PCI Compliance Doesn’t Need to Be an Impossible Task
For the longest time, businesses on the internet were susceptible to credit card fraud. Credit card handlers and companies alike were unsure of how to protect data stored on the internet. That’s where PCI compliance comes in. Founded in 2006, the PCI Security Standards Council sets restrictions for how business online is done. PCI compliance keeps companies, cardholders, and banks safe. Here, we’ll discuss all things PCI Compliance for you and your business. From the required standards to questionnaires, you should have a solid grasp of all that makes up this safety standard by the time you finish reading. Understanding PCI compliance does not need to be an impossible task.
What is PCI Compliance?
It was determined a long time ago that credit cards on the internet needed some form of protection. Without protection, these methods of payment are susceptible to fraud and theft. PCI compliance exists to ensure that a platform is safe for customers to plug in their private information. It assures your clients and customers that their data is safe with your business.
To be considered PCI compliant, your business site must pass a set of standards. These standards include:
- Shopping cart page regulations where credit cards are used
- Checks on any card readers that are attached to your computer
- Username/password systems that protect a client’s information
Do You Need PCI Compliance?
The short answer is yes. For any site that accepts payment, PCI compliance is a must. Without it, fees and risks rise exponentially. If your site or business takes credit cards on the internet, you need to go through the process for the sake of your future. It is of the utmost importance, and it is also a legal requirement for your safety.
There are a few different levels of PCI compliance. A business must first determine what level they fall under before proceeding. From there, they can go about securing their network. We will discuss this a little later in the article.
Common Acronyms Used in PCI Compliance
When you look into the process of becoming PCI compliant, you’ll see that there are a bunch of different steps that you need to complete. Three items are labeled with acronyms that might be confusing at first glance. You will need to know all of them so that you know what to expect when you see them.
The three items you will need to know the differences between include:
- PCI DSS Self-Assessment Questionnaire (SAQ)
- Attestation of Compliance (AoC)
- Report on Compliance (RoC)
We’ll go over each of these so that you know what they are and when they come into play. Each has a part in ensuring that your method of accepting payment is secure for your clients. They are all critical to your business.
1. PCI DSS Self-Assessment Questionnaire (SAQ)
This item is a form that will help you determine which compliance regulations apply to your organization. There are nine different versions of the document, and they all depend on how your business processes, handles, and stores the information that cardholders provide.
The nine types include:
- SAQ A
- SAQ A-EP
- SAQ B
- SAQ B-IP
- SAQ C-VT
- SAQ C
- SAQ P2PE-HW
- SAQ D for Merchants
- SAQ D for Service Providers
You will need to determine which is best for you to use based on how you handle business. Having this form is a crucial part of becoming PCI compliant. It will keep you from taking unnecessary measures for your business as you go about this process.
2. Attestation of Compliance (AoC)
The Attestation of Compliance is an action completed by a QSA, otherwise known as a Qualified Security Assessor. They will create documented evidence that informs the council that your business upholds solid security practices. They will ensure that you have completed your SAQ and meet all the required standards.
There are a few different versions of the AoC, just as with the SAQ. You’ll need to pick the one that corresponds with the SAQ you filled out based on your business. That way, you can get a proper attestation completed.
3. Report on Compliance (RoC)
The RoC, or Report on Compliance, is a report on everything a business does to ensure the best protection for cardholders. Another Qualified Security Assessor will examine and perform an audit of your controls. They will also summarize and document their findings, which turn into this final report.
The RoC reports on items such as:
- The security posture
- The overall environment
- The systems in use
- The methods utilized to protect data
This report is necessary because it will allow your clients to understand what your security is. They will know if their card information is safe on your site. They will also know if there are any risks they will be taking in providing you with personal information. This report is one of the final steps when you are determining if you are compliant or not.
How Do You Become PCI Compliant?
There are six steps that you must take on to become PCI compliant. By following each of them carefully, you can ensure that your site is safe and protected. This process varies depending on the size of your business and how many transactions occur on your site. Different standards apply to varying organizations.
The six key steps include:
- Determining your PCI level
- Acknowledging potential consequences for failing to be PCI Compliant
- Completing a Self-Compliance Questionnaire
- Creating a secure network
- Filling out an Attestation of Compliance
- File paperwork
We will go over each of these carefully so that you can understand the process. It probably seems complicated, but it’s not. With careful reading, you will be able to make your site PCI compliant in no time at all.
1. Determining Your PCI Level
The first step when making your business PCI compliant is to determine what PCI level you are. There are four of them, all based on a few different factors.
The PCI Levels include:
- LevelOne: This applies to you if your business processes over six million transactions annually, no matter what channel is being used.
- LevelTwo: This applies to you if your business processes between one million and six million transactions annually, Level Three: This applies to you if your business processes 20,000 to one million eCommerce transactions annually.
- LevelFour: This applies to you if your business processes less than 20,000 eCommerce transactions annually, or less than one million no matter what channel is used.
Based on the transactions that your business makes, you can decide what your PCI level is. This label will assist you in determining what standards you will need to use to make your business PCI compliant.
2. Note Consequences
Any store or business that stores credit card information is required to be PCI compliant. Failing to do so can result in fees, fines, and even larger consequences down the road. You’re putting your business and customers at risk by avoiding the process.
Some of the events that could occur as a result of failing to become PCI compliant include:
- Loss of business reputation
- Credit card breaches
- Lawsuits
- Fees and fines
You should note the potential consequences for your particular PCI level. You should be prepared to face them if you fail to make your business PCI compliant.
3. Complete a PCI RSS Self-Assessment Questionnaire
Next, you will need to fill out a Self-Assessment Questionnaire. These are the forms we discussed above. You will fill out the one that corresponds to your business and the online transactions that occur within your fiscal year.
The form is as simple as they come. It goes over each of the PCI Data Security Standard Requirements, to which you will answer yes or no in response. A yes means that your company security follows that standard. A no means that you may have some gaps that you need to address.
The PCI RSS Self-Assessment Questionnaire will help you figure out what you need to tackle before auditing your PCI compliance. You should be able to answer yes to every question if you are fully functional in protecting your clients’ cards.
4. Create a Secure Network
Once you know what areas your security is lacking, you can address them. You should adhere to the twelve guidelines that fit your business. If the changes are simple, you can do them yourself. If you’re not sure how to address them, you can seek outside help to make the alterations.
Some fixes made at this point could include:
- Adding a firewall to protect data
- Restricting access to cardholder data
- Authenticating access to the system
- Creating a policy for personnel to follow for security
Once you have addressed each of your security problems, you will be ready to move on to the final steps of becoming PCI compliant. Make sure you have covered all of your bases before proceeding.
5. Fill Out an Attestation of Compliance
Once you feel that you’re ready, you can fill out an Attestation of Compliance. This decision means that you are positive that your business fits with all of the required guidelines. A Qualified Security Assessor will come and scope out the situation, filing a report in the process.
When they are done, they will have completed a Report on Compliance. This report will inform the council whether or not you have adhered to the guidelines. If you succeed with filing your attestation, you are ready to move on to the final step.
6. File Paperwork
The final step in becoming PCI compliant is to fill out paperwork. You will need to do this with banks, credit card companies, and every other company you may be working with. Some papers that you might need to submit:
- The SAQ
- The AoC
- An external vulnerability scan
Once the paperwork goes through, you should be good to go. Your business can proudly declare that it is safe for cardholders to access their information. If you need help during the process, there are companies out there that can assist you. Ask for help if you are stuck. It’s better to get help than to fall short of becoming PCI compliant.
How to Become Compliant on Various Platforms
Many platforms can be used to collect credit card information. On most of them, you will need to become PCI compliant for the safety of your business and clients.
We will discuss two popular platforms that you may need to become PCI compliant on. If you run any form of credit card transactions through these, you will need to go through the PCI compliance process.
PCI Compliance on Microsoft Teams
Microsoft Teams is a platform that is often used in the workspace. If you capture or record credit card information at any time in this space, you will need to make your platform PCI compliant. If you are using calls to contact your customers, you should use an add-on agency to ensure that the calls are private.
To become PCI compliant, you can follow the same process as stated above. Your situation will only apply to phone calls. The security efforts you make will be based on making sure that every call you make is as private as possible.
PCI Compliance on WordPress
WordPress is a website maker that many use for their businesses. This means that goods and services are often purchased through this online format. While the internet is a great place for an up-and-coming business, it can be dangerous. Anyone taking credit card payments on WordPress should take action to make their site PCI compliant.
To make your WordPress site fit this standard, you will need to:
- Find your merchant level
- Fill out the SAQ
- Figure out necessary security patches
- Use proper plugins and tools to take in the information
- Fill out the appropriate paperwork
Once you are PCI compliant on WordPress, your customers can feel safe giving you their information. This completion can help a small business get on its feet much faster.
Eventually, you will understand the security measures like the back of your hand. PCI compliance might seem annoying, but it is a great item that protects you, your customers, and even the banks from falling prey to fraud online.
The Path to PCI Compliance
This is just one of the most important regulations you may come across in your organization. It’s a good idea to examine your compliance procedures at least once a year, and more frequently if the regulations change.
We recommend consulting with legal counsel if your organization lacks in-house staff with the detailed understanding required to assure compliance.
You should contact a skilled compliance and technology partner, such asEdge Networks, to help you with the technical and operational parts of your compliance journey. Your investment will begin to pay for itself immediately, and remember, you can’t put a price on your peace of mind. Contact us today for a free 30 minute consultation.