A Guide To PCI Compliance

Payment card industry (PCI) compliance refers to the technical and operation standards that businesses follow to secure and protect credit card data provided and transmitted through card processing transactions. PCI gives merchants the chance to identify and address payment card threats and vulnerabilities that could lead to a breach. It holds merchants accountable for securing their business environment and policies that lead to a data breach. 

PCI Compliance- 12 over-Arching Requirements

While PCI compliance levels vary, it is mandatory for any business that accepts credit cards. There are 12 over-arching requirements for PCI compliance: 

1. Install and maintain a firewall to protect cardholder data. 
2. Develop and maintain secure systems and applications. 
3. Regularly test security systems and processes. 
4. Encrypt transmissions of cardholder data across open, public networks. 
5. Protect stored cardholder data. 
6. Do not use vendor-supplied default system passwords. 
7. Assign a unique ID to each person with computer access. 
8. Restrict access to cardholder data by business need to know. 
9. Use and regularly update anti-virus software.
10. Track and monitor all access to network resources and cardholder data. 
11. Restrict physical access to cardholder data. 
12. Maintain a policy that addresses information security for all personnel. 

If a breach occurs and it is determined that the business was not compliant at that moment, it will face fines and fees as well as reputational damage.

PCI Compliance Levels

Level One Merchants

Level one merchants process over 6 million card transactions annually through all channels (card present, not present, eCommerce). Merchants who are considered level one must do the following: 

1. Complete an annual Report on Compliance (ROC) through a Qualified Security Assessor (QSA) 
2. Complete quarterly network scans by an Approved Scanning Vendor (ASV) 
3. Complete the Attestation of Compliance Form

GoTab is proud to announce that we are Level One Merchants in the PCI Compliance level.

Level Two Merchants

Level two merchants process 1 to 6 million card transactions annually through all channels. Merchants who are considered level two must: 

1. Complete an Annual Self-Assessment Questionnaire (SAQ) 
2. Complete a quarterly network scan by ASV
3. Complete the Attestation of Compliance Form 

Level Three Merchants

Level three merchants process 20,000 to 1 million card transactions annually exclusively via eCommerce. Merchants who are considered level three must do the following: 

1. Complete an annual SAQ
2. Complete a quarterly network scan by an ASV
3. Complete the attestation of compliance form

Level Four Merchants

Level four merchants process up to 1 million card transactions annually through all channels, and do not process more than 20,000 card transactions via eCommerce. Merchants who are level four must: 

1. Complete an annual SAQ
2. Complete a quarterly network scan by an ASV
3. Complete the Attestation of Compliance form. 

EMV Liability Shift

EMV stands for Europay, Mastercard, and Visa- the three companies that helped create the technology standard. EMV technology is an important tool for merchants to fight against fraud chargebacks. 

So what are EMV Chips, and how do they work? They are microchips embedded into a payment card that allows payments to be made more securely than the traditional magnetic stripe. The data on EMV chips is encrypted, therefore making it more difficult to clone. Unlike the old fashioned magnetic stripe with its easily readable card information, an EMV chip contains a secure algorithm that generates a new authentication code for each transaction. This code is sent to the issuing bank for confirmation before the transaction can be processed. 

The EMV liability shift was a change in the rules that made merchants without EMV-compatible payment terminals liable for the cost of any claims of fraud made against those transactions. Under the new rules, if the counterfeit or stolen card has an EMV chip and the merchant doesn't scan it, the acquiring bank will be held liable for the fraud instead of the issuing bank.  The acquiring bank will then pass the cost onto the merchant as part of their agreement. Merchants therefore have a financial incentive to upgrade their payment terminals.

Who Is Liable

When a merchant accepts a magnetic strip card that was counterfeited with track data copied from an EMV chip card, and the card is swiped at a POS device that is not EMV chip-enabled and the transaction is processed, the merchant may be liable for the chargeback resulting from the fraud. This only pertains to transactions where the magnetic stripe was read, and does not apply to contactless transactions. 

There is no liability shift for fallback transactions, they are a result of the chip on the card not being read and the authorization message does not contain chip data. Fallback transactions are therefore considered magnetic stripe transactions and liability remains with the card issuer. 

The ability to accept card payments is a privilege. Achieving and maintaining PCI compliance while having a POS terminal that has chip-reading capabilities is the best way to protect your business and your right to accept credit cards.