If you are a merchant who accepts credit and debit card payments, you are probably aware of the PCI Data Security Standard (PCI DSS) which is developed and maintained by the PCI Security Standards Council. The PCI DSS applies to every merchant that stores, processes, or transmits credit card data, and it provides a set of requirements for the prevention, detection and reaction to cardholder data security breaches that could affect your business.
If your small business processes credit card transactions under its own merchant account (as opposed to a shared merchant account held by your provider, such as a PayPal or Square account; see this post for a comparison of merchant account types), your merchant account contract requires that you certify your company’s PCI Compliance annually. Though each merchant account provider is different, in most cases you will be charged a non-compliance fee if you fail to complete your compliance validation.
To certify compliance, Level 4 small business merchants (those that process fewer than 20,000 e-commerce transactions per year and fewer than 1 million transactions in total) are typically asked to complete a Self Assessment Questionnaire (SAQ) and sign a PCI Attestation of Compliance (AOC). Your annual transaction volume determines your merchant level, and therefore whether you may self-assess at all rather than undergo an on-site assessment by a Qualified Security Assessor. Which SAQ you complete is determined by the way those transactions are processed (i.e. online payment forms, swipe terminals, phone orders, etc.). As a basic rule, the more exposure your business has to cardholder data, the more comprehensive the questionnaire.
The first time your business goes through the SAQ process it can seem daunting. But, once you understand how to operate your business securely and in a PCI Compliant manner, completing the process in subsequent years is typically a breeze.
However, just as the security threat landscape never stands still, the PCI DSS is constantly refined to keep pace with it—so the requirements for compliance, and the questions in your SAQ, will evolve over time. And this year there is a significant change that will affect most small businesses.
The latest version of the PCI DSS, version 3.2, was released in April, 2016. Starting October 1, 2016 merchants must begin using the new 3.2 versions of the SAQs. The changes will require some policy modifications on the part of small merchants in order to remain in compliance.
Before we get into the changes, let’s review the basics of PCI which is comprised of 6 Core Principles and 12 Requirements, and the basics of selecting the proper SAQ for your business.
Core PCI Requirements
- Principle 1: Build and Maintain a Secure Network and Systems
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- Principle 2: Protect Cardholder Data
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
- Principle 3: Maintain a Vulnerability Management Program
- Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
- Requirement 6: Develop and maintain secure systems and applications
- Principle 4: Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need to know
- Requirement 8: Identify and authenticate access to system components
- Requirement 9: Restrict physical access to cardholder data
- Principle 5: Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
- Principle 6: Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security for all personnel
If you really want to get into the nitty-gritty of PCI, read the full PCI DSS version 3.2. For a more compact read, try the PCI DSS Quick Reference Guide: Understanding the Payment Card Industry Data Security Standard version 3.2.
SAQ Basics for Level 4 Small Businesses
The PCI DSS Self-Assessment Questionnaires (SAQs) are validation tools intended to assist merchants with self-evaluating their compliance with the PCI DSS. The way your company handles credit card data, and processes credit card transactions, determines the portions of the PCI DSS that apply to your operations.
The simplest version is the SAQ-A, which contains 22 questions. The most comprehensive, SAQ-D, contains over 300 questions. The best way to reduce the scope of the SAQ you need to use is to have a PCI Compliant service provider (like PaySimple) handle as much of the cardholder data flow as possible, so that card data never touches your own systems.
The following lists all the SAQs, and the small business environments applicable to each:
- SAQ-A: Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. (Not applicable to face-to-face channels.)
NOTE: Most PaySimple merchants fall into this category.
- SAQ-A-EP: E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of cardholder data on the merchant’s systems or premises. (Applicable only to e-commerce channels.)
- SAQ-B: Merchants using only imprint machines with no electronic cardholder data storage, and/or standalone, dial-out terminals with no electronic cardholder data storage. (Not applicable to e-commerce channels.)
- SAQ-B-IP: Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. (Not applicable to e-commerce channels.)
- SAQ-C-VT: Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based, virtual payment terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. (Not applicable to e-commerce channels.)
- SAQ-C: Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. (Not applicable to e-commerce channels.)
- SAQ-P2PE: Merchants using only hardware payment terminals included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. (Not applicable to e-commerce merchants.)
- SAQ-D for Merchants: All merchants not included in the descriptions for the above SAQ types.
Selecting the appropriate SAQ can be complicated. If you’re unsure, the best course of action is to ask your merchant account provider, or your payment processing service. Also helpful is the new PCI 3.2 Self Assessment Questionnaire Instructions and Guidelines document.
Important Changes to PCI SAQ-A for Small Businesses
PCI 3.2 is not a radical departure from the previous versions, but along with more stringent requirements for service providers like PaySimple, and changes to all of the SAQs, it is notable for the new enhanced security policies and procedures required for merchants certifying compliance using the SAQ-A.
Previously, the SAQ-A included questions regarding secure storage and destruction of cardholder data on paper (PCI Requirement 9), and company security policies and procedures around protecting cardholder data (PCI Requirement 12). The new 3.2 version of SAQ-A adds requirements (and questions) for securing systems by removing default accounts and passwords (PCI Requirement 2) and implementing strong system access controls (PCI Requirement 8). It also adds the requirement to implement an incident response plan, to be triggered if any cardholder data is compromised.
Specifically, these changes require that:
- All default passwords are changed prior to deploying a system or device (such as a wireless router).
- Any unnecessary generic or default User accounts are removed or disabled prior to deploying a system or device.
- User IDs and passwords are never shared, for any reason; every person has their own account.
- All system access requires, at a minimum, a unique user ID and a strong password.
- Passwords must be at least 7 characters long and contain both letters and numbers.
- All access is immediately terminated when an employee or contractor leaves the company.
- An incident response plan must be in place.
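The account-hygiene items above (no vendor defaults, no generic or shared accounts, the 7-character letters-plus-digits password rule, and prompt revocation for departed staff) are easy to check mechanically once you have an export of the accounts on a device. The script below is an added example written for this page; it is not code from the original post or from PaySimple. The account records, the list of known default credentials, the generic account names and the staff roster are all constructed for illustration (a real audit would read the device's own user list and your HR roster), and the PCI DSS requirement numbers in the finding messages follow the 3.2 text of Requirements 2 and 8.

```python
"""Audit a list of accounts against the SAQ-A 3.2 account-hygiene items.

Added example, not from the original post or from PaySimple. All data below is
constructed; substitute an export from your router, POS or virtual terminal.
"""
import re
from dataclasses import dataclass

# Constructed (and deliberately incomplete) vendor-default credential pairs.
KNOWN_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "root"), ("guest", "")}
# Constructed list of generic account names that should not remain enabled.
GENERIC_NAMES = {"admin", "guest", "test", "user", "demo"}


@dataclass
class Account:
    username: str
    password: str        # plaintext only because this models a device config export
    enabled: bool
    owners: tuple        # names of the people who actually use this login


def meets_password_policy(password: str) -> bool:
    """PCI DSS 8.2.3: at least 7 characters, containing both letters and digits."""
    return (len(password) >= 7
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)


def audit_accounts(accounts, active_staff):
    """Return (username, finding) pairs for every enabled account that breaks a rule."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # a disabled default account satisfies "removed or disabled"
        if (acct.username, acct.password) in KNOWN_DEFAULTS:
            findings.append((acct.username, "vendor-default credentials unchanged (Req 2.1)"))
        if acct.username.lower() in GENERIC_NAMES:
            findings.append((acct.username, "generic/default account still enabled (Req 2.1)"))
        if len(acct.owners) == 0:
            findings.append((acct.username, "no individual owner recorded (Req 8.1.1)"))
        elif len(acct.owners) > 1:
            findings.append((acct.username, "shared account (Req 8.5)"))
        if not meets_password_policy(acct.password):
            findings.append((acct.username, "password fails length/complexity (Req 8.2.3)"))
        for owner in acct.owners:
            if owner not in active_staff:
                findings.append((acct.username, f"owner {owner} no longer active (Req 8.1.3)"))
    return findings


# Constructed sample data: a small shop's wireless router user list and current staff.
ACTIVE_STAFF = {"alice", "bob"}
SAMPLE_ACCOUNTS = [
    Account("admin", "admin", True, ("alice",)),               # default creds, generic name
    Account("guest", "", False, ()),                           # disabled: acceptable
    Account("frontdesk", "Summer2016", True, ("alice", "bob")),  # shared login
    Account("alice", "a1b2c3d4", True, ("alice",)),            # clean
    Account("carol", "Letmein99", True, ("carol",)),           # carol has left the company
    Account("bob", "password", True, ("bob",)),                # no digit in password
]


def run_sample_audit():
    """Audit the constructed sample and return the findings list."""
    return audit_accounts(SAMPLE_ACCOUNTS, ACTIVE_STAFF)


if __name__ == "__main__":
    for username, finding in run_sample_audit():
        print(f"{username:10s} {finding}")
```

On the sample data the audit reports six findings across four accounts; the disabled guest account and alice's account pass. Replace the constructed lists with your own device export and staff roster, and run it whenever someone joins or leaves, not just at SAQ time.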
A Simple PCI Compliance Plan for Your Small Business
The new SAQ-A requirements for User accounts, User IDs, and passwords have long been best practices, and chances are you are already following them—so no operational changes will be required to achieve compliance. At worst, you’ll simply need to document what you are already doing. (If you are not properly securing user accounts, now’s the time!)
The incident response plan may be new to you. However, having a plan in place to address a data breach is an invaluable tool should one occur: you will likely be in panic mode, and a written list of steps to refer to will be not only helpful but also calming. This, too, is merely a matter of documentation.
If you have never addressed PCI for your small business, you have some work to do. But, all it really boils down to is creating policies and procedures for your company that meet PCI Requirements and following those policies and procedures.
This sample small business security policy, which includes an incident response plan, was designed for PaySimple merchants. However, with a few tweaks it is applicable to any small business that outsources all of its payment processing activity and that does not store any credit card data (or stores it only on paper kept in a locked location). Feel free to use it as the basis for creating your own policies and procedures.
Helpful PCI Resources for Small Businesses
The PCI Security Standards Council understands that PCI can be complicated for small businesses, and it wants to help. That’s why it created the PCI Payment Protection Resources for Small Merchants series:
- Guide to Safe Payments
Simple guidance for understanding the risk to small businesses, security basics to protect against payment data theft, and where to go for help. Also available in spiral-bound format.
- Common Payment Systems
Real-life visuals to help identify what type of payment system small businesses use, the kinds of risks associated with their system, and actions they can take to protect it.
- Questions to Ask your Vendors
A list of the common vendors small businesses rely on and specific questions to ask them to make sure they are protecting customer payment data.
- Glossary of Payment and Information Security Terms
Easy-to-understand explanations of technical terms used in payment security.
Also available is the PCI Awareness Training course, a free offering that provides a beginner's overview of the PCI DSS and how it should be implemented to create a secure business environment.
Finding PCI Compliant Service Providers
As noted above, the best way to limit the amount of time and effort your small business spends on achieving and certifying PCI Compliance is to outsource as much of the process as possible. There are a number of service providers, like PaySimple, that offer payment processing services as part of a larger service commerce suite, or that offer stand-alone payment processing services.
In order to maintain your own PCI Compliance you MUST use a PCI Compliant service provider. Regardless of what a salesperson tells you, there are only two ways to be certain that a provider is PCI Compliant:
- The provider is on the Visa Global Registry of Service Providers. (PaySimple is there!)
- The provider can give you a signed AOC for SAQ-D for service providers. (Typically for very small service providers.)
If you can’t get one of these two confirmations, look elsewhere.
The Importance of PCI Compliance
The PCI DSS is designed to provide a set of policies and procedures that will help companies of any size avoid data breaches. And if you’ve kept up with the news at all, data breaches (of credit card numbers and other financial account information, as well as other Personally Identifiable Information (PII)), are a huge concern.
According to the Privacy Rights Clearinghouse:
- 4,737 Data breaches have been made public between 2005 and 2015 resulting in 896,107,177 Compromised Records.
- 1,259 Data breaches of businesses have been made public between 2010 and 2015 resulting in 304,985,035 Compromised Records.
- 140 Data breaches of retail businesses were made public between 2013 and 2015 resulting in 105,294,224 Compromised Records. These include well-known brands including Target, Walgreens, and Adobe as well as local businesses.
While PCI Compliance will certainly not prevent all data breaches, it is a great place to start—and an even better place to exceed.
The first step is to spend some time thinking about how your business handles financial information and payment processing. Then create policies and procedures to help you implement the most secure environments possible. Finally, follow those policies and procedures; make sure your team understands the importance of following them; and make sure you select partners that are as committed to security as you are.