When it comes to the PCI DSS compliance discussion with your clients, things can get confusing fast. Merchants have many voices telling them various bits of information about their compliance—the bank, the payment processor, the POS solution provider, the POS integrator and so on. Most of the time, the information provided is out of context, incomplete or flat-out incorrect. As their IT service provider, you can play a central role in cutting through the confusion and providing a clear path to compliance.
Oftentimes, the best way to optimize your client relationships is to get back to basics. The following PCI DSS reminders and suggestions will help you step in effectively as the technology advisor and resource your customers rely on to clarify the complexities of the IT channel.
PCI DSS Facts
- PCI DSS is the Payment Card Information Data Security Standard
- It is governed by PCI SSC, the Payment Card Information Security Standards Council
- The PCI SSC was founded by five global payment brands: American Express, Discover, JCB International, Mastercard, and Visa
- Enforcement of compliance, and any non-compliance penalties, is carried out by the individual payment brands, not the Council
- PCI SSC has two priorities:
1. Help merchants and financial institutions understand and implement standards for security policies, technologies and ongoing processes that protect their payment systems from breaches and theft of cardholder data
2. Help vendors understand and implement standards for creating secure payment solutions
- PCI compliance actually comprises three security standards:
1. PCI DSS for Merchants and Service Providers
2. PCI PA-DSS for Payment Application Software Developers
3. PCI PTS for Manufacturers of PIN Entry Devices
If you accept credit card payments, you are on the hook.
It is likely that some, if not all, of your clients are required to meet PCI DSS requirements. PCI DSS applies to all organizations or merchants that accept, transmit or store cardholder data, regardless of size or number of transactions. PCI DSS also applies to all payment methods, including e-commerce, mail and telephone orders, and brick-and-mortar transactions. This means restaurants, retailers, hotels, doctors’ and lawyers’ offices, and small and large businesses alike all need to stay on top of their compliance status.
The benefits of complying far outweigh the risks of non-compliance.
The Data Security Standard (DSS) should be considered just that, a “standard”—a minimum requirement to having the privilege to handle and process sensitive credit card data. Complying with the standard means your clients’ systems have a baseline security strategy in place. This helps their customers feel confident and secure doing business with them. In turn, you will see that loyalty from your clients. Compliance with PCI DSS can also offer indirect benefits—for example, your clients will be better prepared to comply with other relevant regulations or security functions to harden their security posture.
Compliance with PCI DSS also acts as a solid baseline for a corporate security strategy and will help you identify ways to improve the overall efficiency of your clients’ IT infrastructures.
If your clients are not compliant, it could lead to disastrous consequences, for them and for you. If a client’s business experiences a data breach, it has the potential to hurt their business through fines, loss of revenue, or loss of customer trust due to local press coverage of the breach. This could cause your client to lose faith in you as their service provider. Other negative consequences can include lawsuits, insurance claims, cancelled accounts, and payment card issuer fines.
You might be asking yourself, "How can I protect my clients when I am not a PCI DSS compliance expert myself?" Don’t worry: you don’t need to be an expert to help ensure your clients are PCI compliant.
Get started with a simple assessment or checklist.
You and your clients should take advantage of this five-minute interactive PCI Compliance Quiz. The quiz will help you and your clients learn which of the 12 PCI DSS requirement categories need extra attention to achieve compliance. The SAQ (self-assessment questionnaire) includes up to 302 questions a merchant must answer to verify PCI DSS compliance. Learn how to simplify the process and be audit-ready at all times.
If you find your clients are not PCI compliant and you would like to help them reach compliance, we are here to help. EventTracker and Continuum have forged a strong partnership to bring you Detect & Respond - Network and Compliance, which maintains auditor-ready artifacts so you and your client are always prepared. We provide both summary and detailed reports not only for PCI DSS, but also for HIPAA and NIST 800-171. Want to take a deeper dive into what PCI compliance entails? Check out this solution brief.
By Lily Teplow
By Brian Downey
By Dave LeClair