The Need to Secure Payments Grows with Technology Improvements
The need for PCI compliant payment solutions should be a priority for any vendor, retailer or organization that takes card payments. From the largest corporate retailers to the local eatery down the street, every merchant that accepts credit card payments — both online and offline — is required to comply with PCI Data Security Standard (DSS) requirements.
The PCI DDS is a set of general practices and guidelines set forth by the PCI Security Standards Council (PCI SSC), a non-profit organization that ensures cardholder information (card number, name, expiration date, CVV number) is transmitted, stored and handled securely. PCI SSC sets out the technical and operational requirements for any vendor or merchant that accepts or processes payment transactions, as well as manufacturers and developers involved in the production of devices or applications that are used in these transactions.
How your business proves PCI compliance will depend on how many transactions you process each year, and whether you’re a merchant or service provider.
Merchant Levels
- Level 1: 6 million+ transactions per year; validated by annual audit, plus quarterly scans and penetration tests
- Level 2: 1 to 6 million transactions per year; validated by annual self-attest, plus quarterly scans and penetration tests
- Level 3: 20,000 to 1 million transactions per year; validated by annual self-attest, plus quarterly scans and penetration tests
- Level 4: Less than 20,000 transactions per year; validated by annual self-attest, plus quarterly scans and penetration tests
Service Provider Levels
- Level 1: More than 300,000 transactions per year; validated by annual audit, plus quarterly scans and penetration tests
- Level 2: Less than 300,000 transactions per year; validated by annual self-attest, plus quarterly scans and penetration tests
Annual audits are more involved and complicated than self-assessments. As a general rule, the more cardholder data you have, the more work you’ll have to do in order to properly secure it. However, by incorporating validated end-to-end PCI compliant payment solutions, you’ll be able to streamline your list of requirements to adhere to PCI DDS.
The Gold Standard in PCI Compliant Payment Solutions
Point-to-point encryption (P2PE) and tokenization have emerged as two payment security options that help keep credit card information secure and limit how much data is exposed to the merchant. Let’s define what each means and how adapting them can help alleviate some of the pressures facing merchants especially.
P2PE
This encrypts (protects) payment card data at the point of interaction (POI) device, such as when you slot your EMV chip-enabled card into a reader as the register, until it reaches the secure endpoint where it is processed for payment and validation is returned to the merchant (i.e. payment approved). Encryption converts the card data into an unintelligible form — anyone who intercepts the data after the encryption shouldn’t have the means to revert the data back to its original form.
PCI-approved P2PE solutions have been independently assessed against the PCI Point-to-Point Encryption Solution Requirements and Testing Procedures (the P2PE Standard). An approved solution includes not just the point-to-point encryption, but also validated hardware, software and solution provider environment and processes. Validation is done by a PCI-qualified P2PE assessor.
The PCI SSC also publishes lists of approved P2PE Applications and Components. These may be used as parts of a validated P2PE Solution. If your business is using only a P2PE Application or a P2PE Component listed by the PCI SSC, that does not mean you are using a validated P2PE Solution.
Tokenization
Tokenization secures transactions by replacing payment information with unique identification symbols that retain all the essential information about the data without compromising its security. These tokens allow businesses to provision customer accounts, set up scheduled payments, and manage payment settings without handling sensitive cardholder information each time.
Visual of tokenization process
Tokens use a public and private key to work. The public key allows for token creation, while the private key allows the merchant to issue single or recurring payments. This form of payment security helps ensure cardholder data is stored securely and reduces the amount of times payment information is transmitted over the Internet.
Tokenization is gaining in popularity. The use of digital wallets and QR codes are just two examples of the technology in action that are gaining traction. Also, you can set up tokens in a variety of ways: You could have a token set up from your smartphone, a smart watch or even your car that can then provide payments to one specific vendor or several.
Why Should I Use PCI Compliant Payment Solutions?
When correctly implemented, using a PCI SSC listed P2PE solution — installed in the PCI manner, adhering to the PCI manual and vetted by a PCI approved auditor — offers several benefits:
- Lowers the risk of payment card data loss: Data is encrypted at the POI and cannot be decrypted in your environment
- Reduces the extent of your PCI DSS assessment scope: You can consider any connected point-of-sale system, your network and other components/devices sharing that network to be out of scope
- Simplifies PCI DSS compliance: Fewer applicable PCI DSS requirements, simplified compliance assessment, and a potential reduction in the cost of maintaining compliance.
Consequences of Forgoing PCI Compliant Payment Solutions
For many retailers, the effort to continue to deploy PCI compliant payment solutions are hampered by budget constraints, constantly evolving payment technology — and over the last two years, the worldwide pandemic. Merchants are asked to process card payments in more ways — in store and online — and must still be able to secure that data and meet PCI requirements. Many have to do all of that with potentially less funding because of the economic downturn hoisted upon everyone from COVID-related issues.
But failing to meet PCI compliance also comes with steep costs. For example, one major U.S. retailer exposed the payment data of 70 million customers.
Top retail data breaches
What Happens If I Fail to Comply?
In the event of a data breach, the damage done due to a non-compliant payment system can be significant.
-
Fines: After a breach, non-compliant websites can be forced to pay hefty fines by regulators
-
Suspension of credit cards: If you experience a data breach, PCI regulators can revoke your ability to accept credit card payments
-
Mandatory forensic examination: You may be required to undergo an expensive and time-consuming forensic examination with an approved PCI Forensic Investigator (FSI)
-
Liability for charges of fraud: It’s possible that you will be liable in a fraud lawsuit if your customers’ sensitive data has been stolen
-
Credit card replacement costs: The cost of reissuing credit cards (including shipping, communication, and activation) may be passed onto you by card issuers
-
Notification and credit monitoring: You may be required to inform all customers of a security breach, as well as provide affected customers with credit monitoring services
-
Reassessment for PCI compliance: Finally, you may need to undergo a complete PCI reassessment to regain the ability to accept credit cards
TRG Delivers Payment Security Solutions
At TRG, we’re committed to ‘Making Technology Simple’ — specifically within enterprise mobility, point of sale and payment processing solutions. TRG’s payment security is powered by MRK Technologies, a sister company of TRG under the TruWest Companies umbrella. MRK Technologies brings decades of experience, and the people, process and procedure to deliver unparalleled results.
Our combined portfolio of experience and expertise provides us with the credentials to implement the PCI compliant payment solutions you need:
TRG also works as an extension of your team to provide a suite of solutions to monitor, advise, alert and respond to information security threats 24/7/365. With TRG, you don’t just get recommendations and security product suggestions — you get direct access to the collective expertise and experience of our seasoned information security professionals.
With the industry’s most comprehensive suite of lifecycle management services, we offer other services like our Unified Endpoint Management (UEM) Support to help you fully optimize your enterprise mobility program across a broad range of devices and operating systems. Our Onsite Services are tailored to each customer’s requirements and are backed by our expert technicians.
Connect with TRG to learn more about implementing PCI compliant payment solutions to protect cardholder data and efficiently address your compliance assessments.