This website is educational. Its purpose is to teach merchants (owners of businesses that accept credit cards) about the Payment Card Industry Data Security Standards – or PCI-DSS – for short. We do not sell any products, nor do we provide any technological solutions. We built this website because we have learned, through our representation of merchants, that too little is known or understood about PCI-DSS. We have also learned that the cost of ignorance of PCI-DSS can be high.
By way of introduction, PCI-DSS is simply a collection of rules. These rules require merchants to take certain steps to safeguard credit card data. The rules are meant to protect credit card data from hackers and other criminals and thereby reduce the incidence of credit card fraud, which has become an epidemic.
Non-compliance with PCI-DSS costs merchants millions of dollars each year. To anyone familiar with PCI-DSS, this is not terribly surprising. The rules are lengthy, confusing, and require a level of technological expertise that many business owners, especially small- or medium-sized business owners, often lack. Although there is no shortage of available information about PCI-DSS (Don’t believe us? Just Google the term), none of these resources speak directly to business owners or attempt to explain PCI-DSS in plain English. That is what this website seeks to accomplish.
On this website, you will find information and tools designed to help educate you, the merchant, about PCI-DSS. Our goal is not to make you an expert, or to provide you with a technological guide for complying with the standards, but simply to heighten your awareness of the standards and help you sidestep the landmines that get so many merchants in trouble.
PCI 101: The Basics:
What is PCI-DSS?
“PCI-DSS” stands for “Payment Card Industry Data Security Standards.” Stated simply, PCI-DSS is a collection of rules. These rules require merchants—i.e., businesses that accept credit cards—to do certain things to protect credit card data. Since the vast majority of credit card transactions are now processed electronically, the rules are meant to protect credit card data from being intercepted by hackers and other criminals.
How Did PCI-DSS Originate?
Several years ago, the major credit card brands (American Express, Discover, MasterCard and Visa) banded together to form the “Payment Card Industry Data Security Council.” The Council developed PCI-DSS. They required their business partners (banks and credit card processors) as well as POS companies to adopt PCI-DSS. The banks and credit card processors, in turn, required their customers (merchants) to adopt PCI-DSS. The banks and credit card processors began fining merchants who failed to comply with PCI-DSS. The Security Council has revised PCI-DSS over the years and is now on Version 3.0.
Why Should I Care about PCI-DSS?
You should care about PCI-DSS because you ignore it at your own peril. Whether you like it or not, if your business accepts credit cards, then you are responsible for complying with PCI-DSS. Credit card data theft is on the rise. If you do not comply with PCI-DSS, and your customers’ credit card data is stolen or compromised, you will pay the price.
Why is PCI-DSS My Responsibility?
PCI-DSS is your responsibility because your contracts with your banks and credit card processors make it so. Those contracts contain very important, but seldom discussed, terms regarding PCI-DSS. The contracts require you, the merchant, to certify that your business is PCI-DSS compliant. The contracts require you to agree to pay fines for PCI-DSS non-compliance. And the contracts require you to reimburse your banks and credit card processors for any losses they incur for theft of your customers’ credit card data. Typical contract provisions read like this:
- “We may impose fines or penalties, or restrict you from accepting cards if it is determined that you are not compliant with PCI-DSS Standards. We may in our sole discretion, suspend or terminate Card processing services under your Merchant Agreement for any actual or suspected data security compromise.”
- “You agree to indemnify and hold us harmless from and against all losses, liabilities, damages and expenses: (a) resulting from any breach of any warranty, covenant or agreement or any misrepresentation by you under this Agreement; (b) arising out of your or your employees’ or your agents’ negligence or willful misconduct in connection with card transactions or otherwise arising from your provision of goods and services to Cardholders; (c) arising out of your use of our Service; or (d) arising out of any third party indemnification we are obligated to make as a result of your actions (including indemnification of any Association or Issuer).”
What Does PCI-DSS Consist Of?
PCI-DSS consists of 12 requirements and over 200 sub-requirements. The PCI Data Security Council’s summary of those requirements and sub-requirements can be found here. Unless you are an IT professional, reading this summary will undoubtedly make your head spin. For simplicity sake, think of PCI-DSS as a set of rules that governs three aspects of your business: (1) your technology; (2) your personnel; and (3) your policies and procedures. Keep reading for more on each of those topics.
What are the Technological Requirements?
PCI-DSS requires you to implement technological safeguards to prevent credit card data theft. For example:
- Requirement 1 provides that you must: “Install and maintain a firewall configuration to protect cardholder data”;
- Requirement 2 prohibits you from using vendor-supplied default passwords to access computers, servers and software applications;
- Requirement 3 states that you must: “Protect stored cardholder data”;
- Requirement 4 mandates you to: “Encrypt transmission of cardholder data across open, public networks”;
- Requirement 5 requires you to: “Use and regularly update anti-virus software or programs”;
- Requirement 6 requires you to: “Develop and maintain secure systems and applications”;
- Requirement 10 requires you to: “Track and monitor all access to network resources and cardholder data”; and
- Requirement 11 requires you to: “Regularly test security systems and processes.”
Too often, merchants rely on their vendors (like credit card processors, IT professionals and POS providers) to install and configure computing equipment safely and properly. This presents two problems. First, those vendors might not be knowledgeable about PCI-DSS, so they might not install and configure computing equipment with those standards in mind. Second, they are not responsible for PCI-DSS compliance; you are. If a breach occurs, it will be you and your business in the cross hairs, not the vendors who installed the equipment. Thus, it is important that you carefully vet the vendors you hire and ask appropriate questions about the products and services they provide. The goal of this website is to give you the proper background for doing so.
What are the Personnel Requirements of PCI-DSS
PCI-DSS requires you to manage your personnel in a manner consistent with minimizing risk of a data security breach. For example:
- Requirement 7 provides that you must: “Restrict access to cardholder data by business need to know”;
- Requirement 8 mandates that you: “Assign a unique ID to each person with computer access”; and
- Requirement 9 states that you must: “Restrict physical access to cardholder data.”
These requirements serve two purposes: prevention and diagnosis. By limiting the number of people with access to credit card data (or systems that transmit credit card data), the requirements aim to reduce the likelihood that personnel intentionally or inadvertently cause a data security breach. By requiring merchants to assign a unique ID to each person with such access, the requirements aim to make the source of any data security breach traceable and correctable.
What Policies and Procedures Am I Required to Implement?
PCI-DSS requires you to implement policies and procedures to (a) prevent data security breaches; and (b) deal with data security breaches when they occur. Requirement 12 states simply that you must: “Maintain a policy that addresses information security for all personnel.” As any merchant who has been through litigation knows, the absence of appropriate policies and procedures makes a merchant’s conduct much more difficult to defend.
How Do I Comply with PCI-DSS?
Achieving PCI-DSS compliance will likely require you to make both a personal and a financial investment. Use this website (and other online resources) to learn as much as you can about PCI-DSS. Talk with your vendors about whether the products and services they provide are PCI-DSS-compliant. If doubts remain, hire trusted and qualified professionals to implement appropriate technological safeguards and develop appropriate policies and procedures. And consider purchasing insurance that protects you against financial losses associated with a data security breach.
In terms of the specifics, bear in mind that what you need to do depends on how many credit card transactions you process each year. PCI-DSS divides merchants into four categories depending on their annual transaction volume. The more credit card transactions you process, the more stringent the requirements. All merchants, however, must at a minimum audit their computer network annually to verify that it is secure and PCI-DSS compliant.
What Happens if I Do Not Comply with PCI-DSS?
Most merchants learn they are non-compliant the hard way: when their customers’ credit card data is compromised or stolen. A merchant’s bank or credit card processor will notify the merchant about the data security breach. The merchant will then be required to hire a forensic auditor, at the merchant’s expense, to examine the merchant’s computer network. If the forensic audit reveals that the merchant is non-compliant, then the merchant will probably be fined. The merchant can also expect to be held financially responsible for any losses caused by the data security breach, which may include credit card chargebacks and card re-issuance fees. These expenses can run into the hundreds of thousands, and occasionally millions, of dollars. As the saying goes, an ounce of prevention is worth a pound of cure.