We wish you an inspiring day with the OctoStrategy team. It's time to provide you with useful information on how to take your business to the next level with modern payment solutions.
Buyers of goods and services make electronic payments almost every day. The popularity of this method comes from its convenience: it is a great alternative to paper money.
There is really no need to handle cash, carry a wallet, break large bills, count change, and so on. Paying by card has many advantages, but it also brings many cybersecurity risks.
Clients want to keep their money safe and be sure that it is protected. For this reason, many payment systems, including Visa and MasterCard, have made PCI DSS compliance a mandatory requirement for merchants and service providers.
PCI DSS certification confirms that a company meets the established security requirements when dealing with online payments.
Not everyone understands how important it is to have such a certificate. The simplest example is ordinary stores with POS terminals (special devices for accepting bank card payments) installed at their checkouts.
Some supermarket chain owners are still sure that the bank installing payment terminals is responsible for payment security. But in fact it is the merchant network that is responsible for the security of transactions and customer card data.
If intruders manage to steal personal data from a client's payment card, the full responsibility lies with the store where the transaction took place.
To minimize the risk of such incidents, trustworthy payment systems cooperate only with those banks, call centers, sellers of goods and services, and payment gateways that have received a PCI DSS certificate.
PCI DSS: what is it and who needs a certificate?
PCI DSS is a general set of requirements for payment cardholder data security. Certification is required for any organization whose information systems process, transmit and store such personal data. The standard was developed by the Payment Card Industry Security Standards Council and is generally accepted.
The decision to comply with this standard must be made by the head of the organization. The standard itself has the following objectives:
- implementation of access control measures;
- preventing leakage of cardholder data;
- eliminating vulnerabilities;
- the development of a clear information security policy;
- building and maintaining a secure network;
- constant network monitoring and testing.
Obtaining this certificate is a relevant task for any company that wants to do business and accept bank card payments. This includes companies from the financial industry, online stores, call centers, retailers and, in general, all organizations that provide goods and services.
Requirements of the standard
The PCI DSS standard has twelve explicit requirements which fall into six major categories. A company that meets them receives a certificate and can safely engage in the processing, transmission and storage of cardholder data. Let's take a look at the main groups of requirements of the standard:
- Prompt closure of any vulnerabilities. Updates for the software in use must be installed in a timely manner, especially for anti-virus products.
- Corporate network protection. Before network equipment is put into use, firewalls must be configured and the vendor's default codes (passwords) must be changed immediately.
- Checking the state of the infrastructure. Regular testing is also indispensable for detecting possible vulnerabilities in the system components responsible for information security.
- Card data protection. Encryption should be implemented, and data should be transferred using the TLS 1.1 protocol or higher.
- Establishing an information security policy. Information security compliance checks must be carried out, and a procedure for responding to a system hack must be defined.
- Access control for stored data. Only a clearly defined group of employees should have access; employees without permission and outsiders should not.
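The "preventing leakage of cardholder data" and "card data protection" requirements above are often violated by application logs that record full card numbers. The following is an added example, not code from OctoStrategy or the original post: it scans constructed sample log lines for unmasked card numbers (digit runs of plausible length that pass the Luhn check) and rewrites them to the first-six/last-four masked form. The log lines and card numbers are constructed test values.

```python
import re

# Constructed sample log lines (not from the original page). The card numbers are
# well-known test values, not real accounts; "ref" is a 13-digit value that fails
# the Luhn check and must not be flagged.
SAMPLE_LOG = """\
2024-01-05T10:01:12Z INFO checkout ok order=1001 pan=4111111111111111 amount=19.99
2024-01-05T10:01:13Z INFO ref=1234567890123 status=approved
2024-01-05T10:02:40Z DEBUG raw request: {"card":"5555 5555 5555 4444","cvv":"123"}
2024-01-05T10:03:02Z INFO order=1002 pan=411111******1111 amount=5.00
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens, not embedded
# in a longer digit run. The match starts and ends on a digit so that no separator
# is swallowed when the value is rewritten.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; every real PAN passes it, so it filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _as_pan(match_text: str):
    """Return the bare digits if the matched text is a plausible PAN, else None."""
    digits = re.sub(r"[ -]", "", match_text)
    return digits if luhn_ok(digits) else None


def find_pans(text: str) -> list:
    """All unmasked PAN-looking values in the text, as bare digit strings."""
    return [d for d in (_as_pan(m.group(0)) for m in PAN_CANDIDATE.finditer(text)) if d]


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_log(text: str) -> tuple:
    """Rewrite every detected PAN to its masked form; return (new_text, count)."""
    hits = 0

    def repl(m):
        nonlocal hits
        digits = _as_pan(m.group(0))
        if digits is None:
            return m.group(0)
        hits += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(repl, text), hits
```

Running `scrub_log` over a log stream before it is written to disk keeps full PANs out of files that are outside the protected cardholder data environment; `find_pans` alone is enough for a periodic audit of existing logs.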
The process of obtaining a certificate
The methods and form of certification may vary. It is much easier for companies that conduct fewer than 20,000 transactions per year: they simply complete a self-assessment questionnaire, and on the basis of its results they receive the coveted certificate. But if the number of payments in one calendar year exceeds 20,000, you need to engage a certification organization, which performs the verification. The procedure consists of three steps:
Step 1: Theoretical part.
Auditors assess the quality and relevance of the information security policy and see how it works in practice.
Step 2: Assessment of the IT infrastructure.
At this stage, the auditors carry out a whole series of attacks on the corporate network. The main objective is to see how well the organization's firewalls, anti-virus software and other software can withstand such an attack.
Step 3: Reporting.
If the company passes the audit successfully, it receives a certificate confirming its security. If the organization does not pass the audit, the auditors not only report it, but also point out any violations that need to be corrected.
Naturally, in order to receive the certificate, the company must successfully pass all three stages. Keep in mind that if some requirements are not met and the certificate is refused, it is always possible to address the remarks received, after which the auditors will issue the certificate at once.
If serious violations are detected, all stages of verification must be passed once again. A firm can make any number of attempts; there is no limit in this respect, since the main thing is to achieve a positive result.
Is it possible to simplify the procedure of obtaining a certificate?
It should be understood that the PCI DSS certificate is not a formality, as many people think, and it cannot simply be bought like a license. However, many company owners do not want to spend time on the complex work of bringing their corporate network into compliance with all the requirements. In this case the best solution is to cooperate with a payment service provider. These are companies that act as an intermediary between a seller of goods or services (a firm or an entrepreneur) and banks. Such an intermediary is responsible for non-cash payments and data security. Accordingly, it must also hold a certificate.
Payment service providers handle all issues related to card data processing, including PCI DSS certification. Therefore, clients do not need to be involved in all of the nuances of compliance and auditing. The client's task is to choose an intermediary which guarantees the PCI DSS compliance status and regularly updates the compliance certificate.
Working with payment service providers is relevant to many small companies which do not have their own IT department.
In addition, such cooperation may help organizations which, for various reasons, cannot meet all the requirements of the standard on their own. After all, meeting the standard is not a matter of passing a single audit; the certificate must be renewed every year. That means keeping anti-virus software up to date, monitoring threats, monitoring the corporate network, and more.
Another easy way to comply with PCI DSS requirements is to use the services of OctoStrategy, which has the ability to provide any ready-made payment solutions for your business.
What happens if I don't get PCI DSS certification?
Obtaining this certificate is not a legal requirement for all organizations. But without it, providers of goods and services can cooperate only with little-known payment systems that lack proper standing in matters of security.
This policy exists to improve the security of payers and clients. Some international payment systems impose fines on organizations that are obliged to pass PCI DSS certification yearly but fail to do so. Penalties vary depending on the type of organization and the number of transactions per year.
The security of Internet payments is a serious matter, both from a commercial and a reputational point of view. Therefore, if you cannot obtain this certificate on your own, it is better to work through an intermediary in the form of a payment service provider.