PCI DSS compliance seems like a lot of work. Is it necessary? I have a small merchant operation.
If you store, process, or transmit credit card data you must be compliant with the PCI DSS. The entire PCI DSS is mandatory, regardless of merchant size, transaction volume, or sales volume. When compared with larger merchants, small merchants often have simpler environments, with limited amounts of cardholder data and fewer systems that need protecting, which can help reduce their PCI DSS compliance effort.
How does the credit card data flow process work?
When a buyer makes a payment, a payment gateway will manage the complex routing of the cardholder data via a secure connection to the processor. The processor submits the transaction to the credit card network (VISA, MasterCard, AMEX). The credit card network routes the transaction to the bank that issued the credit card to the customer for an approval or decline decision. This decision is communicated back through the same channels – first to the processor, then to the payment gateway which stores the transaction results for the customer and merchant to view. The card is charged and the buyer’s bank deposits the funds into the seller’s bank within 3 business days.
What are data thieves after?
The object of desire is cardholder data. By obtaining the Primary Account Number (PAN) and sensitive authentication data, a thief can impersonate the cardholder, use the card, and steal the cardholder’s identity.
Sensitive cardholder data can be stolen from many places:
- Compromised card reader
- Paper stored in a filing cabinet
- Data in a payment system database
- Hidden camera recording entry of authentication data
- Secret tap into your store’s wireless or wired network
Everything at the end of a red arrow is sensitive cardholder data. Anything on the back side and CID must never be stored. Everything else you store must be for a good business reason, and that data must be protected.
What is Point-to-Point Encryption (P2PE) and how can I implement this in my merchant environment?
A point-to-point encryption (P2PE) solution cryptographically protects account data from the point where a merchant accepts the payment card to the secure point of decryption. By using P2PE, account data (cardholder data and sensitive authentication data) is unreadable until it reaches the secure decryption environment, which makes it less valuable if the data is stolen in a breach. Merchants using PCI-listed P2PE solutions also have fewer applicable PCI Data Security Standard (PCI DSS) requirements, which helps simplify compliance efforts.
