthly “non-compliance” fee, typically starting around $19.99 a month.  The fee exists to “motivate” you to become compliant, and it is also a revenue opportunity for the merchant account provider (that’s right, the industry has a fee for everything).

The bottom line: make sure you are compliant and that your merchant account provider has your compliance on record.  Stop paying a PCI compliance fee if you are getting nothing in return, and be proactive about securing your transactions.  If a breach occurs, no one is to blame but you, and you will find yourself standing on an island watching the POS software company, the gateway and the processor wave goodbye as they sail away.

Three Steps for Compliance

1. Assess

Identify all technology and process vulnerabilities that put at risk the cardholder data your business transmits, processes or stores.  Validate the compliance status of every third party involved in the transaction path.  Determine your merchant level, then hire a QSA (if your level requires it) or complete the Self-Assessment Questionnaire.

2. Remediate

Remediation is the process of fixing the vulnerabilities you found, whether technical flaws in software or unsafe practices in how your organization processes or stores cardholder data.  Scan your network with tools that analyze the infrastructure and spot known vulnerabilities, then review and fix what the on-site assessment (if applicable) or the Self-Assessment Questionnaire process turned up.

3. Report

Regular reports are required to maintain compliance; they go to your acquiring bank and, through it, to the payment brands you do business with.  Merchants whose level requires it (see the validation requirements above) submit quarterly scan reports produced by a PCI Approved Scanning Vendor.  Level 1 merchants must also have an annual on-site assessment by a QSA and submit the resulting Report on Compliance to each acquirer.  Talk to your merchant account provider for details.