When your business – no matter what its size – began accepting credit card payments, it immediately became a potential target for data thieves.
Much more is at risk than your customers’ sensitive information, however. If you aren’t employing the best industry practices to protect that data, your business could face fines, lose the ability to accept credit and debit card payments, and jeopardise its credibility.
To help protect consumers’ credit card information from data thieves, the Payment Card Industry (PCI) Security Standards Council produced data security standards (DSS) that businesses must follow to stay compliant.
The cost of non-compliance can be astounding. The bank that processes your payments could be fined from $5,000 to $100,000 per month by the credit card companies – amounts likely to be passed along to you – until the business is following the requirements.
Your bank also could raise the fees it charges to process your business’s transactions, or stop handling them altogether – check your account agreement with the bank. Your business also might have to cover the cost if the bank has to issue new cards to customers whose data has been compromised – and who could become former customers if there has been a data breach. Finally, your business also may be liable for losses due to fraud and other financial losses.
Question 1: What are the PCI compliance levels and how are they determined?
There are four levels of PCI compliance as determined by Visa and MasterCard, which are based on the transaction volume – including prepaid, credit and debit – over a 12-month period. Merchants that have been affected by a security breach that resulted in compromised card data may be increased to the next level.
Merchant level description:
• Level 1: Any merchant processing more than $6m Visa and/or MasterCard transactions per year.
• Level 2: Any merchant processing $1m to $6m Visa and/or MasterCard transactions per year.
• Level 3: Any merchant processing $20,000 to $1m Visa and/or MasterCard e-commerce transactions per year.
• Level 4: Any merchant processing less than $20,000 Visa and/or MasterCard e-commerce transactions per year.
• Level 4: All other merchants processing up to $1m Visa and/or MasterCard transactions per year.
Question 2: My business has multiple locations; is each location required to validate PCI compliance?
Best practice would be to certify each merchant ID (MID) number individually. Some businesses choose to certify several MID numbers under one entity. However, if multiple locations are certified under one entity and a compromise occurs, all MID numbers are subject to forensic investigation (versus only the identified MID).
Question 3: Does having an SSL certificate make me PCI compliant?
No, a secure sockets layer (SSL) certificate is just one piece of the puzzle towards becoming PCI compliant. You must establish solid encryption of the cardholder’s data during transmission over open, public networks. Furthermore, you need to validate that the website operators are a legitimate, legal organisation.
Question 4: What is a vulnerability scan?
A vulnerability scan is an automated, nonintrusive scan of a merchant or service provider’s systems that remotely reviews networks and Web applications based on the external-facing Internet protocol (IP) addresses provided by the merchant or service provider.
The scan identifies vulnerabilities in operating systems, services and devices that could be used by hackers to target the company’s private network. Approved scanning vendors (ASVs), such as ControlScan, do not require the merchant or service provider to install any software on their systems, and no denial-of-service (DoS) attacks will be performed.
Question 5: Are debit card transactions in scope for PCI?
Any debit, credit and prepaid cards branded with one of the five card association/brand logos that participate in the PCI SSC – American Express, Discover, JCB, MasterCard and Visa International – are within scope.
Five common myths
Myth 1: I’m a small merchant who takes only a handful of cards, so I don’t need PCI
Merchants are divided into four categories based on the number of card transactions handled in a 12-month period, but all must meet PCI requirements regardless of their size-level designation.
Smaller merchants do face fewer validation requirements, however. For a Level 4 merchant – one processing fewer than 20,000 e-commerce transactions or up to one million transactions overall – an annual self-assessment questionnaire is recommended and a network scan by an approved vendor is to be performed quarterly if applicable, but the requirements of the bank handling the merchant’s transactions still must be met in order for the business to be in compliance.
Myth 2: PCI applies only to e-commerce companies
Whether your business handles one transaction or hundreds of credit/debit card purchases per day, it is subject to the PCI-DSS regardless of whether the transactions are electronic, in person or by phone. The requirements apply to your business if any customer ever pays you directly using a credit or debit card.
Myth 3: I can delay until my business grows
As noted above, a business of any size that processes a credit or debit card transaction is subject to PCI compliance. If you think your business is too small to attract a hacker, consider this: About 60% of cyberattacks in 2015 targeted small and medium-sized businesses (SMEs), which in general have smaller and/or less sophisticated IT security staffs and resources than big corporations.
Overall, 42% of small businesses surveyed in the US by the National Small Business Association (NSBA) reported having experienced a cyberattack. Among types of attacks, the theft of credit card information was second behind a general computer hack. The firms whose business bank accounts were hit suffered an average of more than $32,000 in losses, and 42% of small businesses said it took them more than three days to resolve a cyberattack issue.
Myth 4: Outsourcing card processing makes us compliant
Relying on an outside vendor does not ensure that your business is PCI compliant. Outsourcing could reduce your risk and make it easier to prove that your business is compliant but, much as with paying your taxes to the relevant national authority, relying on an external “expert” does not relieve you of accountability.
Myth 5: PCI compliance is an IT project
Any temptation to shift the entire burden of PCI compliance onto the IT staff could prove costly. While IT can set up, run and test programmes, compliance is an ongoing task. Rules change and regular assessments are needed, and with so much at stake from financial and reputation standpoints, your entire organisation is affected.