If your business accepts credit card transactions, then you should be familiar with the Payment Card Industry Data Security Standard (PCI DSS). The rules (usually abbreviated as PCI) are a set of guidelines that govern how businesses safeguard sensitive credit card information, with the goal of minimizing data breaches and fraud.

Many merchants know PCI only as a mysterious surcharge from their credit card processor. But PCI compliance can become a serious and costly issue, especially if your bank unexpectedly demands that you prove compliance. Here, we've created a straightforward guide that cuts through both legalese and technical jargon to explain what PCI is and how to determine your compliance obligations.

Underneath the acronyms, PCI is actually very simple: a set of rules established by credit card companies to ensure that merchants keep their sensitive data secure. PCI was established in 2006 by Visa, Mastercard, Discover, American Express, and JCB, and it has been updated periodically since then.

The specific standards are written by a council created by the payment companies: the Payment Card Industry Security Standards Council (PCI SSC). However, the rules aren't enforced by the council but by the card companies and acquiring banks.

It's important to emphasize that PCI is not a law. However, given the clout of the five major card brands, as well as the credit card processors and acquiring banks, PCI is functionally mandatory. Credit card companies can fine acquiring banks for noncompliance. Banks, in turn, will charge merchants a PCI non-compliance fee and can even stop working with a business altogether.

Conversely, most credit card processors and merchant service providers also charge a monthly or annual PCI compliance fee. Many providers that charge this fee include services to make sure your business is PCI-compliant. However, some just tack on the surcharge without giving you anything in return.

PCI Overview

All PCI rules relate back to a central goal: to encourage merchants to store as little credit card information as possible, so they are less vulnerable to data breaches and fraud. Meanwhile, PCI also helps craft guidelines for the service providers that handle cardholder data, to minimize their exposure.

PCI helps to minimize risk by imposing lighter standards on merchants who do a few key things:

- Outsource credit card processing and data storage to trusted service providers.
- Regularly audit and update their security measures, such as encryption, password changes, etc.
- Keep internal systems as simple as possible.

In the case of brick-and-mortar merchants, for instance, the guidelines point to Wi-Fi, in-store cameras, and physical terminals as threat vectors that hackers can use to steal data.

PCI DSS defines a merchant as "any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC." So while the term "merchant" can evoke a traditional idea of retailers, the term here is much broader. It's also important to note that debit cards, if they bear the logo of the major brands, also fall under the rules.

Meanwhile, PCI defines a service provider as an entity that is "directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data." So if a merchant uses Stripe or PayPal to handle e-commerce payments, those are service providers, but the category can also include your website hosting provider, your identity and access management (IAM) platform, and any other service that touches this data. Unsurprisingly, service providers can also be merchants, since they too accept cardholder data as payment.

So what kind of data are we talking about? Cardholder data under PCI includes the card number, which PCI calls the "primary account number (PAN)." It can also mean the PAN together with the cardholder's name, the card's expiration date, or the security code.

Does PCI apply to your business? The short answer is yes! If your business accepts card payments, whether in person, online, or over the phone, PCI applies to you. However, your obligations under PCI vary dramatically depending on what type of business you have and how you handle payments.

The best way to determine your business's obligations is to take the self-assessment on PCI's website. But there are multiple self-assessment questionnaires, so you need to determine which one best applies to your business. Figure out which designation describes how you process credit card payments, and then take the appropriate questionnaire. You can do that using the table PCI provides. You might notice that the vast majority of the merchant types in that table describe businesses that don't store credit card information themselves.