PCI DSS Compliance: Why It Matters for Merchants and Service Providers

Table of Contents

  1. What Is the PCI DSS?
  2. What Are the PCI DSS Requirements?
  3. Who Maintains the Standards for PCI DSS Compliance?
  4. What Are the Levels of PCI-DSS Compliance?
  5. Who Needs PCI DSS Compliance?
  6. What Happens if I Am Not PCI Compliant?

Credit card fraud is an ever-present problem in e-commerce, and it won't be going away anytime soon. As hard as the payments industry works to prevent fraud, at least a few fraudsters will always find ways around any defenses put in place.

Most fraud prevention centers around detecting purchases made with stolen credit card information, using everything from simple checks to advanced technology to try to sort the real customers from the fake ones. However, there are also systems in place to try to prevent credit card information from being stolen in the first place.

While payment credentials are often stolen from customers through phishing schemes, merchants who save their customers' payment credentials for future purchases present an appetizing target for hackers. Stolen credit card numbers may sell for less than a dollar on the dark web, but when a single hack can result in anywhere from several thousand to several million stolen credit card numbers all at once, it's more than worth the effort for anyone with the requisite ability.

In order to combat this, the payments industry maintains a set of information security standards that any business handling credit card information must follow.

The Payment Card Industry Data Security Standard (PCI DSS) applies to all organizations that process credit cards from the major card networks. It provides guidelines on how to safely handle cardholder information to reduce fraud and data theft. How can merchants protect their customer data and prevent fraud by complying with the PCI DSS?

What Is the PCI DSS?

The Payment Card Industry Data Security Standard, or PCI DSS, is a set of security requirements for databases containing sensitive customer information such as credit card numbers. These requirements are updated periodically to account for new threats and new technology.

Adhering to the PCI standards isn’t just a matter of internal practice. Compliance with the PCI DSS is certified by the PCI Security Standards Council, and for many merchants, PCI DSS certification is an important way to communicate to their customers and partners that they take data security seriously and have taken all the steps necessary to protect sensitive data to the best of their ability.

Online fraud is constantly evolving and adapting to the measures and practices designed to thwart it, so there will never be a set of standards that provides perfect, infallible protection against data breaches and payment card fraud.

That said, compliance with PCI DSS provides assurance that a merchant is following the best, most up-to-date industry recommendations to keep their data secure and ensure the safety of their customers.

What Are the PCI DSS Requirements?

The PCI DSS organizes its requirements into six categories called control objectives. There are twelve requirements in total, including rules for firewalls, passwords, encryption, access, monitoring, and testing. The details of these requirements are as follows:

Build and Maintain a Secure Network and Systems

  • Install and maintain a firewall configuration to protect cardholder data. The firewall should scan all incoming network traffic and prevent untrusted networks from accessing your systems.
  • Change the vendor-supplied defaults for system passwords and other security parameters. Default passwords are the first ones a fraudster will try—you must use strong, unique passwords to protect your systems.

Protect Cardholder Data

  • Protect stored cardholder data with encryption, hashing, masking, truncation, and other recommended methods.
  • Encrypt transmissions of cardholder data over open, public networks. Strong encryption is preferred.

Maintain a Vulnerability Management Program

  • Protect systems against malware and perform regular updates of anti-virus software.
  • Develop and maintain secure systems and applications. Vulnerable software should be patched immediately when security gaps are discovered.

Implement Strong Access Control Measures

  • Restrict access to cardholder data to authorized personnel only, and on a strict “need-to-know” basis.
  • Identify and authenticate users who access system components. Each user should be assigned a unique ID in order to provide accountability when cardholder data is accessed.
  • Restrict physical access to systems that store cardholder data.

Regularly Monitor and Test Networks

  • Track and monitor all access to cardholder data and network resources. There should be logging mechanisms in place for user activities that can affect cardholder data.
  • Test security systems and processes on a regular basis in order to identify new vulnerabilities that could be exploited.

Maintain an Information Security Policy

  • Maintain a strong information security policy for all personnel. Educate employees and contract workers on the importance of protecting sensitive cardholder data.

Who Maintains the Standards for PCI DSS Compliance?

The PCI DSS is overseen by the PCI Security Standards Council, which was jointly established in 2006 by Visa, Mastercard, American Express, Discover, and JCB International. Their mission is to provide standards that increase the security of cardholder data in order to protect it from fraud.

Originally, each card network maintained their own set of standards. Recognizing the growing threat of fraud and the difficulty in complying with several different sets of overlapping standards, they began to work together to form a single global set of effective standards, which became PCI DSS.

The Security Standards Council issues supplemental information and guidelines to clarify aspects of the PCI DSS when necessary and certifies individuals as Qualified Security Assessors and Internal Security Assessors to assist in auditing merchants for compliance.

Merchants who are found to be out of compliance with PCI DSS at the time of a data breach may be subjected to fines and other penalties imposed by the affected card networks.

What Are the Levels of PCI-DSS Compliance?

Every merchant is beholden to the PCI DSS. The compliance levels are based on how many transactions the merchant processes each year. Each card network sets their own thresholds. There are 4 levels of compliance in total.

  • Level 4
    • Less than 20,000 Visa, Mastercard, or Discover transactions per year.
  • Level 3
    • 20,000 to 1,000,000 Visa, Mastercard, or Discover transactions per year.
    • Less than 50,000 American Express transactions per year.
  • Level 2
    • 1,000,001 to 6,000,000 Visa, Mastercard, or Discover transactions per year.
    • 50,001 to 2,500,000 American Express transactions per year.
  • Level 1
    • More than 6,000,000 Visa, Mastercard, or Discover transactions per year.
    • More than 2,500,000 American Express transactions per year.

At levels two through four, compliance is determined based on an annual self-assessment and quarterly network scans. Level one compliance requires an annual on-site assessment performed by an authorized third-party vendor, as well as the quarterly scans.

Merchant service providers—the vendors who provide web hosting, e-commerce software, anti-fraud tools, and chargeback management—must also maintain PCI DSS compliance, or the merchants who use their services may be liable for data breaches regardless of their own compliance status.

For merchant service providers, level one compliance requires an on-site audit from a Qualified Security Assessor approved by the PCI SSC. In order to protect our clients and ensure the highest levels of security and data protection, Chargeback Gurus has obtained level one PCI DSS compliance as a merchant service provider.

To learn the root causes of chargebacks and develop the most effective strategies to fight them, it is necessary to analyze chargeback and transaction data.

The last thing a merchant should have to worry about when they’re dealing with a chargeback problem is that their service provider might expose them to additional risk. Level one PCI DSS compliance provides assurance that we are meeting the most up-to-date security practices in the e-commerce industry.

FAQ

Who Needs PCI DSS Compliance?

Any business that handles credit or debit card information is required to maintain PCI DSS compliance. This includes merchants, processors, and merchant service providers of various kinds.

What Happens if I Am Not PCI Compliant?

Businesses that fail to comply with PCI DSS standards and suffer a data breach must pay a fine, which can be anywhere from $5,000 to $500,000. Merchants can also be blacklisted and have their accounts terminated.


Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions or requests for advice to: win@chargebackgurus.com
