PCI compliance: so you want to do it yourself? | PCI Booking


We live in a do-it-yourself world. Watch a YouTube video and learn how to build your laptop from spare parts (with some missing instructions), or how to speak French in 50 easy lessons (don't try to speak to a Parisian just yet).

There's even a site that gives you step-by-step instructions on how to become PCI compliant.

At first blush, it appears straightforward. But read further, and find out all the steps and costs involved in protecting data according to PCI DSS standards:

1. Assess your risk if you violate PCI compliance or, even worse, suffer a data breach. Fines are only the beginning. You could lose your right to use credit card clearinghouses. You could face government prosecution as well as civil lawsuits. You could go bankrupt from legal fees alone.

2. Estimate how many transactions you process per year: the more transactions you process, the stricter the merchant level you fall into, and the stricter you have to be about becoming compliant. It ranges from Level 4, with fewer than 20K transactions per year, all the way up to Level 1, with over 6 million transactions per year.

3. Create an information security policy, describing in precise detail all the steps you take to secure customer data. For merchants with many transactions (Levels 1 to 3), this could become a very long book.

4. Commit to best security practices, which include security policies, network security measures, vulnerability management, access control and monitoring.

5. Fill out the PCI Council's self-assessment questionnaire (called SAQ for short, although there's nothing short about the 13 or so pages you need to fill out). Oh, and by the way, be sure you know which of the eight SAQs you need to fill out.

6. Submit the form, along with your CFO's or a similar C-level officer's signed Attestation of Compliance (AoC). Merchants submit to their acquirers; service providers submit to the relevant credit card brands.

7. Not done yet, by any means. Now you need to actually implement safeguards to protect sensitive data:

  • Secure your network, including updating firewalls regularly

  • Secure cardholder data. If stored on the network, encrypt it and protect it behind the firewall. If processed manually, keep it in locked files with permission-only access

  • Change vendor-supplied passwords

  • Manage vulnerabilities: run anti-virus software and limit employee downloads, which could compromise your system

  • Allow access on a "need to know" basis only

  • Monitor and test your networks, all the time

  • Rinse and repeat, periodically, to make sure you are always in compliance

  • Keep records of your actions and submit reports of your PCI compliance efforts to your bank and credit card companies

By now, this list may have put the fear of the authorities in you, for good reason. PCI compliance is not trivial: it takes a lot of work and a lot of ongoing vigilance. And you still may not have covered all the bases.

Instead of trying to do it yourself, with unpredictable results, try outsourcing your PCI compliance to PCI Booking. As an accredited cloud-based service, it looks after all the above-mentioned steps for you. Plus, there's no need to get AoCs and no need to update software.

With PCI Booking, you get instant payment card protection: it tokenizes, transmits and stores data outside your system, so no sensitive data ever touches your environment, keeping you out of PCI scope. It's very easy to implement: no hardware needed. And you don't have to switch payment gateway providers: PCI Booking works with any of them.
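To make the scope argument concrete, here is an added illustration of the tokenization flow described above. It is example code written for this page, not PCI Booking's own software or API: the `TokenVault` class, its `payment-gateway` caller name, the `tok_` token prefix and the merchant record layout are all assumptions made for the demonstration, and the card number is a well-known constructed test PAN. The merchant side ends up holding only a random token and a masked display string; the vault, standing in for the provider's out-of-scope environment, is the only place the full PAN exists and refuses to hand it back to anyone but the gateway. The `find_pan_candidates` scanner is the kind of check a merchant would run over its own logs and database exports to confirm that no card numbers have crept into its environment.

```python
"""Toy tokenization flow: the merchant keeps a token and a masked PAN only;
the full card number lives in a vault the merchant cannot read back.
Added example for this page; not PCI Booking's code."""
import json
import re
import secrets

# 13-19 digits with optional single space/dash separators, not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(pan: str) -> bool:
    """Luhn check: double every second digit from the right; the sum must be 0 mod 10."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    parity = len(digits) % 2
    for i, d in enumerate(digits):
        if i % 2 == parity:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS permits displaying at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Hypothetical vault running in the provider's environment, outside the
    merchant's PCI scope. A real vault would encrypt the PAN at rest under
    HSM-managed keys; a plain dict is used here only to keep the flow visible."""

    def __init__(self, authorized_caller: str):
        self._store = {}
        self._authorized_caller = authorized_caller

    def tokenize(self, raw_pan: str) -> dict:
        pan = re.sub(r"\D", "", raw_pan)
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        # Random token: carries no information about the PAN and cannot be reversed.
        token = "tok_" + secrets.token_urlsafe(18)
        self._store[token] = pan
        return {"token": token, "masked": mask_pan(pan), "last4": pan[-4:]}

    def detokenize(self, token: str, caller: str) -> str:
        """Only the payment gateway may recover the PAN; the merchant never can."""
        if caller != self._authorized_caller:
            raise PermissionError(f"{caller} is not allowed to detokenize")
        return self._store[token]


def merchant_record(booking_id: str, tokenized: dict) -> dict:
    """What the merchant database stores: a reference to the card, never the PAN."""
    return {
        "booking_id": booking_id,
        "card_token": tokenized["token"],
        "card_display": tokenized["masked"],
        "last4": tokenized["last4"],
    }


def find_pan_candidates(text: str) -> list:
    """Scan text for Luhn-valid 13-19 digit sequences. Run this over logs and
    database dumps to verify that no card number leaked into your environment."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def record_is_out_of_scope(record: dict) -> bool:
    """True when the serialized merchant record contains no card number."""
    return find_pan_candidates(json.dumps(record)) == []


if __name__ == "__main__":
    vault = TokenVault(authorized_caller="payment-gateway")
    # Constructed input: a standard test card number, not a real card.
    tokenized = vault.tokenize("4111 1111 1111 1111")
    record = merchant_record("BK-1001", tokenized)
    print(json.dumps(record))
    print("merchant record out of scope:", record_is_out_of_scope(record))
    print("gateway recovers:", vault.detokenize(tokenized["token"], "payment-gateway"))
```

The design point is that the merchant's copy of the data is useless to an attacker and to the merchant alike: the token is random rather than derived from the PAN, so it cannot be brute-forced back, and the masked string is what PCI DSS already allows on a receipt. The scanner is deliberately simple (it will flag any Luhn-valid run of 13 to 19 digits, so expect occasional false positives on long numeric IDs), which is the right trade-off for a check whose job is to prove a negative.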

Some things you just need to leave to a pro. To find out more, visit our homepage.