Important Terms:
PCI: Payment Card Industry
PCI DSS: Payment Card Industry Data Security Standard
SAQ: Self-Assessment Questionnaire
AOC: Attestation of Compliance
MOTO: Mail Order/Telephone Order
POS: Point of Sale
Understanding PCI Compliance:
- As a FusionPay customer, you are responsible for securely storing, processing, and transmitting cardholder data.
- The PCI Data Security Standard (PCI DSS) is developed and maintained by the PCI Security Standards Council to provide a set of requirements for the prevention, detection and reaction to cardholder data security breaches that could affect a business.
- To become PCI compliant, a business needs to implement and maintain a series of requirements that create a secure payments environment, protecting your customers and maintaining privacy for their payment card data.
- To certify compliance, complete a Self-Assessment Questionnaire (SAQ) and provide an Attestation of Compliance (AOC) annually.
PCI Compliance Levels:
- To become PCI compliant, your business needs to implement and maintain a series of requirements that create a secure payment environment, protecting your customers and maintaining privacy for their payment card data. To certify compliance, most merchants (except extremely large ones) must complete a Self-Assessment Questionnaire (SAQ) and provide an Attestation of Compliance (AOC) annually.
- The size of your business and the number and type of transactions you complete each year determine the level of compliance you must maintain and the complexity of the SAQ you must complete. Overall, there are four levels of PCI compliance.
- Small businesses processing fewer than 1 million transactions per year are considered Level 4 merchants, as long as fewer than 20,000 of those transactions are classified as e-commerce (your customers enter transactions themselves on a website). If your credit card processing exceeds those thresholds, your business falls into a higher compliance level.
- How you process your transactions is also important. There are different types of SAQ for merchants who process exclusively card-not-present MOTO (mail order/telephone order) transactions, e-commerce (web) transactions, card-present POS (Point of Sale; this includes using a swipe device on a mobile phone or tablet) transactions, or a combination of the three.
PCI Program Benefits:
- The PCI program provides your business with an electronic solution to attest to your annual PCI status, providing you with the ability to perform vulnerability scans if necessary.
- You can review your compliance status and annual renewal date at any time.
- Upon completion of PCI, you will have access to a validation certificate you can show your customers to demonstrate that you take the security of their credit card information seriously.
Maintaining PCI Compliance:
- Only process credit cards using a PCI Compliant Service Provider or PCI Approved Software.
- Always protect cardholder data. This means:
  - Encrypting ANY electronic storage of full credit and debit card numbers.
  - Keeping any paper document containing a full credit card number in a secure location (locked file drawer/safe) when not in use.
  - Limiting access to credit card numbers to employees with a business need.
- Prohibit sharing of user IDs and passwords, and the use of group user accounts.
- Require strong passwords (7+ alpha-numeric characters) for all system access.
- Immediately disable access for all terminated employees.
- Secure all your business computers by installing and activating personal firewalls and anti-virus/anti-malware software, and by disabling all generic or default user accounts and passwords.
- Create a security policy for your business that addresses all aspects of the PCI DSS.
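Two of the controls above (strong passwords, and never keeping full card numbers in plaintext) can be enforced in code. The following is an added example, not FusionPay's software or part of this program: it checks a password against the 7+ alpha-numeric rule stated above and redacts full card numbers from free text (support notes, order comments, log lines) before that text is written anywhere unencrypted. The last-four display format and the Luhn checksum used to tell a card number apart from an ordinary long number are standard practice but are assumptions here, not something this page specifies.

```python
import re

# Assumption taken from the page: passwords must be 7+ alpha-numeric characters.
MIN_PASSWORD_LENGTH = 7


def is_strong_password(password: str) -> bool:
    """Return True when the password meets the page's rule:
    at least 7 characters, containing both letters and digits."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    has_letter = any(ch.isalpha() for ch in password)
    has_digit = any(ch.isdigit() for ch in password)
    return has_letter and has_digit


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (standard card-number check, assumed here, not on the page).
    Used to avoid redacting order numbers or other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form that keeps only the last four digits (assumed format)."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


# 13 to 19 digits, optionally separated by spaces or hyphens, on word boundaries.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid card number in the text with its masked form,
    so the full number never reaches a plaintext record or log."""
    def _sub(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"\D", "", raw)
        return mask_pan(digits) if luhn_valid(digits) else raw
    return _PAN_RE.sub(_sub, text)


if __name__ == "__main__":
    # Constructed sample input: a support note containing a test card number
    # (4111 1111 1111 1111 is a well-known test value) and an unrelated order id.
    note = "customer paid with 4111 1111 1111 1111, order 1234567890123456"
    print(redact_pans(note))
    print(is_strong_password("abc1234"), is_strong_password("abcdefg"))
```

Run the redaction on any text before it is stored or logged; the full card number itself should exist only inside the encrypted storage the first control above requires.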