If your organization accepts payments by credit or debit card directly, then you need to be compliant with the Payment Card Industry Data Security Standard (PCI-DSS). It’s a global mandate supported by all the major international card brands, and it applies to all businesses that store or transmit cardholder data.
PCI sets the standards for running your payment operations securely and efficiently. It’s about much more than red tape; it’s about protecting your business and your customers from serious data breaches of the kind that target payment information.
Although data security regulations are a major pain point for business owners, PCI-DSS is more specific (and therefore easier to implement) than other regulations. But just like any set of mandated security standards, the consequences of failing to comply are disastrous, not just in terms of fines but also when it comes to reputational damage and possible litigation.
Although this list is by no means exhaustive, here are three things San Diego businesses need to know before getting started with PCI-DSS:
Determining your merchant level
The precise requirements of becoming compliant, as well as the fines for failing to comply, are dependent on the size of your business. The document has a four-tier system for classifying organizations by size and risk to determine their security requirements and penalty brackets. These levels are based on the total number of annual payment transactions handled by the organization.
Small businesses fall into Level Four, provided they handle fewer than 20,000 transactions per year, while large multinational merchants handling more than six million transactions are classified as Level One. However, there is one important exception: regardless of the number of transactions your company handles, if you’ve had payment data compromised in the past, you’ll be treated as a Level One merchant.
Completing your self-assessment questionnaire
Regardless of your merchant level, one of the most basic requirements of achieving compliance is completing a self-assessment questionnaire (SAQ). The SAQ questions vary depending on your level. Choosing the right SAQ depends not so much on the size of your organization as it does on how you collect payment information and what you do with it.
For example, the SAQ-A questionnaire applies only to organizations that take payment information online or over the phone but don’t store, process, or transmit cardholder data using their on-premises systems. Merchants that use standalone dial-out terminals to collect payment information yet don’t electronically store it for themselves will need to complete an SAQ-B questionnaire.
More complex environments also mandate the use of vulnerability scanning. The most stringent requirements include penetration testing to proactively identify every potential point of entry into your payment-processing systems.
Maintaining PCI-DSS compliance
Achieving PCI-DSS compliance isn’t something you do once and then forget about. It demands an ongoing effort that adapts to constantly changing and evolving business environments. As a business owner, the responsibility to meet existing standards and monitor for updates rests on your shoulders. Carrying out annual assessments is integral to achieving compliance, but focusing too much on these yearly reviews will lead to a false sense of security.
You need to maintain compliance by building in security and privacy controls by design and by default, segmenting systems that store, process, or transmit payment information, and enforcing up-to-date security policies. Following our blog is one way to ensure you don’t miss any industry updates, but obviously outsourcing IT management to compliance specialists is the safest option.
LANSolutions simplifies compliance with strategic managed security services for companies in San Diego, Orange County, and Hawaii. Call us today and tell us about your business needs.