PCI compliance - Do I need it and, if so, how?

Understanding PCI compliance can be a daunting task. What exactly is it? Who needs it? How can I become PCI compliant? Luckily, you’ve come to the right place in order to find out the answers.

by PCI Booking – November 1, 2018

What is PCI Compliance and why is it important?

The PCI council, an organization created by the major credit card companies (Visa, Mastercard, American Express, etc.), has defined the Payment Card Industry Data Security Standard (PCI DSS), commonly referred to as “PCI compliance” or simply “PCI”. PCI DSS is a set of security standards, twelve in total, that any organization that accepts, processes, stores or transmits credit cards must follow.

The aim of PCI DSS is to reduce the risk of a data breach involving your customers’ sensitive data. If customers entrust you, the merchant, with their sensitive data, then it’s your responsibility to ensure that adequate security measures are put in place. PCI DSS outlines how you can achieve this through its twelve standards, which focus on preventing, detecting and reacting to data breaches.

There are several levels of PCI compliance (levels 1, 2, 3 and 4) – all depending on the number of cards your organization “handles” each year.

  • Level 1: Merchants processing over 6 million card transactions per year.
  • Level 2: Merchants processing 1 to 6 million transactions per year.
  • Level 3: Merchants handling 20,000 to 1 million transactions per year.
  • Level 4: Merchants handling fewer than 20,000 transactions per year.

Do I need to be PCI compliant?

Most likely, yes.

If your business accepts, stores, processes or transmits payment card information then PCI DSS does indeed apply to you. Even if you only accept cards and immediately relay them to a third party and never store them in your system, you will need to become PCI compliant.

While not a legal requirement, failure to comply has a number of damaging and disruptive outcomes such as:

  • Should a data breach occur, considerable fines, potentially reaching millions, are likely.
  • Damage to consumer confidence due to the inability to present a PCI Attestation of Compliance.
  • Without a PCI compliant infrastructure, credit card networks may completely remove their service from you, preventing you from accepting any credit card payments.
  • Many payment processors, as part of their own security review, require you to be PCI compliant in order to work with them.

How can I become PCI compliant?

When it comes to becoming PCI compliant, there are two distinct methods of achieving it:

1) Building a PCI compliant infrastructure in-house by following the stages of PCI DSS:

  • Build and maintain a secure network and system.
  • Protect cardholder data with high levels of encryption.
  • Maintain a vulnerability management program.
  • Implement strong access control measures.
  • Regularly monitor and test networks.
  • Maintain an information security policy.
  • And lastly, undergo an annual review of your entire system, network and hardware by an approved Qualified Security Assessor (QSA).

This is an ongoing, time-consuming and expensive task and, depending on the size and scope of your system infrastructure, may require a lot of resources from you.

2) Outsource your credit card capture, storage, processing and transmission to a PCI compliant third party. Choosing a partner who is fully PCI compliant and can capture, store and transmit payment information on your behalf has huge benefits. Once properly integrated into your workflows, you will no longer directly handle sensitive card information yourself, which takes you completely out of PCI scope and allows you to maintain the much simpler Self Assessment Questionnaire (SAQ-A).

How can PCI Booking help?

PCI Booking can offer you a PCI compliant level 1 outsourced service and handle, on your behalf, all of your processes that involve credit card details.

Through the use of multiple card capturing methods, PCI Booking enables you to collect payment information from your customers without the card details ever reaching your systems. Captured payment data, whether it comes from secure iframe webpages or from API endpoints that support integration with third party APIs, is tokenized and masked before it reaches your infrastructure, effectively creating a PCI compliant shield around your system.

Once captured, stored cards remain accessible to you while staying protected and inaccessible to others. As data breaches become ever more frequent and unprecedented in nature, PCI Booking offers unlimited PCI DSS Level 1 storage.

Of course, capturing and storing credit card information is only one part, you will also need to use them. With PCI Booking, you will get instant and immediate access to dozens of payment processors all through a single, unified API endpoint – thus eliminating the need for individual integrations with each payment processor.

Do you require relaying stored cards to third parties? With PCI Booking, you will have an easy and straightforward proxy to relay your requests to any third party.
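To make the tokenize-and-mask flow described above (and the relay step) concrete, here is a small added illustration; it is not PCI Booking’s code or API. A hypothetical `TokenVault` stands in for the outsourced service: the merchant’s system only ever receives an opaque token and a masked number, while the full PAN stays inside the vault and is only handed to a processor callback when a stored card is relayed. The card number used is the well-known Visa test number, not a real card.

```python
import secrets
from typing import Callable, Dict, Optional

def luhn_valid(pan: str) -> bool:
    """Luhn checksum: a sanity check on the captured digits, not proof of a live card."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) != len(pan) or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep at most first six and last four digits; everything in between is masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

class TokenVault:
    """Hypothetical stand-in for the outsourced vault (not PCI Booking's implementation).
    The merchant never reads _store directly; it only holds tokens and masked values."""

    def __init__(self) -> None:
        self._store: Dict[str, str] = {}

    def tokenize(self, pan: str) -> Optional[dict]:
        """Return what the merchant is allowed to keep, or None for a malformed PAN."""
        if not luhn_valid(pan):
            return None
        token = "tok_" + secrets.token_hex(16)   # random, unguessable reference
        self._store[token] = pan                  # PAN stays inside the vault
        return {"token": token, "masked": mask_pan(pan), "last4": pan[-4:]}

    def relay(self, token: str, processor: Callable[[str], bool]) -> bool:
        """Forward the real PAN to a processor on the merchant's behalf; the merchant
        supplies only the token, so the PAN never transits its own infrastructure."""
        pan = self._store.get(token)
        if pan is None:
            return False
        return processor(pan)

if __name__ == "__main__":
    vault = TokenVault()
    record = vault.tokenize("4111111111111111")  # constructed: Visa test number
    print(record)                                # merchant-side record: token + mask only
    print(vault.relay(record["token"], lambda pan: pan.endswith("1111")))
```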
