With e-commerce booming, many consumers are getting used to the idea of shopping online and having their prized purchases delivered straight to their door without even having to change out of pajamas or find a parking spot. This is evidenced by the 11% rise in UPS December shipping in 2014[1] and even more projected growth in 2015. With increased e-commerce sales in December as well as the rest of the year, consumers are also trusting that each time they use a debit or credit card they will be protected against cyber-theft.
PCI Compliant
PCI stands for payment card industry. There is a data security standard set for all companies that process, transmit, or store credit card information in order to maintain a secure data environment. Collectively, these standards are known as PCI DSS, and they apply to any merchant that has a MID, or Merchant ID.
PCI standards apply to any merchant or organization, regardless of the number of transactions or the size of the organization, as long as it accepts, transmits, or stores any cardholder data. So, as long as the merchant is paid directly using a debit or credit card, the PCI DSS rules and requirements apply.
Data Centers and PCI Compliance
Data centers are often asked if they are PCI Compliant. Normally, data center providers do not have anything to do with sensitive customer information and the handling procedures associated with it. Data centers house servers in facilities, and they allow merchants to utilize these servers to conduct their business. Data centers are the physical home to the “clouds” that you always hear about your data being stored in.
Data centers do have their own part to play in PCI compliance: they have to fill out portions of a PCI self-assessment questionnaire and, for each requirement they do not meet directly, provide a “Compensating Control Used” or “Not Applicable” explanation. Some of the requirements for a data center to be PCI compliant include the following:
- Are there appropriate entry controls for the facility?
- Are there video cameras or other access-control mechanisms to monitor physical access?
- Is the data from the aforementioned cameras and mechanisms reviewed and correlated?
- Is the data stored for a minimum of 3 months?
- Is physical access to publicly accessible network jacks restricted?
- Are employees and visitors easily distinguished and restricted from inappropriate areas?
- Are all visitors handled according to the specified PCI compliance rules?
However, merely using a PCI-compliant data center does not automatically make the merchant compliant as well. Each individual merchant or company is responsible for its own compliance.
Merchant PCI Compliance
Merchants are responsible for compliance with all PCI DSS standards. There are 4 merchant levels of compliance. The level is based upon the aggregate volume of transactions processed, stored, or transmitted by the entity's DBA (Doing Business As).
For example, Visa has set standards that define its levels of PCI compliance. The standard for Level 1 (the highest level) is as follows:
Merchant Level 1 is defined as: “Any merchant—regardless of acceptance channel—processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.”[2]
Self-Assessment Questionnaire
In order to satisfy the PCI DSS compliance standards, each merchant must fill out an SAQ just as data centers do. There are also steps to evaluating a merchant and ensuring compliance. These steps include the following:
- Assess: This step identifies all process and technology vulnerabilities that pose a risk to cardholder data security. The PCI DSS covers the IT processes and infrastructure that touch payment account data. In other words, you need to determine how cardholder data flows through the transaction process, from beginning to end. Additionally, the versions of PIN entry terminals and of the software used for transactions and processing must be checked for PCI compliance.
- Remediate: Once assessment is complete, remediation, meaning the fixing of the vulnerabilities found, must commence. This includes correcting technical flaws in software code, scanning for and fixing weaknesses in software tools, and applying fixes, patches, changes, and workarounds to unsafe workflows and practices. Remediation items should be ranked by priority so that the most important problems get fixed first. Once all remediation is completed, a full scan and assessment should be performed again to confirm the problems have been fixed.
- Report: In order to fully satisfy PCI compliance, regular reports must be submitted. These reports go to the acquiring bank and to the global payment brands with which you do business. The reports include a quarterly scan report, an annual on-site assessment for businesses with large transaction flows, and, for businesses with small transaction flows, an annual Attestation submitted as part of the SAQ.