What You Need to Know about PCI Compliance

When it comes to being PCI compliant there are many questions business owners have, but the one I hear most often is "Why?" Why do I need to fill out this questionnaire, and why do I need to be PCI compliant? To answer these questions, it is important that we first address what PCI is and how it came about.

In 2006 the five largest card brands (Visa, MasterCard, Discover, American Express and JCB International) founded the PCI Security Standards Council (PCI SSC) and handed it stewardship of the Payment Card Industry Data Security Standard (PCI DSS), which the brands had first published together in 2004. The goal of the Council is to ensure that every business that accepts cards protects its customers' cardholder data during a transaction and wherever that data is stored afterwards.

It is important to note that being PCI compliant is generally not required by statute. It is a contractual obligation: the merchant agreement with your acquirer passes the card brands' requirements down to you, and the brands levy non-compliance fees through the acquirer. To help avoid a data breach and those fees, it is highly recommended that business owners who accept credit card payments follow the requirements set out by the PCI SSC.

So now we have the answer to our question as to why a business needs to fill out a questionnaire and needs to become PCI compliant. The problem is that there is a very prevalent feeling amongst business owners that they will not be the victims of a breach, a very dangerous point of view given the increase in breaches of businesses of all sizes.

What are the Requirements of becoming PCI Compliant?

How a business becomes PCI compliant will depend on the business's operations, as there are many areas in which a business could have security vulnerabilities. Attackers are not picky and will look for any, and all, weaknesses within a business: unpatched operating systems, remote-access tools, and any device that connects to the company's private network.

Some of the many areas in which data can be stolen include:

  • Credit card terminals or card readers
  • A wireless or wired network
  • Databases
  • Paper Records

For business owners, the key is to identify their weaknesses when it comes to protecting cardholder data, and applying common-sense principles often goes a long way. For instance, if a business accepts credit cards over the phone, how is that cardholder data being handled? Is the card number written on a notepad, typed into an email or a chat window, or stored in a spreadsheet "for next time"? Every one of those places is now somewhere cardholder data can be stolen from.

What do I need to do to become PCI Compliant?

When it comes to being PCI compliant, all businesses are not equal. There are 4 merchant levels of PCI compliance, based on the number of card transactions a business processes in a 12-month period. A business needs to understand its level and ensure it meets the corresponding validation requirements.

The following is a simplified breakdown of the 4 levels. The counts are transactions, not dollars, and each card brand sets its own thresholds; the figures below are the Visa and MasterCard definitions, which most merchants use.

Level 1 –          Process over 6 million transactions each year

Level 2 –          Process between 1 million and 6 million transactions each year

Level 3 –          Process between 20,000 and 1 million e-commerce transactions each year

Level 4 –          Process fewer than 20,000 e-commerce transactions each year, or up to 1 million transactions through other channels

Once a level is determined, a Level 2 to 4 business must complete the PCI DSS Self-Assessment Questionnaire (SAQ) that matches how it accepts cards (for example SAQ A for fully outsourced e-commerce, SAQ B for standalone dial-out terminals, SAQ D when none of the narrower questionnaires fit), pass the quarterly external vulnerability scans by a PCI SSC Approved Scanning Vendor (ASV) where its SAQ calls for them, and complete and submit the Attestation of Compliance (AOC) to its processor. A Level 1 merchant cannot self-assess: it needs an annual on-site assessment by a Qualified Security Assessor (QSA), producing a Report on Compliance (ROC) instead of an SAQ.

Even though being PCI compliant is not required by law and can often be a time-consuming endeavor, a business risks major damage to its brand and its reputation, and a multitude of fines, in the event customers' data is breached. Very simply, being fully PCI compliant is much less costly than the alternative.

The state of PCI DSS Compliance

SecurityMetrics, a leading provider of data security and compliance services, published a study of the breaches it investigated forensically in 2016. The following are some of their findings.

  • 1,021 – average number of days an organization was vulnerable before the breach
  • 163 – average number of days cardholder data was being captured by the attacker
  • 39% – organizations breached through insecure remote access
  • 22% – organizations breached due to weak passwords
  • 56% – organizations that had memory-scraping malware installed on their systems

Easing the PCI Compliance Burden

At Clarity EPS, easing the burden of PCI Compliance is just another means of achieving our goal of providing business owners with solutions that help them process credit card transactions more efficiently, securely and for less.

Through its partnership with CardConnect, Clarity EPS offers PCI-Validated Point-to-Point Encryption (P2PE) for both retail (card present) and mail order/telephone order (card not present) transactions. So, what does that mean and how does it help a business?

Our P2PE solution removes cleartext cardholder data from the business's side of the transaction at the point of contact. The card number is encrypted inside the payment terminal's secure reader before it reaches any merchant system, and the keys needed to decrypt it are held only in the P2PE solution provider's decryption environment, never by the business. What the business's systems see is ciphertext in flight and, for follow-on use such as refunds or recurring billing, a token that stands in for the card number but cannot be turned back into it. Therefore no usable cardholder data exists on the business's systems, and an attacker who compromises the network comes away with ciphertext and tokens they cannot decrypt or redeem. One caveat: this holds only while the terminals are the approved devices the validated solution lists and are handled as its P2PE Instruction Manual (PIM) requires, so keeping a device inventory and checking terminals for tampering or substitution remains the business's job.

Huge Benefit –          using our Point-to-Point Encryption qualifies a business for the short SAQ P2PE, which reduces the questionnaire to only 26 questions instead of the several hundred in SAQ D

Our P2PE solution was designed to provide businesses with the highest degree of payment security and to significantly reduce the scope of the PCI DSS requirements that apply to them.

About Clarity EPS

Clarity EPS is a leading provider of payment processing and technology solutions, helping business owners navigate the world of credit card processing. We understand not every business is the same and create custom programs using added value solutions and cutting edge technology. Our focus is on helping businesses process payments in a more efficient, secure and affordable manner. We eliminate the guesswork and provide clear, concise and understandable solutions. Our core values are rooted in honesty, fairness and transparency.

Please visit https://clarityeps.com for more information on our offerings.

Contact: (561) 338-4446 | adam@clarityeps.com | Twitter: @clarityeps