The purpose of this mini-series of articles is to familiarize small and medium-sized merchants with the concept of PCI compliance and with the available solutions that allow them to reduce their PCI scope (or get out of it entirely).
What is PCI compliance about?
As credit card processing technology advanced, the scale and variety of credit card fraud grew along with it. To prevent the mishandling of credit card data during processing, the Payment Card Industry compliance (PCI compliance) requirements were introduced (more detailed info can be found here).
While many businesses wish to accept and process credit cards, relatively few are equipped with all the tools and resources needed to meet the strict PCI certification regulations. As a consequence, several solutions are available to small and medium-sized merchants that allow them to get out of PCI scope or to simplify their PCI audit (reduce their PCI scope).
Before moving on to detailed coverage of these options, it is worth listing the key PCI compliance requirements, which are defined and maintained by the PCI Security Standards Council (PCI SSC).
PCI DSS stands for Payment Card Industry Data Security Standard. The standard specifies the requirements to be followed by any organization dealing with payment cards. These requirements are primarily meant to protect credit card data and prevent security breaches. Any business wishing to attain PCI compliance must follow the PCI DSS standard. The requirements and objectives that businesses must meet under PCI DSS can be found here.
In addition to the PCI DSS standard, which concerns the PCI compliance of businesses operating with payment cards, there is a more concise standard for payment card processing software, called PA DSS (Payment Application Data Security Standard). PA DSS lists the requirements that payment processing applications must meet in terms of cardholder data protection. The complete list of PA DSS requirements can be found here.
To keep track of all PA DSS compliant applications, PCI SSC maintains a special list of Validated Payment Applications.
In a nutshell, PCI DSS is targeted at businesses that accept credit cards (such as retail stores, health clubs, collection companies and others) and at those that offer payment applications in hosted mode (such as payment processors, payment gateways and e-wallet companies).
PA DSS, on the other hand, is targeted at software packages built by companies that do not necessarily handle payment card data themselves, but whose products are distributed to end users (who do process credit cards) and installed on their machines or in their networks. In general, PA DSS requires these products to ensure the security of payment card data processing.
More information on standards and other PCI SSC documents can be found here.
The two components of PCI compliance
At a high level, businesses that deal with PCI compliance face two issues:
- Cardholder data storage – whether credit cards should be stored at all, how they should be stored, and who bears the liability for storing them.
- Cardholder data flow – at which point a credit card is accepted, swiped vs. keyed card processing, which software is used to process credit cards, and how the card data gets persisted.
While it is generally understood and accepted that storing cards puts a merchant in PCI scope, people often misunderstand the concept of card flow, thinking they are out of scope while actually being in it.
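A concrete way to see how card data can end up in scope without anyone deciding to "store cards" is to look for full card numbers that have leaked into places like application logs. The following is an added example, not code from the original article: it scans a few constructed log lines for 13- to 19-digit runs, keeps only those that pass the Luhn check (which filters out ordinary numeric IDs), and reports each hit in masked form (first six and last four digits) so the scan output itself does not become another copy of the data. The sample lines and the card numbers in them are constructed test values, not real cards.

```python
import re

# Constructed sample log lines for this example (not from the article).
# The card-like values are standard test numbers, not real accounts.
SAMPLE_LOG_LINES = [
    "2024-05-01 10:02:13 INFO order=1001 status=approved card=4111111111111111",
    "2024-05-01 10:02:14 INFO order=1002 status=approved card=411111******1111",
    "2024-05-01 10:02:15 DEBUG request_id=1234567890123456 trace=abc",
    "2024-05-01 10:02:16 INFO order=1003 status=declined pan=5555555555554444",
    "2024-05-01 10:02:17 INFO order=1004 keyed=yes acct=378282246310005",
]

# Any run of 13 to 19 digits is a candidate PAN; masked values with '*'
# are skipped automatically because they no longer form a pure digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list:
    """Return all Luhn-valid candidate PANs found in a piece of text."""
    return [m.group(0) for m in CANDIDATE_RE.finditer(text) if luhn_ok(m.group(0))]


def scan_log(lines) -> list:
    """Return (1-based line number, masked PAN) for every PAN found."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            hits.append((number, mask_pan(pan)))
    return hits


if __name__ == "__main__":
    for line_no, masked in scan_log(SAMPLE_LOG_LINES):
        print(f"line {line_no}: unmasked PAN found ({masked})")
```

Lines 1, 4 and 5 are reported; line 2 is already masked and line 3 is a 16-digit request ID that fails the Luhn check. A log file like this one is cardholder data storage whether or not it was ever intended as such, which is exactly the card-flow trap the article describes.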
In the subsequent articles, we are going to present some guidelines to follow while evaluating your card storage strategy and overall card data flow, and provide suggestions on how to make PCI compliance more attainable and the PCI audit less labor-intensive.