As the world becomes more and more connected and more technology is used to drive even more payments every day, businesses, processors, and service providers are increasingly becoming a target of malicous attacks from criminals intent on stealing credit card information that they can sell or use to purchase goods and services fraudulently.
In an effort to curb this growing threat, Visa, MasterCard, Discover, American Express, and JCB joined together to create the PCI Security Standards Council (PCI SSC) in 2006. (PCI stands for Payment Card Industry.) The PCI SSC was charged with creating and managing a universal set of standards that can be applied to all aspects of the payments ecosystem to ensure the security and integrity of payments. The card brands (i.e. Visa and MasterCard) then take these standards and decide exactly how to require and enforce them. Today, validating compliance with PCI standards is a required condition of every business, software, processor, and hardware company any way involved in transacting payments of credit and debit cards with their brand name on them.
While the PCI SSC has developed and published a number of standards and guidelines, two are particularly applicable to everyday businesses, developers, software companies, and service providers: The PCI Data Security Standard (PCI-DSS) and the Payment Application Data Security Standard (PA-DSS).
It is very important that business owners, managers, and developers understand these standards at a basic level, as failure to abide by them will likely result in penalties, fines, and could lead to a catastrophic data breach that typically results in bankruptcy.
The information on this website is not intended to be an authoritative guide to achieving PCI compliance and these suggestions, if followed, by themselves offer no assurance that cardholder data is protected. The intent of this information is to provide a beginning overview of the complex world of PCI compliance and data security by explaining some basics and calling attention to common areas of trouble that should be given attention. There are no guarantees that this information is 100% accurate or up-to-date. The only way to truly validate PCI Compliance is by following the process outlined by your payment processing provider and integrating secure best practices into everyday operations.
PCI Compliance, and data security in general, is not something that can be achieved and proven at a single point in time and then forgotten about until the next time it needs to be proven again. True security requires constant, 24/7 awareness and diligence throughout any areas of operations that come in contact with personal, private, or sensitive information that, if compromised, would damage your businesss or your customers.
Full detail and official standards can be found on the PCI SSC website, http://www.pcisecuritystandards.org.
As much as encouraging awareness about data security is a positive thing, it is unfortunately being used as the basis for numerous scams and exploitations of business owners. This isn't made any easier with how sophisticated, complex, and fast-moving compliance can be.
As a general rule of thumb, if someone walks in and tells you that the sky is falling unless you buy something from them, in all likelihood their claim is false and they are trying to misrepresent PCI in order to trick you into giving them money. Every day, businesses across the country are thrown into a false panic thinking they need to spend thousands of dollars on new equipment or software when, in reality, that is completely false, regardless of how specific or general the claim is. Having said that, there may be times when action or upgrade IS required on your part in order to mitigate an outstanding vulnerability or liability, such as operating on a device or software that is known to be easily compromised. However, these notifications should be formal and professional and come from your processing provider, such as AGMS, along with assistance and specific instructions to alleviate the issue with the smallest possible cost and impact to your business.
The PCI-DSS applies to all businesses in America who process credit card transactions, and the card brands, processors, and banks require that all businesses validate their compliance to the PCI-DSS on an annual basis. More on this standard, a summary of its main points, and what it means to validate compliance can be found in the PCI-DSS tab.
The PA-DSS is designed to help software vendors and developers build and maintain secure payment applications. Any payment applications - including POS Systems - which transmit or store cardholder data must be reviewed and validated by a specialized third party firm in order to follow the PA-DSS. More on this standard, a summary of its main points, and what it means to validate compliance can be found in the PA-DSS tab.
All PCI standards center around enforcing the following set of data requirements when it comes to storing and transmitting sensitive information.
| Type of Data | Classification | Transmission | Storage |
|---|---|---|---|
| Cardholder Name | Cardholder Data | Must be encrypted | Must be encrypted |
| Credit Card Number (Primary Account Number, PAN) |
Cardholder Data | Must be encrypted | Must be encrypted |
| Expiration Date | Cardholder Data | Must be encrypted | Must be encrypted |
| Full Magnetic Stripe Data (Track Data) |
Sensitive Data | Must be encrypted | PROHIBITED |
| Card Verification Code (Card Verification Value, CVV, CVV2, CVC, CVC2, CID) |
Sensitive Data | Must be encrypted | PROHIBITED |
| PIN Number | Sensitive Data | Must be encrypted | PROHIBITED |
The term "scope" is used to define how exposed a business or application is to the threat of a data breach that would compromise cardholder data. For example, if two computers store credit card numbers those computers and any individuals that have electronic or physical access to them would be considered "in scope" and need to be tested against the PCI requirements to make sure that the cardholder information is adequately secured.
The best way to minimize risk and cost is to minimize scope. The less data stored and transmitted, the less there is to secure, and the less there is that can be stolen.
As more and more high profile breaches occur, such as with Target, Home Depot, TJ Maxx, Sony, and Heartland to name a few, the more business owners and developers alike are looking for ways to avoid PCI scope as much as possible. The AGMS Gateway provides a number of tools to facilitate this wise practice, including Hosted Payment Pages to outsource the collection of payment methods to our PCI secure service, the Customer SAFE to serve as a secure repository for sensitive cardholder information, and encrypted card swiping where card information is encrypted inside of the swiper hardware itself before ever being transmitted to another system in a way that can only be decrypted by the AGMS Gateway. For assistance in determining the best way for your business, app, or service to reduce or eliminate PCI scope, contact AGMS for a consultation from one of our PCI advisors.
As with any business risk, it is prudent to consider mitigating that risk by obtaining insurance coverage. Many credit card processors offer "breach protection coverage" as part of their service, charging an additional $15-$50 per month to the business for the benefit. While they do offer some protection for businesses who may otherwise have none, their amount of coverage usually ranges between $25,000 - $50,000 and the fine print can reveal concerning gaps in exactly what kinds of losses they will cover. For example, they may cover fines from Visa/MasterCard but not lawsuits, they typically only will cover a single breach and then the coverage becomes invalidated, they may only be valid if you've successfully validated PCI Compliance according to their specific process, or they may only cover breaches that began from the time that you validated PCI Compliance and nothing that happened prior.
As most of these processor-provided coverages are more about marketing and justifying the collection of hundreds of millions of dollars in unneccessary fees from their unsuspecting clients, we recommend that anyone who wants to ensure that they are properly covered in the event of a breach works with their insurance agent to determine if it's included as part of pre-existing business insurance coverages, and what the cost of a customized specialty policy would be if it isn't. For any developers or service providers who have a product or service which transmits or stores cardholder information, we highly recommend that sufficient coverage is secured as software vendors and service providers are held 100% liable in the event that their product or system is the cause of a data breach by processing banks, card brands, and the legal system.
The PCI-DSS applies to all businesses who process Visa, MasterCard, Discover, American Express, or JCB transactions as well as any service providers who handle cardholder data, sensitive data, or transaction processing on their behalf.
The full PCI-DSS Standard can be found on PCI-DSS section of the PCI SSC website, which goes into the specifics of each requirement and subrequirement.
For a typical small business owner, the standard can be very overwhelming and contain a lot of requirements that do not apply to their kind of business. This same standard applies to the largest companies like Walmart and Apple just the same as it applies to a part-time hair stylist running a few transactions per month. The key to understanding and complying with the PCI-DSS is to first focus on reducing scope by storing and transmitting cardholder data as little as possible. When handling that information is necessary, as much as possible use trusted, certified providers, software, and systems who handle the compliance for you - effectively outsourcing your payments security.
If you are a business concerned about how to comply to this standard, contact the AGMS corporate office for the best assistance. AGMS has designed and developed unique compliance validation questionnaires with business owners in mind that are straightfoward, approachable, and easy to answer. After spending 5-10 minutes on the questionnaire, any areas of concern are quickly revealed and AGMS will ask further questions specific to those areas and assist in determining the quickest and most inexpensive way to ensure that both customers and your business is protected.
If you are a developer, vendor, or service provider, your understanding of the full PCI-DSS at a detailed level is more important. By using your product to handle payments, business owners will be trusting you to keep their business and customers secure and you are exposed to liability in the event of a breach of your system or software. AGMS can provide guidance, however depending on the manner in which your system or software transmits and stores cardholder data, retaining an outside security firm for assistance may be wise or even necessary.
We strongly encourage the following practices to be included in any internal data security program or secure coding policy on the path to PCI compliance:
The following is a high-level overview of the 12 PCI-DSS requirements, designed to encourange and enhance security of cardholder data.
| Focus | |
|---|---|
| Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration that protects cardholder data. |
| 2. Do not use vendor-supplied default passwords or other security parameters. | |
| Protect Cardholder Data | 3. Protect stored cardholder data. |
| 4. Encrypt transmission of cardholder data across networks. | |
| Maintain a Vulnerability Management Program | 5. Protect all systems against malware and regularly update anti-virus software or programs. |
| 6. Develop and maintain secure systems and applications. | |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data on a need-to-know basis. |
| 8. Identify and authenticate access to system components. | |
| 9. Restrict physical access to cardholder data. | |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data. |
| 11. Regularly test security systems and processes. | |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for all personnel. |
Each major card brand has implemented its own program to enforce data security according to its own requirements using the PCI-DSS as the basis for the evaluation.
As most businesses don't have internal security departments and third party auditors, the PCI SSC manages a set of Self-Assessment Questionnaires (SAQs) that can be used by businesses to test their compliance with PCI standards most applicable to their environment. There are multiple SAQs, each designed for a different kind of business based on the different ways that they accept and store payments.
Another potential requirement for businesses is to perform and pass a quarterly Network Scan that's been performed by a PCI Approved Scanning Vendor, or ASV. An ASV scan is a typical network vulnerability scan that's been shown to meet certain PCI requirements for thoroughness and effectiveness, and its considered passed when significant vulnerabilities have been resolved. Whether this is required or not, AGMS strongly encourages this as a best practice for any businesses utilizing hosted servers that are publicly accessible to store or transmit cardholder information, such as an ecommerce website.
Larger businesses, typically those processing well over 1 million transactions per year, may be required to have an outside Qualified Security Assessor (QSA) come in to perform a third party assessment and issue an annual Report on Compliance (ROC) that further validates the security of cardholder data. This is a method reserved usually for only the largest corporations, and is included in this documentation as QSAs and ROCs are often mentioned in PCI SSC materials.
While every business is held to the same PCI standard, whether they are a small 2 person cafe or Walmart, the requirement as to how rigorously they need to validate varies according to their size and how they accept cards determining what Level they fall into. Ultimately, validation requirements are set by the processing bank, such as Central Bank of St. Louis, Wells Fargo, or Fifth Third Bank, however to get a general idea review the levels defined on the Visa CISP page.
Smaller businesses with simple, straightforward operations may only be required to fill out a very short 2-3 page questionnaire, while more complex technology-driven businesses will have a longer questionnaire and may require some additional validation methods, such as a network scan.
The PA-DSS applies to all payment applications and software that handle cardholder data, sensitive data, or transaction processing of Visa, MasterCard, American Express, or Discover transactions on behalf of businesses.
Among the many requirements of the PCI-DSS is one that states that all applications that store, process, or transmit cardholder data needs validated against PA-DSS, PCI-DSS, or both and configured securely. Using a PA-DSS compliant validation in itself does not make a business PCI-DSS compliant, but it does make it much easier to validate that the application is secure and satisfy those related requirements.
The PA-DSS specifically applies to applications sold in an "off-the-shelf" manner, where a single product is resold multiple times to many customers. Hosted services and custom developments do not fall under PA-DSS, but do need to validate against the PCI-DSS.
For applications, services, and software that do not store, process, or transmit cardholder data, no PCI requirements apply. AGMS strongly encourages developers to utilize our tokenization, encryption, and hosted payment features to eliminate their software and services from scope entirely. It not only eliminates the risk and liability, but saves the significant cost of achieving and maintaining PCI-DSS and/or PA-DSS validation.
For example, rather than a hosted ecommerce service collecting customer payment information with their own form and then transmit that data through their server, use the AGMS hosted payment pages. The service continues to function as normal, but when it comes time to collect a credit card a single-use, dynamically generated AGMS hosted payment page is embedded in an iframe or linked to an external window. Once the information is submitted by the customer, the page will redirect back to a specified page to confirm the transaction so that the customer can continue. As full transaction details are available via API, and an HPP can even be configured to automatically save the customer in the Customer SAFE for future use, the AGMS Gateway simply becomes an extension of the system drastically enhancing security and reducing PCI scope with little change to function.
To become PA-DSS validated, a developer or vendor must retain the services of a Payment Application Qualified Security Assessor or PA-QSA. The PA-QSA ensures that all requirements of the PA-DSS have been met, that a satisfactory PA-DSS Implementation Guide is available for customers, integrators, and resellers to know how to deploy and configure the application in a compliant manner, and upon successful validation issues a Report of Validation or ROV.
Validated payment applications are listed publicly on the PCI SSC website's List of Validated Payment Applications so that any business, service provider, or processor can verify that the exact make, model, and version of applications being used are compliant.
From time to time, whether an application is validated or not, specific makes, models, and versions of software are identified and confirmed as being vulnerable to attack and compromise. These applications are tracked on a List of Vulnerable Payment Applications, which is held confidentially by banks and processors. When a business is identified as using a vulnerable application, it is confidentially notified and given assistance in meeting a card brand mandated deadline to replace the application with a validated application.