PCI Compliance Primer for ISVs

If your software is used in applications where credit cards are accepted as payment, you need to understand the security requirements of PCI. Here's a primer.

Software developers unfamiliar with the nuances of incorporating credit card processing into their software might wonder what “PCI compliance” means when they first hear the term, and why it matters for their business. PCI compliance means adhering to the Payment Card Industry Data Security Standard (PCI DSS), which has been endorsed by all major credit card providers. This set of standards helps to maintain security for merchants that accept credit card payments, and any merchant that accepts, transmits, or stores payment card data needs to be compliant.

For a more in-depth explanation of what PCI compliance is, read on below:

PCI compliance helps to deter and prevent credit card fraud, which protects your customers and your business in a nation that is especially exposed to fraud risk. The United States is responsible for more than one-third of global credit card fraud. While the U.S. generates only 22.9 percent of global purchase and cash volume, it accounts for 38.7 percent of total payment fraud. Fraud threats aren’t just external; they can also arise inside your business, from your very own employees.

Ensuring your payment processing methods are PCI compliant helps your business stay legal and helps safeguard you from a costly breach. Here’s what to be aware of:

What Are the PCI Standards?

There are 12 basic requirements your business payment processing must meet in order to be considered PCI compliant. Any merchant services provider you use should follow all of these to ensure compliance.

  1. Protect cardholder data with an effective firewall configuration.
  2. Ensure all system and security passwords are unique, and never use vendor-supplied default passwords.
  3. Ensure cardholder data is protected.
  4. Encrypt cardholder data when it is transmitted across open and public networks.
  5. Employ effective, updated anti-virus software.
  6. Make sure systems and applications are developed and maintained for security.
  7. Restrict cardholder data sharing within the business.
  8. Ensure each employee has a unique ID for computer access.
  9. Restrict physical access to cardholder data.
  10. Regularly monitor network resource access.
  11. Install, test, and maintain security systems.
  12. Create and maintain an information security policy.

All of these requirements seem like common sense for a business. They’re even simpler to implement when you use a payment processing provider that does all the work for you. You can be assured that payment security is maintained, and work on other aspects of your business.

PCI Compliance Is Non-Negotiable

PCI compliance applies to all merchants, whether they have physical stores and point-of-sale machines or process payments online or anywhere else. Beyond credit cards, any debit cards that can also be processed as credit cards must be protected as well.

If one of your merchants suffers a breach and you do not meet PCI compliance standards, they may be required to pay significant fines to banks, as well as hefty compensation to customers, merchants, or other entities.

PCI compliance elements are also legally binding in some cases. For example, if you store customer data, you may be violating state and federal privacy laws. Customer data that may not be stored includes unencrypted credit card numbers, card verification values, and PINs. Even if a breach has not taken place, if you are storing data like this in a spreadsheet or backup, your business may be breaking the law.

How Merchants Maintain PCI Compliance

To ensure a merchant stays compliant, they should request a certificate of compliance from their merchant services provider at least once a year. Everything they use to process payments, from their point-of-sale machines to their e-commerce store, must be PCI compliant to ensure they meet the standards.

Because they’ll be creating and updating an information security policy as part of their PCI compliant payment processing, they should make sure all employees have access to this document. Proper training and follow-ups should be implemented to ensure the mastery of PCI compliance within their business. Keep a living copy of the policy in a central location so it is always accessible to the team.

Your business can regularly conduct security tests that mimic the behavior of fraudsters, so that you can identify and quickly fix any problems. Connect your IT team with your merchant services provider, so they can work together to create an optimally secure system.

The costs involved in creating, testing, and maintaining PCI compliant payment processing for your business are worth the protection that is offered. If your merchant does suffer a breach and you were not following PCI standards, you may suffer a significant financial loss, not to mention the loss of your customers’ trust and damage to your business reputation. For merchant services that ensure your business stays PCI compliant, contact us.

North American Bancard