Hackers are everywhere, and they’re trying day and night to steal customer credit card data. Identities and money have been stolen as a result of hacks affecting some of the world’s biggest brands, so even the big names like Target and Macy’s aren’t safe from theft (and, in fact, are attractive to thieves for being large, juicy targets). With the explosive growth of ecommerce, the cyber risk is greater than ever.
Thankfully, there is a set of security standards called PA-DSS. Short for Payment Application Data Security Standard, it was created to ensure that credit card information is transmitted and stored securely for each and every card-not-present transaction. Just as computers should have anti-virus software, every payment application should have protections in place against hackers. These protections are a key component of cyber security for modern businesses.
If you’re a business owner and you process payment cards remotely, you almost certainly need a POS system and merchant account. That means you’ll need to know a thing or two about PA-DSS. Basically, these are international security standards that every business processing credit card transactions needs to adhere to in order to protect customer data. It’s all about security and compliance: every company that handles credit card data for these transactions needs to adhere to the standards so that payment data remains safe.
With everything else you need to stay on top of as a business owner, this might sound complicated and maybe even a bit scary. But don’t worry! With this guide, you’ll be able to understand everything you need to know about what PA-DSS is, why it matters, and how to make sure your business is compliant.
PA-DSS is essentially just a set of requirements for vendors of payment applications involving credit cards. They are administered by an organization called the Payment Card Industry Security Standards Council, or PCI SSC.
Since Payment Card Industry (PCI) compliance is considered critical, any reputable payment application or POS system you buy will already have features built in that ensure compliance with the standard. However, businesses that process a certain number of transactions need to adhere to certain PCI requirements to meet the official PCI security standard themselves.
Beyond the standard itself, it is also up to you as the business owner to adhere to best practices to protect your customers’ payment card data. Your bank can be fined if you are found not to be fully PCI compliant, and it will then charge you penalties as a result. Not only can penalties for non-compliance add up fast, but they can also result in credit card processing partners deciding to avoid your business and cutting off your ability to serve customers.
Companies that develop applications that either send, process, or store cardholder data need to comply with PA-DSS standards to ensure that all payment information is kept safe at every stage of the transaction process. They are designed to protect you as the merchant as well as your customers from fraud, loss, and theft.
Aside from being legally required in some states, there are many benefits to using PA-DSS validated applications. First off, since you can be sure these applications had to go through a rigorous testing process, you know that you are getting a product that is held to the highest possible PCI DSS standards.
As a byproduct of this, more of the requirements are taken out of your hands. That frees you up to focus more on what matters: growing the business and serving your customers. You’ll have less to worry about, knowing that your payment applications are meeting PCI requirements and are fully compliant.
The process for ensuring regulatory compliance with the PA-DSS standards is quite involved, and it aims for the highest possible level of security for customers’ credit card and debit card information. These are the steps that are taken for every payment application to receive the official stamp of PCI compliance:
The first set of tests is designed to analyze the flow of credit card data, looking at all the avenues and outlets where payment data is received, how and when data is transmitted, where it goes at each step, and where it is stored.
You have to identify all systems throughout the payment process that receive cardholder data. This might include a POS system, hard drive, cloud-based network, or other system. Each of these systems needs to have ways to protect the data during travel and storage.
Only by knowing how and where cardholder data travels through your network can you know how to completely protect that data.
For this step, you need to know what sensitive card data is being stored, and where. The data has to be encrypted and every storage location needs to be secure. Once data is authorized for a payment to go through, sensitive data should not continue to be stored. The longer data sits on a server or hard drive, the more opportunities hackers will have to steal it.
This includes all of your providers. Most business owners aren’t aware which of their providers are handling credit card data, but it’s usually more than one—for example, the company that provides your payment application, your bank, and your merchant account provider might all transmit or store card data.
In order to understand your data, it needs to be properly documented. That means that anyone viewing the data can easily make sense of what it is, where it came from, and other important information.
For security reasons, it’s extremely important to be aware of what people, computer programs, apps, and other technology are involved in your data documentation process. A breach involving any of them could result in sensitive customer information being stolen.
The reporting and other DSS requirements vary depending on the size and scope of your business. Standard PCI requirements change for each business because businesses have different needs for PCI risk compliance based on their individual risk assessment.
PCI and credit card brands designate businesses as either Level 1, Level 2, Level 3, or Level 4 merchants. There are also different criteria from different credit card companies, such as Mastercard and Visa.
While Visa’s ecommerce PCI rules are similar, here’s the breakdown of each level for Mastercard:
Level 1 merchants are any that have suffered a hack or data breach that resulted in account information being stolen or compromised. Merchants that process over six million total Mastercard and Maestro transactions each year are also considered Level 1. If Mastercard, for whatever reason, deems your business to be potentially high-risk, it can also designate you as a Level 1 merchant even if you don’t meet the other criteria.
Level 1 merchants are required to have an annual on-site visit from a compliance representative known as a Qualified Security Assessor, or QSA. These merchants also need to have their networks scanned quarterly by an ASV, or Approved Scanning Vendor.
According to Mastercard’s website, Level 2 merchants are any “with more than one million but less than or equal to six million total combined Mastercard and Maestro transactions annually.”
Level 2 merchants have to complete an annual Self-Assessment Questionnaire, or PCI SAQ, and also must undergo an on-site PCI assessment at their own discretion. As with Level 1, their networks are also required to be scanned quarterly by an ASV.
To be classified as a Level 3 merchant for Mastercard, your business has to process between 20,000 and 1,000,000 e-commerce transactions per year. You also automatically become a Level 3 merchant for Mastercard if Visa’s system classifies you as one.
Level 3 merchants have compliance requirements similar to those of Level 2.
Level 4 merchants are simply those who don’t meet any of the criteria for Levels 1-3. They have the same compliance requirements as Level 2-3.
To determine your PA-DSS reporting requirements, a self-assessment questionnaire is used as a guide. The questionnaire determines what kind of business you run, and gathers details in order to determine what steps you have to take to remain PCI compliant.
For PCI compliance, documentation is extremely important. Whether it involves human hands or is done solely by an automated computer system, have a set of documentation procedures and policies in place and stick to them.
You need to use a PCI-compliant service provider to process your card-not-present transactions. So how do you know if any given company adheres to the PCI standard?
You can check if any given payment application provider is PA-DSS certified. To find out, you can visit the PCI website. There, you can check the compliance status and find a list of officially-verified PCI compliant payment applications. The list can be found at https://www.pcisecuritystandards.org/assessors_and_solutions/payment_applications?agree=true
Once you find vulnerabilities in your data transmission, storage, or reporting systems, it’s important to correct them right away. Penetration testing is an important way to find gaps in your security. By using manual methods to try and simulate a data breach, you can find weaknesses and fix them fast. These tests can be performed by a penetration testing provider.
If there is a breach, having an incident response plan in place will ensure you’re ready. This plan needs to find ways to isolate and protect customer data, and should include a protocol for how to inform customers in a transparent way the “what, why, when, and how” of the data breach. Then use the breach as a lesson, closing the gaps in your security and PCI compliance procedures that allowed the breach to happen.
Threats and vulnerabilities are a fact of doing business, and unfortunately for some merchants, it takes an actual breach to show them how to respond. By being prepared, you won’t be one of them.
To stay up-to-date, your PCI compliance program should be reviewed and maintained regularly. With the fast rate of technological change, the standards are always being updated to keep up with the development of new security, encryption, and payment systems. Security measures also need to keep up to match the development of new forms of payment, such as mobile payments.
With hackers and thieves always trying to stay one step ahead of security technology, PCI data security is key. It’s never been more important to keep your business, and your partners, PA-DSS compliant. A third-party compliance audit can help you fill in any gaps to get your business up to standard. If an audit sounds scary, trust us—it’s even scarier to have your customers’ credit card information stolen as a result of not being DSS-ready.
The PCI council makes this easier with guides, FAQs, and other resources, but it is not responsible for making sure your payment application is compliant.
That’s up to you! For that reason, you’ve got to remain vigilant and make sure that PCI compliance is a fixture of your business for card-not-present transactions. If not, a hack or data leak could become such a costly burden that it forces you to shut your doors. That’s why compliance with PCI is so important—without it, you can’t stay in business!