Global Electronic Payments Security Standards
Protecting your data is of utmost importance to us. We hope to make your onboarding process as seamless as possible so that you can quickly and confidently get back to business.
Understanding PCI DSS
PCI DSS, the Payment Card Industry Data Security Standard, is the industry standard for the security policies, technologies and ongoing processes that protect merchant payment systems against breaches and theft of cardholder data. Before 2004, each major card brand (Visa, MasterCard, Discover and American Express) ran its own programme for protecting cardholder data and preventing fraud. The brands eventually merged these programmes into a single industry-wide standard, now known as PCI DSS.
The Clover Security Advantage
PCI compliance is assessed in two ways: Self-Assessment Questionnaires (SAQs) for most merchants, and formal audits (an on-site assessment by a Qualified Security Assessor, producing a Report on Compliance) for the largest merchants. In either case there are a number of requirements your business must satisfy. We have partnered with Clover Security to help our clients simplify the process.
As a new Clarien Payment Services client, you will automatically receive an email from Clover to walk you through the PCI DSS requirements and process.
The Clover team will help determine which self-assessments are required in order to help you across the PCI DSS finish line.
Frequently Asked Questions
The acronym stands for Payment Card Industry Data Security Standard. These are standards for security policies, technologies and ongoing processes that protect the payment systems of our merchant clients from any breaches or theft of cardholder data.
These standards are overseen by the PCI Security Standards Council, a global organization that maintains, evolves and promotes Payment Card Industry standards for the safety of cardholder data across the globe; its work touches hundreds of millions of cardholders worldwide. The Council was founded in 2006 by American Express, Discover, JCB International, Mastercard and Visa Inc., which share equally in the ownership, governance and execution of the Council's work.
The Council serves anyone who works with or is associated with payment cards: merchants of all sizes, financial institutions, point-of-sale vendors, and the hardware and software developers who create and operate the global infrastructure for processing payments.
There are two priorities for the PCI Security Standards Council’s work:
- Helping merchants and financial institutions understand and implement standards for security policies, technologies and ongoing processes that protect their payment systems from breaches and theft of cardholder data.
- Helping vendors understand and implement standards for creating secure payment solutions.
There are 12 basic requirements every business needs to meet. For more information on those, please see our Onboarding Guide.
Becoming (and remaining) PCI compliant carries a range of costs. What you can expect to pay depends on your merchant level, which is dependent on variables such as:
- The size, location, and nature of your organization
- The number of card-based transactions you process annually
- How you capture and process card-based payments (i.e., in-person or online)
There may be additional costs for employee training, which is voluntary for smaller organizations but often required for larger ones. Replacing magstripe-only POS terminals with more secure EMV-enabled readers also carries expenses. The same is true for eCommerce merchants who protect their visitors by serving their sites over TLS with a valid certificate (note that SSL and early TLS versions are no longer acceptable under PCI DSS, so the web server must be configured for current TLS, not just issued a certificate). Finally, there are direct PCI compliance fees, normally calculated and charged by your payment processor.
These variables make it difficult to provide an exact “cost” for PCI compliance. However, smaller organizations can expect to pay $300 to $500 annually to become and remain compliant. By contrast, a multinational enterprise might need to spend $70,000 to $100,000 a year to remain in good standing.
- Your business will be regularly assessed against these security guidelines, so it’s best to understand how it can impact your day-to-day tasks and responsibilities.
- If your point-of-sale (POS) device is more than a few years old, chances are it no longer meets current security standards and is not protecting you against present-day threats.
- One way to simplify your security is to start with a modern POS, specifically one that is PCI PTS (Payment Card Industry PIN Transaction Security) certified. Think of PTS certification as PCI compliance for the payment terminal itself: the device is tested by a PCI-recognized laboratory and approved by the Council against requirements for tamper resistance and for protecting the PIN and card data it handles. POS providers like our partner Clover submit their terminals for this testing and approval, so that a third party cannot extract cardholder or PIN data from the device.
- All Clover point-of-sale devices are PTS certified, taking much of the burden of PCI compliance off busy merchants. Closely related, though defined by a separate PCI standard, is point-to-point encryption (P2PE), in which card data is encrypted inside the approved terminal and can only be decrypted by the solution provider, so it never appears in the clear on the merchant's own systems. Having built-in P2PE, as merchants with current Clover POS systems do, makes certifying PCI compliance much easier, because systems that never handle cleartext card data fall outside the scope of most requirements.
- PCI compliance is assessed in two ways:
Self-Assessment Questionnaires (SAQs); and
formal audits (an on-site assessment by a Qualified Security Assessor, required for the largest merchants).
- Generally, businesses are required to submit an SAQ annually and, for most SAQ types, to pass quarterly external vulnerability scans performed by a PCI Approved Scanning Vendor (ASV).
- Answering a questionnaire once a year may not sound complicated, but how you accept card payments (in person, online, by phone) dictates which of the 8 different SAQs you will have to complete, while your annual transaction volume determines your merchant level and whether an SAQ is sufficient at all.
What might initially seem like a simple checklist of requirements can balloon into over 200 questions examining your networks, login systems and data storage.
- Self-Assessment Questionnaire questions are difficult and often time-consuming to address. If you choose to work with a Clover POS system, most of them no longer apply to you, because your systems are removed from the scope of those requirements.
- The hardware Clover builds for its P2PE solution includes multiple CPUs that isolate payment data, so that even malware introduced into the system cannot reach it. Strong encryption protects customer card data from the moment the card is read by the terminal until it is decrypted at the payment processor, so it is never exposed in the clear on your network.
- With this level of security built in, the PCI questionnaire that merchants must complete shrinks from 200-plus questions to as few as five. Clover Security also offers add-ons that give you access to a team of people who will help you across the finish line to PCI compliance.
- Yes, for most SAQ types you will also have to pass four external vulnerability scans each year (one per quarter), performed by an Approved Scanning Vendor, in addition to your annual SAQ.
- If your systems are already PCI compliant, these electronic scans will be much easier to pass.
- If you use the services of Clover Security, you will get automated reminders to schedule and complete these scans, as well as a guided questionnaire for completing your SAQ. That means more time running your business and less time worrying about how to protect your payment data.
There are many ways you can end up non-compliant. Here are just a few:
- Not filling out your annual SAQ (Self-Assessment Questionnaire)
- Filling out your annual SAQ incompletely and/or inaccurately
- Failing to complete the quarterly external vulnerability scans
- Not taking recommended steps provided by PCI compliance experts
- Sharing login information or usernames among employees
- Using default passwords for any of your networks or equipment
- Using public WiFi for transactions, for example during a network outage or when working off-site
Establishing and Maintaining Compliance
The following are the 12 basic requirements every business must meet, as set out in the official PCI DSS Requirements and Security Assessment Procedures. Clover Security can assist you with any questions regarding these requirements:
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
- Requirement 3: Protect stored cardholder data.
- Requirement 4: Encrypt transmission of cardholder data across open, public networks.
- Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs.
- Requirement 6: Develop and maintain secure systems and applications.
- Requirement 7: Restrict access to cardholder data by business’ need to know.
- Requirement 8: Identify and authenticate access to system components.
- Requirement 9: Restrict physical access to cardholder data.
- Requirement 10: Track and monitor all access to network resources and cardholder data.
- Requirement 11: Regularly test security systems and processes.
- Requirement 12: Maintain a policy that addresses information security for all personnel.
We’re Here for You
We take a concierge approach to supporting your needs — please contact your Commercial Banking representative if you have questions or need additional support.
Thank you for choosing Clarien as your Payment Services partner.