Credit cards equals PCI.
That is about as simple as it gets. Any organization that accepts credit cards is required to be compliant with PCI DSS. The scary thing is that many companies have never heard of PCI, much less PCI DSS. The alternative is not pretty – very large fines and possibly losing the ability to take credit cards.
To give you a quick backdrop, the credit card brands (Visa, MasterCard, etc.) created the PCI Security Standards Council in an effort to reduce the risk of customer credit card information being stolen or compromised. The end result is that anyone who accepts credit cards must comply with the PCI Data Security Standard (PCI DSS). As you would expect, there are different levels of compliance based on the number of credit card transactions processed each year.
The good news is that Milo Belle is here to help small businesses and organizations navigate PCI compliance. After we determine which compliance bucket you fit in, we will deploy the appropriate plan to ensure compliance. We will worry about ASVs (Approved Scanning Vendors), QSAs (Qualified Security Assessors), and PCI DSS – you worry about managing your small business.
In a nutshell, PCI DSS compliance boils down to 12 high-level requirements. Each of the requirements (which you can find listed in our Blog section) also has an underlying set of controls and/or processes to be addressed. Those controls are not new; in fact, they are standard security measures that companies should have been following all along anyway.
To validate compliance, merchants are required to do a few things, based on the number of credit card transactions processed annually.
| Level | Merchant Definition | Requirements |
| --- | --- | --- |
| Level 1 | 6,000,000+ transactions | Annual Data Security Assessment; Quarterly Scans |
| Level 2 | 1,000,000 - 5,999,999 transactions | Annual Self-Assessment; Quarterly Scans |
| Level 3 | 20,000 - 1,000,000 e-commerce transactions | Annual Self-Assessment; Quarterly Scans |
| Level 4 | Less than 1,000,000 transactions and less than 20,000 e-commerce transactions | Annual Self-Assessment; Quarterly Scans |
PCI compliance is effective RIGHT NOW – not some time in the future. So, right now is a good time to click the red ‘Drop Us A Line’ button in the upper right. We will give you a call back and walk you through the PCI puzzle.
Ten Common Myths of PCI
(From the group that makes the rules – PCI Security Standards Council)
Myth 1 – One vendor and product will make us compliant.
That would be nice, but it is highly unlikely. The reality is that there is not a single software product that will address the 12 requirements of PCI DSS. There isn’t a silver bullet, and it will take some effort.
Myth 2 – We outsource credit card processing, so we are compliant.
Outsourcing credit card processing may allow you to rely on what your processor does for their own PCI compliance, but that will only solve a couple of pieces of the puzzle. There are other things you do (and need to start doing) before and after the credit card processor gets involved, such as protecting cardholder data when you receive it, and processing chargebacks and refunds. Not to mention that your applications and terminals need to comply with PCI standards before cardholder data is ever sent out to the processor.
Myth 3 – PCI compliance is an IT project.
No doubt there are aspects to PCI compliance that are IT driven – take your quarterly ASV scan as an example. But PCI compliance is a business-wide issue that involves most of the disciplines in your organization. There is no question that the risks of compromise can be damaging (finances as well as reputation).
Myth 4 – PCI will make us secure.
Malicious security threats are non-stop and getting stronger. PCI compliance is ‘as of’, meaning it is a snapshot of a specific moment in time. For that reason, PCI DSS was set up as a continuous process of assessment and remediation, similar to most government regulation enforced by the SEC.
Myth 5 – PCI is unreasonable; it requires too much.
Most of PCI DSS is standard security best practice, and it does allow the use of alternative controls that are outside of the standard. One thing the standard does, which scares people who are not familiar with compliance processes, is to give a great level of detail and information about what is expected. The result is what looks like too much, but, as a firm that has done years of work with government regulation compliance – where almost no guidance is given – trust us, this way is much easier.
Myth 6 – PCI requires us to hire a QSA (Qualified Security Assessor).
Most large merchants, especially those with complex IT environments, will need a QSA. However, mid-sized and smaller merchants can utilize a self-certification process, and thus don’t need a QSA.
Myth 7 – We don’t take enough credit cards to be compliant.
PCI compliance is required for any business that accepts payment cards – even if the quantity of the transactions is just one.
Myth 8 – We completed an SAQ, so we are PCI compliant.
Well, yes and no. The SAQ (Self-Assessment Questionnaire), combined with the security scan, usually means compliance ‘as of’ that date. However, any change within the system can change your compliance status, thus the need for constant assessment.
Myth 9 – PCI makes us store cardholder data.
Actually, that is the opposite of what PCI looks for. In fact, storing cardholder data – whether by design or by accident – is not allowed. If it is necessary, there is a separate set of rules you must follow to make sure the data is safe.
Myth 10 – PCI is too hard.
Understanding and implementing the 12 PCI DSS requirements seems daunting – especially to smaller companies. Keep in mind that these are basic security measures, and not punishing rules. Also, keep in mind when it comes to cost that PCI noncompliance can be vastly more expensive than compliance.