The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard developed and enforced by the PCI Security Standards Council (PCI SSC), a global body founded by the five major card brands to protect payment card data from security threats. It applies to all organizations that store, process, and/or transmit cardholder data. PCI DSS covers both the technical components (e.g. how your terminal hardware is set up with your POS) and the operational aspects (e.g. where and how receipts are stored) related to cardholder data.
In short, if you’re a merchant who accepts credit card payments, you need to comply with the PCI DSS.
PCI DSS is not only one of the longest payments-related acronyms wireless retailers need to deal with; it’s also the one most associated with headaches for business owners and operations and finance managers, because of the complexity of maintaining compliance (and the repercussions of noncompliance).
This post looks at the “what”, “why”, and “how” of PCI DSS compliance and provides some tips for streamlining the compliance process so you can focus less on technical details and more on growing your business.
What is PCI DSS compliance?
As mentioned above, PCI DSS is a universal security standard developed to protect sensitive cardholder data. To comply with PCI DSS, your business must meet 12 requirements, which align with 6 security goals:
[Table: the 12 PCI DSS requirements grouped under the 6 security goals. Source: PCI DSS Quick Reference Guide]
This set of requirements ensures that merchants are employing security best practices across all business activities.
Why is PCI DSS compliance important?
Protecting customers’ sensitive payment data is top-of-mind for business owners these days in light of recent data breaches at major retailers and the egregiously high rates of card fraud in the U.S. The PCI DSS was introduced specifically to increase controls around how payment card data is processed and stored in an effort to thwart fraud and theft of cardholder data.
Despite the importance of PCI DSS compliance, 80% of retailers fail their interim compliance assessments. As if this number wasn’t startling enough, the costs of noncompliance are outrageously high: failing to comply with PCI DSS can result in financial penalties anywhere from $5,000 to $500,000. This bottom-line-breaking amount doesn’t even account for legal fees or the losses associated with damage to your brand reputation. A single violation of PCI DSS may threaten your relationships with customers, processing partners, credit card companies, and banks, and make other consumers and organizations wary of working with you in the future.
Maintaining compliance with PCI DSS is crucial to the success of any business, but there’s an added pressure in the wireless industry to prevent data breaches since consumers expect robust security standards from retailers specializing in high-tech products.
How do I become compliant?
To qualify as PCI DSS compliant, merchants must complete the Self-Assessment Questionnaire (SAQ) — a self-evaluation tool used to determine whether merchants meet the 12 requirements set by the PCI SSC — and submit an Attestation of Compliance (AOC) to validate their compliance status. Completion of the SAQ and AOC must be performed annually. There are five different versions of the SAQ, each of which is designed for specific business types.
The first step to becoming compliant is to determine the scope of your business’s cardholder data environment. Your PCI scope covers all the people, processes, and technologies that store, process, or transmit cardholder data.
Next, determine which merchant level best describes your business and select the correct SAQ. For brick-and-mortar wireless retailers, this is most commonly SAQ C, which is designed for merchants that process cardholder data via payment applications (i.e., point of sale systems) connected to the Internet, but do not actually store any electronic cardholder data.
SAQ C consists of 70 questions covering all 12 requirements and 6 goals of the Payment Card Industry Security Standards Council. Completion of the questionnaire involves a comprehensive self-assessment of the entire scope of a merchant’s payment network, and each question involves additional steps, such as systems testing, updating written security policies, and reviewing user password and authentication procedures.
For business decision makers with ten-mile-long to-do lists, completing the SAQ each year can seem like an obstacle to the important work of running — and growing — their businesses. Many merchants become (understandably) frustrated by the technical complexity of many of the questions, as well as the time and resources required to complete the SAQ.
However, PCI DSS compliance doesn’t need to be a burden. There are a few strategies merchants can employ to become — and stay — compliant, without having to get a PhD in PCI or compromising security standards.
How can I make PCI DSS compliance less complicated?
The easiest way to simplify PCI compliance is to minimize the points where your network touches payment card data with a scope reduction solution. iQmetrix Payments is proud to announce its revamped scope reduction package — the Shield Protection Package through Payment Connect, available for all wireless merchants in March 2018. Shrinking your cardholder data environment minimizes the expenses and efforts required to comply with PCI DSS. With the Shield Protection Package, you can reduce your PCI workload up to 95%.
Once your PCI scope is reduced, there’s very little effort required to maintain compliance. Best of all, reducing your PCI scope means that the most time-consuming technical requirements get delegated to your processing partner, since the most sensitive cardholder data goes through their network and never touches yours. This means you can shrink your SAQ from 70 questions to just 1.
By reducing your PCI scope and leaving the technical requirements to payments security experts, you can ensure your business is compliant with all security standards, protect your customers’ sensitive payment data, and reduce your operating costs. That’s a win-win-win in our books.
To learn more about how iQmetrix can help you make PCI DSS compliance a breeze rather than a burden, contact a Payments Solutions Specialist for more information on the Shield Protection Package.