If your company does or is thinking about processing credit card payments, whether it’s a single transaction or millions, it’s wise to ensure that those payments go through a PCI-DSS compliant environment. PCI-DSS is a set of security standards established by the leading credit card companies, e.g. Visa, MasterCard, American Express, and Discover.
To be clear, there are a number of different devices and technologies that require security. These include card readers, point of sale systems, networks and wireless access routers, payment card data storage and transmission, and online payment applications and shopping carts.
Whether your company falls into one or multiple of these categories, it’s worth achieving and maintaining PCI compliance to not only better protects customers and their important financial data, but also to reduce the risks of processing payments for your company.
Getting Started
Typically, the road to PCI compliance starts with a phone call. That call is placed to an IT security company that guides the PCI compliance process. It’s important to find a company that is a certified PCI assessor for this type of work to ensure optimal results. Fortunately, the folks at the PCI governing body have a searchable database of licensed companies that perform these services around the globe.
After finding a company to help direct the process, an individual assessor comes to begin the audit of the technology environment. Fortunately, with PCI, the requirements for compliance are codified. Following the initial audit, the assessor issues a Report on Compliance (ROC), a two hundred page document that indicates which aspects of the technology environment meet the PCI standard and which do not.
Some of the broad headings that the ROC covers include:
- Firewall and router configurations
- Change passwords on all components from vendor-supplied defaults
- Protecting card holder data, e.g. not storing authentication data after authorization
- Use of strong and secure encryption when transmitting data over open or public networks
- Keeping third party software up to date with appropriate patches, bundles, etc.
All of these items each have several pages of detailed requirements that must be met.
Compliance Factors
It should come as little surprise that the technological and security requirements for PCI compliance are extensive. With the ROC in hand a company then must begin the process of bringing the areas that are not complaint up to standard.
So what kinds of things does a PCI assessor need to certify an environment as compliant? Assessors evaluate the way in which users access the environment. This includes how many layers of authentication one has to go through. For example, an authorized person might have three or four different layers where they need to enter a password to gain access to the environment. It’s not a bad idea to bolster the login process with additional authentication steps, such as those available with something like Google Authenticator or similar software.
The process also includes a thorough scan of the environment, including firewalls. They look at actual network architecture schematics and make sure that companies have a documented recovery plan in place in the event that something happens to the data or the physical servers, i.e. they’re destroyed in a fire or some other unplanned or unexpected event.
The physical location where the environment servers are stored needs to be PCI-compliant as well. This means that access to the physical servers needs to be restricted with lock and key, or electronic locks that work with security badges. Points of egress and ingress must be under video surveillance at all times. PCI requires limiting access to any devices in the PCI chain to relevant personnel. It probably doesn’t make sense for the executive assistant or intern to have access to the PCI environment because it’s not part of their job function.
If a company keeps their rack servers in their office, then the office itself needs to meet the PCI requirements in terms of physical security and access to those devices. If a company’s servers exist in a data center somewhere off site, then that data center needs to be PCI-compliant as well.
An Annual Tradition
PCI compliance isn’t simply a one-and-done task. The PCI standards are constantly evolving to keep up with best practices vis-à-vis technology. Therefore, it’s necessary to audit the environment every year. In total the PCI compliance process takes anywhere from 2–3 weeks to several months to complete so a considerable deal of planning and coordination goes into the audit process.
During an audit, an assessor observes the way people access the environment, at times literally watching over the shoulder of a system engineer to ensure everything is up to standard. The assessor also tries to gain access to the system, in essence to hack into the system in an attempt to uncover weaknesses.
At the end of the audit, and assuming the environment meets PCI standards, the assessor issues an Attestation of Compliance (AOC) that the company can then use to prove the security of their technology.
In addition to the annual audit it’s necessary to scan your own system monthly for documentation purposes. Above and beyond these internal scans, companies than want a PCI environment must have quarterly external scans as well. This means hiring a licensed IT security firm to essentially hack your environment and document their findings.
It Takes a Village
In order to ensure the process progresses efficiently companies should invest in a project manager dedicated to compliance or a compliance officer. A considerable amount of documentation goes into PCI compliance, and having someone in place to track and manage that documentation is a virtual necessity.
In addition to administrative needs, it takes a whole host of people to establish and maintain a secure PCI environment. This includes network engineers, systems engineers, software engineers, external auditors, and lawyers for any legal documentation. It’s true that these individuals don’t need to commit 100% of their time to PCI compliance, but they all play critical roles in the maintenance of a PCI environment.
When thinking about the cost of obtaining PCI compliance, the audit itself typically costs upwards of $10,000, but that doesn’t include the personnel costs associated with all of the contributors to the process. There is also the cost of hiring an external security firm for quarterly system scans. On top of this, PCI requires background checks on anyone who enters a PCI environment, so factoring in the time and funds for that is important as well.
Not a DIY Task
While some people may think that obtaining PCI compliance is a mere formality, in reality it is a time and resource intensive process.
The PCI merchant levels correspond to the volume of credit card transactions a company engages in on an annual basis. The levels range from 1 (highest) to 4 (lowest) and the technological and security requirements increase with each one.
Chart Key:
Qualified Security Assessor (QSA)
Approved Scanning Vendor (ASV)
Self-Assessment Questionnaire (SAQ)
Fortunately, here at Plum Voice we go through the lengthy and complicated compliance process so that our customers don’t have to. Our Plum Fuse platform is merchant level 1 PCI-compliant. That means that if a company wants to process payments over the phone, but don’t have (or want) to go through the PCI compliance process, they can do so by simply using Plum Voice, thereby gaining the benefit of best-in-breed voice communications technology and PCI compliance.