Having a merchant account allows your business to accept credit cards and other electronic payments, but it also means the added responsibility of dealing with sensitive customer information. This responsibility is clearly outlined by PCI compliance requirements.

Securely handling customer data is more critical than ever as high-profile hacking and data breaches have cost various large corporations millions of dollars as well as the loss of reputational trust.

But it’s not just large corporations. Small businesses can suffer data theft and in some ways, it may be harder for a small business to recover from these incidents depending on the severity.
But much of this risk for merchants can be mitigated by following rules and best practices set out by the card issuing banks themselves.

These rules are known as PCI DSS, which stands for Payment Card Industry Data Security Standard. These mandated guidelines and rules help merchants keep their data and information secure.

Below, we’ll go over the PCI rules and guidelines and explain each one as well as tips for merchant PCI compliance.

PCI DSS Explained

When you apply for a merchant account and are accepted, somewhere in the documentation you sign during the approval process you agree to abide by the rules and guidelines outlined in the PCI-DSS protocols. The paperwork you receive after acceptance should also include these credit card PCI requirements.

If you have not received it, contact your payment processor who can provide you with a link to the required documentation.

These guidelines were created by the PCI Security Standards Council (PCI SSC) and set a Data Security Standard (DSS). This is where the term PCI-DSS comes from.

Compliance with these standards involves both technical and operational standards. For example, data security will involve the mandatory use of a firewall, but it also includes visual inspections of POS hardware or locking physical access to cardholder data.

PCI DSS Levels

There are also different levels of PCI DSS compliance. For example, PCI DSS level 1 is the highest. Each level corresponds to the merchant's volume of transactions. The chart below shows which PCI DSS compliance level applies at each transaction threshold.

PCI DSS Level 1 – Over $6m in transactions per year
PCI DSS Level 2 – $1m to $6m in transactions per year
PCI DSS Level 3 – $20k to $1m in transactions per year
PCI DSS Level 4 – Less than $20k in transactions per year

Levels 2 – 4 require that merchants fill out a self-assessment questionnaire (SAQ). Level 1 compliance does not allow for self-reporting and instead requires a Report on Compliance (RoC) as well as a third-party Qualified Security Assessor (QSA) to perform an audit.

You can view which SAQ questionnaire you need to follow with this chart. You may also be required to perform quarterly or annual ASV scans, which we’ll touch on in a later section.

In essence, these PCI DSS requirements focus on protecting cardholder data across the entire processing flow, from the moment customer data is captured through its transmission via the payment gateway. This also covers any data that moves through or is stored on your private network, both during and after the transaction.

All compliant PCI merchants are required to audit their operations at least once per year to ensure all PCI standards are being followed during the transmission of cardholder data. If any lapses are detected, the merchant is expected to rectify them immediately. Some of these audits will need to be performed by PCI-approved vendors depending on your transaction level.

As for who is responsible for PCI compliance, this ultimately falls on the merchant.

What Are The PCI Compliance Requirements?

So, exactly what are the PCI DSS Requirements? In the following sections, we will dive into the key guidelines for PCI compliance requirements and go over actionable tips for each one to help you perform your annual audit and ensure you are always in compliance.

The PCI compliance requirements are based on 6 goals, and each goal has its own rules that merchants follow at POS terminals or online to achieve the security goal. You can see the complete breakdown of each goal and its related rules below.

Goal: Build and Maintain a Secure Network and Systems

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Goal: Protect Cardholder Data

  1. Protect stored cardholder data
  2. Encrypt transmission of cardholder data across open, public networks

Goal: Maintain a Vulnerability Management Program

  1. Protect all systems against malware and regularly update anti-virus software or programs
  2. Develop and maintain secure systems and applications

Goal: Implement Strong Access Control Measures

  1. Restrict access to cardholder data by business need to know
  2. Identify and authenticate access to system components
  3. Restrict physical access to cardholder data

Goal: Regularly Monitor and Test Networks

  1. Track and monitor all access to network resources and cardholder data
  2. Regularly test security systems and processes

Goal: Maintain an Information Security Policy

  1. Maintain a policy that addresses information security for all personnel

Some of these rules may seem like they specifically apply to online transactions instead of just POS transactions. While that may be true in some cases, depending on how your business operations are set up, you may still need to follow those PCI compliance requirements even if you only process in-person payments for the various credit card brands.

For example, if your customer data travels over a private network or if you process cards via a virtual terminal, many of the networking security protocols will still apply to your business.

Below, we’ll go over each rule for card industry data security and what it means as well as how to achieve compliance.

Infographic explaining the goals of PCI compliance for merchants that accept credit card payments

12 Rules for PCI DSS and POS Compliance for Merchants

1. Install and maintain a firewall configuration to protect cardholder data

This is a general networking best practice but it also applies to anyone handling customer billing information.

A firewall is a security feature that monitors the traffic into your network as well as out of it. The firewall is configured with a set of rules so that unauthorized or suspicious network traffic can be blocked before entering the network.

Your network should always have a firewall in place, and it should be configured for maximum security while still allowing daily business operations and communication.

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Most vendor-supplied hardware or software may come with default or pre-configured security options, including passwords. 

These are usually set up to allow for fast installation or configuration. However, these settings and passwords are not the most secure, and they need to be changed immediately after installation and configuration. 

Never use default passwords for your networking hardware or software. This includes any WiFi or internet routers or modems. Many of the default configurations and passwords for these are not secure and some passwords are even shared.

This also includes any POS hardware terminals.

3. Protect stored cardholder data

This is the most critical rule for merchants and it has to do with storing primary account numbers (PAN). Besides the account number, authentication data must not be stored after authorization, even if it is encrypted.

Authorization data includes expiration dates as well as CIDs, CVC2, CVV2, and PINs.
PANs must be masked when displayed, showing at most the first six and the last four digits.

Finally, all data must be encrypted and unreadable no matter where it is stored.
Merchants need to be aware of every place where account information may be stored. For example, some bookkeeping software or other tools may be storing billing information if they pull data from your sales or invoicing records.

4. Encrypt transmission of cardholder data across open, public networks

All customer information that is transmitted on public or private networks must be encrypted. For online processing, this means websites must have a valid SSL certificate. Internally, network transmission must also be encrypted. So even if you don’t process online sales, your virtual network or POS-connected computers still likely communicate via a local network.

Check your routers and hardware to make sure they are using the most advanced encryption, for example, WPA3 instead of WPA2, AES, or TKIP, which are outdated.
Finally, never send card information via methods such as email, SMS, or other unprotected protocols.

5. Protect all systems against malware and regularly update anti-virus software or programs

Make sure that all computers connected to any POS hardware or that handle customer card data have up-to-date antivirus and anti-malware software installed. It’s also required that all work computers or servers on-premise be protected by anti-virus software.

Many of these programs allow for automatic updates which is crucial to keep them effective at stopping threats. If your software is outdated, update it immediately or purchase a new license if it is no longer supported.

6. Develop and maintain secure systems and applications

For POS hardware and processing, this means keeping up to date with any firmware or software updates that are released. Regularly check your POS hardware and software to make sure it is up to date with the current patches.

If you have any questions regarding your hardware, contact your payment processor and they can help ensure your devices are compliant.

Trusted processors like ECS Payments have dedicated, in-house staff to assist merchants with PCI DSS compliance issues to make sure their processing is secure.

Besides the POS hardware and software, this also applies to all other software programs that may be handling card information.

7. Restrict access to cardholder data by business need to know

This means both data and POS hardware. Make sure no one who is not authorized can access POS hardware or devices. Any computers attached to those devices should also be accessible by authorized personnel only.

Any paper records that contain customer data must also be restricted either by a physical lock or other similar methods.

At the system level, this may mean restricting access to each individual based on what access they require to do their job. Don’t give full access to all employees or businesses.

8. Identify and authenticate access to system components

This means every employee should have a unique ID and login when they access a computer or are working with POS transactions or terminals.

Don’t let users or employees share logins or use one universal login. For example, when an employee is handling transactions involving POS hardware, they should log in with their unique ID and log out when finished.

The same goes for any employees with access to customer data via customer support channels or other means.

9. Restrict physical access to cardholder data

When dealing with POS terminals, this rule mostly applies to information that is captured and then stored. The location of storage needs to be secure and with access limited to those who have a need.

This includes all data backups, hard drives, and other storage devices. If customers are on-premise, there must also be clear signage or ways that prevent customers from accessing areas of storage or where data is handled.

10. Track and monitor all access to network resources and cardholder data

For POS terminals, this means that every employee that handles transactions must log in securely with their unique credentials.

This provides an audit trail should there be any compromise or data breach. Furthermore, these login records must be kept for one year. The reason is that many intrusions or data breaches are not immediately detected, so at least a year of logs is needed to provide sufficient history when analyzing the login details.

Besides just employee log details when at the POS terminal, all system access that involves customer data needs to be logged as well. Most networking environments will have system information and environment monitoring (SIEM) tools. Make sure these are set to store the logs for the appropriate length of time.
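
As an added example (not part of the original article), the following sketch checks an audit trail against two points made in rules 8 and 10: that retained logs reach back at least one year, and that no user ID is active on two terminals at once, which suggests a shared login. The log line format, field names and function names are assumptions, and the sample entries are constructed.

```python
from datetime import datetime, timedelta

def parse(lines):
    """Parse 'ISO-timestamp key=value ...' lines into sorted tuples."""
    entries = []
    for line in lines:
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        entries.append((datetime.fromisoformat(ts),
                        kv["terminal"], kv["user"], kv["event"]))
    return sorted(entries)

def covers_one_year(entries, now):
    """True if the oldest retained entry is at least 365 days old."""
    return bool(entries) and now - entries[0][0] >= timedelta(days=365)

def shared_logins(entries):
    """User IDs with open sessions on two terminals at the same time."""
    active = {}          # user -> set of terminals with an open session
    flagged = set()
    for _ts, terminal, user, event in entries:
        sessions = active.setdefault(user, set())
        if event == "login":
            sessions.add(terminal)
            if len(sessions) > 1:
                flagged.add(user)
        elif event == "logout":
            sessions.discard(terminal)
    return sorted(flagged)

# Constructed sample log lines (hypothetical format).
SAMPLE_LOG = [
    "2023-01-05T09:00:00 terminal=POS1 user=alice event=login",
    "2023-01-05T17:00:00 terminal=POS1 user=alice event=logout",
    "2024-02-10T09:00:00 terminal=POS1 user=cashier event=login",
    "2024-02-10T09:05:00 terminal=POS2 user=cashier event=login",
    "2024-02-10T12:00:00 terminal=POS3 user=bob event=login",
    "2024-02-10T12:30:00 terminal=POS3 user=bob event=logout",
]

if __name__ == "__main__":
    entries = parse(SAMPLE_LOG)
    print("one year retained:", covers_one_year(entries, datetime(2024, 2, 11)))
    print("possible shared logins:", shared_logins(entries))
```

A business that has been logging for less than a year will fail the retention check by design, so compare the result against the date logging began.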

11. Regularly test security systems and processes

If you make any changes or upgrades to your POS hardware, you need to test your overall security and make sure that no vulnerabilities have been opened due to the changes.

When installing new devices, there may be default settings that facilitate installation but are not secure. So always check your entire POS environment and network after any change or upgrade.

Beyond your POS terminal, you also need to extend this regular testing to your entire network. This means setting up protocols for external vulnerability scanning for openings that may be exploited.

12. Maintain a policy that addresses information security for all personnel

Every employee needs to understand the importance of data security and PCI DSS compliance. This means you will want to document your security protocols and procedures and make sure that employees not only have access to these documents but are trained on them specifically.

There should be a dedicated point of contact who is responsible for security so that personnel know who to contact should there be any questions or issues about policies.

These policies should also include an annual risk assessment as well as incident management reports should a breach occur.


ASV Scans

Merchants are required to have a PCI-approved vendor perform an ASV scan to detect any network vulnerabilities and make sure the merchant is complying with various DSS standards.
This testing ensures no outside threats can gain access to network resources or card data.

If you need assistance with finding an approved scan solution for your network, contact our payment processor, ECS Payments.

Additional Rules And Security Advice For POS Terminals

POS hardware and terminals have become a target for cybercriminals. These criminals often use very sophisticated attacks which are constantly evolving. So merchants need to be vigilant to maintain security.

While the following rules may not be explicitly outlined by card issuers, they are considered best practices to ensure the security and integrity of your POS hardware.

Inspect POS hardware daily

Make sure to inspect your POS terminals daily for signs of tampering. Signs of tampering may include broken seals, missing screws, or altered cabling or cases. If any tampering is detected, do not use that terminal and alert whoever is in charge of security.

Do not leave POS hardware unattended

Tampering can take place in just a few seconds, so make sure not to leave any POS terminals unattended. When employees leave the terminal, make sure they log out so that it cannot be accessed while they are away.

Cameras

Use security cameras around POS terminals to detect any tampering or issues. However, these cameras must be set up in a way that does not allow them to capture customer PINs.

Update All Software

Your POS terminals may include software not supplied by your payment processor. Ensure this additional software is always up to date with the latest security patches that are available via the vendor. If they have an option for automatic updates, make sure to use this.

This includes any Windows or Mac computers and their operating systems. If any computers or operating systems in use are no longer being supported by the vendor, replace them.

Train employees on what to look for

All employees should understand the importance of data security as well as have access to your security documentation. Train your employees on what to be aware of and have a dedicated point of contact should they notice any possible issues that could lead to a security breach.


PCI Compliance Requirement Help For Merchants With POS Terminals

If you have any questions about your POS terminals and whether or not your system is following the PCI compliance requirements properly, contact ECS Payment Systems.

Our staff is trained in all PCI compliance requirements and we can answer your questions and help to ensure your customer data is secure and compliant with all card issuer guidelines.
