PCI Compliance for Merchant Processing: Keeping Your Data Safe
What is PCI, and how do I avoid fees, audits, or even termination of my account?
If you’re a merchant currently processing credit cards, you probably already know about a few key things to watch for to stay compliant and keep your business safe. If you are a merchant looking to start processing electronic cards, first understand that ALL MERCHANTS that accept, hold, process, and/or transmit sensitive cardholder data MUST comply with the PCI DSS standards. Compliance is mandatory, and it helps ensure you are doing your part to keep your cardholders’ data secure.
The Payment Card Industry Data Security Standard (PCI DSS) is a global standard for data security created by the PCI SSC in 2004 – organized by the four major credit-card companies: Visa, MasterCard, American Express, and Discover. It was created to protect cardholders against the misuse of their personal data: merchants are required to follow procedures that optimize the security of their transactions, helping prevent data breaches and credit card fraud.
It’s important to note that PCI compliance is not a one-time achievement, but rather an evolving process that needs constant awareness. Maintaining PCI compliance should be viewed as a very important first step towards effective security measures. Data thieves are hard at work every day searching for system vulnerabilities, and we must work together as processor and merchant to maintain the most secure transaction route for your cardholders’ data. At Merchants Bancard Network (MBN), we work with all our merchants to help them through the compliance process, as it remains our top priority to ensure everyone is processing securely and is PCI compliant. We help educate our merchants and eliminate the hassle of maintaining PCI compliance.
How PCI DSS Standards Help Prevent Fraud
As of 2006, credit card fraud has become the most common form of identity theft. Customers know this – they hear it on the news and get alerts in their email. Demonstrating compliance with these standards proves to customers that your organization is serious about protecting their card information. Let’s review the main components involved in compliance.
Installing and maintaining a secure network is the first step in complying with PCI regulations. This means having a firewall in place to control the passage of electronic traffic within your internal network and between internal and external networks. Using a firewall on your network acts much in the same way a mechanical lock would be used to secure your bicycle when you go inside the store. Firewalls keep the bad guys from getting what they want.
PCI also requires that you never use default passwords on any of your systems. When software and hardware come out of the box, the passwords are set to a default value. Believe it or not, the most common security error by merchants is not changing default passwords before deploying infrastructure used with cardholder data. Use at least WPA2 encryption for wireless access points. Monitor and test public-facing networks for vulnerabilities, and ensure that all processes are in place and functioning properly.
Merchants must maintain a quality vulnerability management program. More often referred to as your anti-virus software, this ensures that the security features in place to protect your cardholder data stay up to date. Every week new vulnerabilities are exposed, whether as flaws in your software or as faulty configuration of an application. And then there’s the one that almost never happens: good old human error. Hey, it’s irrational to think that we should hit every button right every time. Whatever the source, flaws in the system don’t go away on their own. This is why keeping your quality anti-virus software updated is absolutely paramount. And PCI requires it. The PCI SSC maintains a list of approved anti-virus vendors. In addition to your anti-virus software, you should also implement strong access control measures across your system, restricting information to only those who require it. Every person who uses a computer in the system should log in with a unique and secure identification name or number.
Good news! New EMV (Europay, Mastercard, Visa) standards are pushing technology that gives merchants the edge. The newest chip-based payment cards, popularly known as ‘smart cards’, contain an embedded microprocessor, a type of mini computer. This microchip contains the information needed to use the card for payment and is protected by robust security features, making smart cards a more secure alternative to traditional magnetic-stripe payment cards. Data from the transaction is securely stored in the microchip, protected with sophisticated encryption technology. This microchip provides the protection needed to prevent card skimming and card cloning, the most common ways magnetic-stripe cards are compromised and used for fraudulent activity. Even if fraudsters were able to steal account data from a chip transaction, this data cannot be used to create a fraudulent transaction, because every chip-based transaction carries dynamic data.
Get Compliant Now
PCI compliance requires a couple of steps. First, you must complete the PCI self-assessment questionnaire (SAQ). From the questionnaire, you will learn if your system requires replacement or upgrade of non-PCI-compliant components. A network security scan might be required for companies that use the internet for transaction processing. Second, you must complete the ‘Attestation of Compliance’, stating that you have performed the appropriate self-assessment for your organization. You must complete this certification process once a year, to be submitted by your acquiring institution for validation. By the third quarter of 2015, complete liability for fraud will be shifted onto the shoulders of merchants and acquirers. This means the big card companies will no longer cover the bill for any fraud claims – it will be on you, the merchant. It’s time to get serious about data security.
To help, MBN has created an easy-to-use PCI compliance how-to website to assist our merchants with the requirements at pcimax.com. By logging in with your merchant ID and zip code, you can access the PCI site for your account. MBN takes pride in supplying our agents and merchants with the most flexible, up-to-date, and helpful information. This article is not a comprehensive guide to PCI compliance; there is more to talk about. We invite you to check out our newly redesigned website at mbncard.com and explore our complete library of educational materials covering PCI compliance, as well as the top-of-the-line services offered to our merchants.
Your MBN Team