Posted by Alison Arthur on 18 May 2018
It’s unfortunate but true – electronic payments and fraud go hand-in-hand. Handling sensitive cardholder information in a digital environment opens the possibility for cybercriminals to steal, misuse, and sell customer data illegally. As criminals continue to refine their tactics and expand their reach, it’s up to businesses to try to outsmart them at every turn.
The widespread issuance of EMV chip cards has helped thwart fraud at the point-of-sale but in doing so has helped pushed that fraud online. Research from BRP Consulting shows that online fraud has increased 137% after the introduction of EMV. Building a solid defense against ever-growing online payment fraud requires a multi-faceted strategy involving various disciplines, solutions, and resources.
One approach that we’ll discuss here is adopting the Payment Card Industry Data Security Standard (PCI DSS). Here are some high-level questions and answers about PCI DSS that can help get your business started. It’s important to note that the application of PCI DSS will look differently for different types of businesses. A full set of information is available here.
What is PCI DSS?
PCI DSS is a set of data security standards that apply to all organizations that store, process or transmit cardholder data. These standards were developed to help ensure that this sensitive data is handled safely and to help protect underlying cardholders. PCI DSS applies to all organizations that accept or process cardholder data, regardless of the size of the company or the industry it serves.
Who enforces PCI DSS?
The Payment Card Industry Security Standards Council (PCI SSC) was formed by the major payment card brands (American Express, Discover, JCB, Mastercard, and Visa) to oversee and manage PCI DSS. However, the PCI SSC does not enforce PCI DSS – that responsibility falls to the payment card brands. Each card brand has specific requirements for validating merchant compliance and associated reporting standards.
But our business doesn’t store cardholder data. We work with a third-party vendor that does this on our behalf.
Even if your business doesn’t store cardholder data, PCI DSS still applies to the environment that transmits or processes cardholder data. This includes any service providers that store, process, or transmit cardholder data on your business’s behalf.
What is cardholder data?
At a minimum, cardholder data includes the full primary account number (PAN) that appears on the card. It can also include the full PAN plus the account holder’s name, expiration date of the card, and/or the service code of the card.
How does PCI DSS apply to the software vendors that we use to accept payments?
The Payment Application Data Security Standard (PA-DSS) applies to software vendors and payment application vendors that store, process, or transmit cardholder data on behalf of third parties. The payment card brands encourage merchants to use payment solutions that are tested and approved by the PCI SSC. However, it’s important to note that using a third-party vendor doesn’t exclude the associated merchant from PCI DSS compliance. While it may reduce their scope of PCI DSS compliance, it won’t exclude them from it altogether.
How do the payment card brands enforce compliance with PCI DSS?
There are two primary tools that the payment card brands use to help ensure that merchants are PCI DSS compliant:
1. Qualified Assessors (QSA) and Approved Scanning Vendors (ASV)
QSAs are approved by the PCI SSC and perform assessments of PCI DSS compliance. ASVs are also approved by the PCI SSC, however, they focus on performing vulnerability scans of both the merchant and the service provider environments that face the internet.
2. Self-Assessment Questionnaire (SAQ)
For eligible organizations, SAQ is a validation tool that merchants can use to perform self-assessments of their PCI DSS compliance.
What happens if our business doesn’t comply with PCI DSS?
Failure to comply can result in significant fines from the payment card brands. It’s important to note that the payment card brands will impose these fines on their member banking institutions, who will then pass these fines along to the responsible merchants. In some cases, these fines can lead to the cancellation of merchant accounts by their acquirers.
Is PCI DSS compliance a one-time thing?
No. Ensuring the security of your cardholder data is an ongoing endeavor that requires communication and teamwork between many disciplines. In addition, PCI DSS compliance is predicated upon validation levels that are set by the card brands and based upon transaction volume. As your business grows and changes over time, so might your PCI DSS validation level. In addition, industry requirements and card brand rules may change as well. It’s your business’s responsibility to be aware of these changes and react accordingly.
The Bottom Line: Accepting electronic payments opens businesses up to the possibility of fraud. PCI DSS compliance is an important piece of a larger data security and fraud prevention strategy. For more information on PCI DSS, please visit www.pcisecuritystandards.org.