Payment Card Industry (PCI) Compliance: An introduction

Introduction

Card transactions generate tonnes of data.  From transaction details such as the payment method used and amount paid, to Personal Identifiable Information (PII) such as full names and card details, this data must be stored somewhere safe. 

Attempts at credit card fraud can be highly sophisticated. The inability to prevent such attacks because of poor card payment security could result in a breach of customer trust and financial losses for the business, as well as inadvertently enabling criminal activity. Recent statistics show an encouraging 19.5% drop in credit card fraud, and every business that accepts cards has a role to play in advancing responsible commerce by ensuring that its own data practices are adequate and that it is doing everything it can to keep customer payment data secure.

In 2006, Visa, Mastercard, American Express, Discover, and JCB formed the Payment Card Industry Security Standards Council (PCI SSC), setting out rules and guidelines designed to keep card payments secure. The guidelines ensure all businesses that handle consumer credit card data play by the same rules and are up to speed with the requirements involved to keep this data safe. With this goal in mind the PCI Data Security Standards (PCI DSS) were created to protect consumers, banks and businesses from being exposed to potential critical data breaches.

The ins and outs of PCI compliance can be daunting, particularly given the abundance of day-to-day priorities and business-as-usual work. Below is a summary of the PCI DSS which provides a headline overview of the topic as your business works through how to manage its PCI requirements.
This summary should only serve as an introduction and does not constitute professional or financial advice. It therefore should not be acted upon without seeking professional advice. The full requirements, which are updated frequently, can be found on the PCI SSC website.



Why is PCI DSS needed?

To understand why there’s a need for the PCI DSS, it’s important to consider the landscape in which it came to be. When the PCI standard was developed in 2006, the evolution of the internet as a commercial tool and the ability to accept online payments represented an opportunity for businesses and convenience for customers, making everyone’s lives easier.

It also brought with it security concerns. Providing credit card details online left customers exposed and provided a business challenge to ensure data security. Inevitably, incidences of data theft increased significantly, leading to the establishment of the PCI SSC in 2006 mandated to “monitor threats and improve the industry’s means of dealing with them, through enhancements to PCI Security Standards and by the training of security professionals”.

It is crucial to understand that while the Council is charged with setting the standards and requirements for businesses to follow, PCI compliance is ultimately the responsibility of the merchant and the payment brands, not the PCI SSC.


Who is responsible for maintaining PCI compliance?

Every business involved with the processing, transmission, or storage of card data must comply with the Payment Card Industry Data Security Standards (PCI DSS) as is required based on their size and level of involvement.

PCI DSS exists to make sure all businesses treat the handling of payment data the same way - online, in-store, over the phone or in writing - keeping payments secure and data safe. By doing so you’re keeping your customers safe and maintaining trust.


What areas does PCI DSS compliance include?

For clarity, PCI DSS compliance can be broken down into three main areas.


PCI DSS compliance area - Meaning

Handling - Is customer credit card data collected and transmitted securely?
Storing - Is stored cardholder data protected?
Validating - Are appropriate security controls in place?


Handling payments data

Depending on your business, it may be necessary to directly handle credit card data when accepting payments, which means you will need to comply with PCI DSS to ensure this data is kept safe and handled appropriately. 
How businesses handle payment data varies depending on the business itself, but as a general rule, if a business doesn’t have to handle customer payment data, it shouldn’t. 

Third-party integrations such as Assembly’s ready-made drop-in UI are available to allow card data to be handled safely, reducing the risk and complexity that comes with doing this yourself. PCI compliance is a collective responsibility and applies to both your business and Assembly. Your business is still required to comply with PCI DSS; however, using Assembly’s drop-in UI lets your business validate at the easiest level of PCI DSS, SAQ A.


Storing data securely creates an added layer of complexity

If a business is required to store credit card data, it will need to define the scope of the cardholder data environment (CDE) where sensitive information is stored, and take specific steps to protect this. 

It makes sense then that, wherever possible, businesses should keep this storage to only the essentials - effectively creating a CDE that’s as small as possible. Every security requirement within the PCI DSS applies to the CDE, so ensuring this payment data is separate from the rest of the business is important, lest you find yourself having to apply the PCI security controls to every system and device in the business.


PCI validation frequency

Every year, ALL businesses that accept card payments are required to complete a PCI DSS assessment of their security controls, procedures and policies. This validation process varies from business to business, but will generally include completing a Self-Assessment Questionnaire (SAQ) - a self-validation tool for assessing the security of cardholder data.

This checklist includes some of the actions required to keep card payment data safe and secure.

Purpose - Actions required

Build and maintain a secure network
- Install and maintain a firewall configuration to protect customer data
- Don’t use vendor-supplied default passwords or other security parameters

Keep cardholder data secure
- Protect stored cardholder data
- Encrypt transmission of cardholder data and sensitive information across open public networks

Maintain a vulnerability management program
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications

Implement strong access control measures
- Restrict access to cardholder data to required business needs
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data

Regularly monitor and test networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes

Formalise the requirements
- Maintain a policy that addresses information security


How can you ensure that your business is PCI compliant?

Understand your business’ compliance requirements
Although Assembly processes credit card data on your behalf, you still have an obligation to be PCI compliant.

The PCI Security Council provides guidelines on the required compliance levels. 

PCI sets out different levels for merchants in order to assess their fraud risk and decide on the appropriate security level for their business, as well as the amount of assessment and security validation needed to pass PCI DSS assessment. In order to ensure you’re compliant with PCI requirements it’s important to know where your business sits within this framework. 

There are four different levels, which are broken up largely by the volume of credit card transactions your business churns through every year (although other factors may come into play depending on your security history). 

The following are the four levels of PCI compliance:

Level 1
You're in this camp if your business:
- Processes more than six million transactions in a year;
- Has been the victim of a data breach where account data was compromised; and
- Has previously been identified by any card company as merchant level 1.
Requirements:
- Participate in an on-site security assessment by a PCI SSC-accredited Qualified Security Assessor (QSA) every year;
- Conduct six-monthly penetration testing via an Approved Scan Vendor (ASV); and
- Complete an attestation of compliance form.

Level 2
You're in this camp if your business:
- Processes between 1,000,000 and 6,000,000 transactions annually, across all channels.
Requirements:
- Complete a Self-Assessment Questionnaire (SAQ) every year;
- Undergo annual penetration testing via an Approved Scan Vendor (ASV); and
- Complete an attestation of compliance form.

Level 3
You're in this camp if your business:
- Processes between 20,000 and 1,000,000 ecommerce transactions per year.
Requirements:
- Complete a Self-Assessment Questionnaire (SAQ) every year;
- Undergo annual penetration testing via an Approved Scan Vendor (ASV); and
- Complete an attestation of compliance form.

Level 4
You're in this camp if your business:
- Processes 20,000 ecommerce transactions per year; or
- Processes 1,000,000 non-ecommerce transactions annually.
Requirements:
- Complete a Self-Assessment Questionnaire (SAQ) every year;
- Undergo annual penetration testing via an Approved Scan Vendor (ASV); and
- Complete an attestation of compliance form.


As part of the PCI DSS, businesses are required to complete a Self-Assessment Questionnaire (SAQ) - a checklist created by the PCI SSC to simplify the process for businesses to check their PCI compliance - and there are different SAQ types depending on your payment integration method (outlined in the table below). Your business will have to complete this SAQ in order to formally achieve a level of PCI compliance. 

The SAQ is made up of a series of yes/no questions related to each PCI requirement. If you answer ‘no’ to any questions, you’ll be required to provide details and dates related to resolving this compliance issue.

There are a range of different SAQs available. The one you complete will depend on the type of business and your merchant level.


SAQ A - Ecommerce website (third party)
- Fully outsourced card acceptance & processing
- Merchant website provides an iframe or URL that redirects a consumer to a third-party payment processor
- Merchant cannot impact the security of the payment transaction

SAQ A-EP - Ecommerce website (direct post)
- Merchant website accepts payment using direct post or transparent redirect service

SAQ B - Processes cards via:
- Analog phone, fax, or stand-alone terminal
- Cellular phone (voice), or stand-alone terminal
- Knuckle buster/imprint machine

SAQ B-IP - Processes cards via:
- Internet-based stand-alone terminal isolated from other devices on the network

SAQ C-VT - Processes cards:
- One at a time via keyboard into a virtual terminal
- On an isolated network at one location
- No swipe device

SAQ C - Payment application systems connected to the internet
- Virtual terminal (not C-VT eligible)
- IP terminal (not B-IP eligible)
- Mobile device with a card-processing application or swipe device
- View or handle cardholder data via the internet
- POS with tokenisation

SAQ D - Ecommerce website
- Merchant website accepts payment and does not use a direct post or transparent redirect service
SAQ D - Electronic storage of card data
- POS system not utilising tokenisation or P2PE
- Merchant stores card data electronically

SAQ P2PE - Point-to-point encryption
- Validated PCI P2PE hardware payment terminal solution only
- Merchant specifies they qualify for the P2PE questionnaire


If you’re still unsure about which self-assessment questionnaire is applicable to you, see the guidelines under “Which SAQ Best Applies to My Environment?” here.


Where can businesses access further advice?

Assembly does not provide advice regarding PCI compliance requirements - it is your sole responsibility as a business owner that accepts card payments to seek your own independent QSA advice.

If you need clarity, guidance, or advice in relation to your PCI requirements, you must engage a Qualified Security Assessor (QSA) who can help you understand and fulfil your requirements. You or your organisation can then work through an internal assessment, with the help of a QSA, to attain compliance. 


Monitor your compliance

PCI compliance is not something you only need to think about once a year - it should constantly be top of mind to ensure your level of compliance remains up to date at all times.

Depending on your credit card partner, you may be asked to submit regular reports or assessments to demonstrate that you’re on top of your card payment security responsibilities so it’s best to be on the front foot with your checks. You must also ensure you keep your six-monthly updated SAQ on record and have it available to present when it is requested by your payment services provider.


What non-compliance means for your business

OK, so all this talk about PCI and compliance and SAQs is enough to make anyone’s head spin, we know. But while it can seem overwhelming and, let’s face it, dry, the importance of implementing healthy security and compliance measures for your business can’t be overstated.

PCI compliance is critical to ensure you keep your customers safe and protect your business from exposure to data breaches. If your business doesn’t comply with PCI standards, you’re risking data breaches, fines, audits, and other unforeseen costs, not to mention potentially unrecoverable brand damage which can only result in loss of business. 

Such penalties can be catastrophic for businesses. For example, if your company violates PCI-compliance standards, you may be subject to fines from the credit card company associated with the breach and/or a damaged relationship that affects your agreement.



Assembly’s drop-in UI can count towards part of your PCI compliance

It is your sole responsibility to establish your own PCI compliance - this is not something that Assembly Payments can do on your behalf. 

We take data security seriously and have been audited by a PCI-certified auditor, achieving the highest level of certification - PCI Service Provider Level 1. It’s important to remember though that this doesn’t mean your platform automatically receives the same certification just by partnering with us.

If you are looking for card payment integration into your platform, with Assembly you can accept all major credit cards with a ready-made drop-in UI, which reduces the cost and effort that comes with building your own.

With our ready-made drop-in UI solution, capturing credit card details - on your website or mobile application - through the Assembly platform is a straightforward task. You can rest assured that your system will remain well encrypted and you also won't require a self-attestation questionnaire to be completed.



The final word - PCI is your responsibility

PCI compliance is something that should always be top of mind in your business. It’s crucial that you remain vigilant and in control of all the ways in which you’re required to comply in order to keep card payment data secure. It’s good practice to check in with these requirements regularly, particularly if your business undergoes any changes, so that you can always be on the front foot. 

It’s important to remember as well that while complying with the PCI DSS guidelines is an important step in protecting your customers and your business, it’s something that cannot occur in isolation. Following the PCI DSS standards for handling and storing cardholder data is an excellent step, but ensuring you’re partnering with an experienced payments provider who can add an additional layer of security to your payments is a smart move. 

To integrate drop-in UI as a component of your PCI compliance plans contact us today.

Ensuring the security of card payments is good news for everyone, so start planning today.
