Our previous article, Making sense of PCI DSS for online stores, introduces us to the 12 PCI DSS requirements and aligned them to their respective 6 objectives. While we focused predominantly on online stores, the PCI DSS standards apply to all businesses involved in the collection, storage and processing of credit card information, including the company selling the goods / services.
Whether its your favorite food truck vendor, automotive detailer or favorite online market place. PCI DSS standards do not discriminate, and “I don’t know” will not help post-compromise.
The Payment Processing World
Here is a high-level view of what payment ecosystems look like in the 21st century (source: business insider):
Every business that is part of the payment processing supply chain fits somewhere into the matrix, and must be familiar where their respective scope and responsibility as it pertains to PCI compliance.
The cardholder data environment (CDE) is comprised of people, processes, and technologies that store, process or transmit cardholder data or sensitive authentication data.”PCI DSS v 3.2.1
Remember, PCI is wholly focused on protecting the entire payment card processing supply chain, and the business providing the service and good is a critical piece of that puzzle.
Your Organization Type Defines Your Responsibility
So you want to accept payment from customers, but what / who is involved in that process? More specifically, who does what?
The following table below provides a simplified explanation of four key organization types every business should be familiar with if they want to accept customer payments:
|Merchant||A merchant is any type of business who sells goods or services. Credit cards are the most common payment method used for these transactions.|
|Payment Processor||Manages the credit card transaction process. Processors can authorize transaction and works on merchants getting paid on time by facilitate transfer of funds.|
|Acquirer||This is the financial institution that maintains a merchant’s account in order to accept credit cards. Sometimes the payment processor and the acquirer are the same.|
|Issuer||This is the cardholder’s bank, responsible for paying the acquirer for approved card transactions and collecting payment from cardholders. he issuer, also known as the account issuer, or issuing bank, is the bank or financial institution who offers the credit or debit card to the consumer. They underwrite the cardholder, set the credit limit, and issue the card agreements.|
It’s important to differentiate between the four key categories of the payment supply chain so that you can understand where you organization fits. Knowing where your organization fits will help reduce the scope of responsibility for your organization.
The key to successfully complying with the PCI standards is to clearly define your scope, failure to do so can leave you extremely exposed. If you are a merchant, this means that as an organization you don’t want to overlap with any of the other key categories. You do this by deferring the risk associated with the collection, storage and processing of any card data.
You reduce scope by identifying where and how data with card holder information flows through your network and systems. In an ideal world you DO NOT want any card holder information to flow through your network and system. This ensures your scope is as minimal as possible. Ways to ensure you do this is by NOT collecting payment information via emails, phones, chats or any other communication medium like tickets and solely using the payment pages and API’s provided by your processors for all payment collections.
Regardless of the type of organization, PCI DSS applies to you if you accept credit card payments.
Tips to Help Consumers and Businesses Reduce Scope and Risk
Trying to make sense of some of this can be tough, to help we share a table of real-world examples that can be treated as triggers for both consumers and businesses alike.
Consumers can use them to asses their own risk (e.g., Do I want to share my data with this merchant?) and businesses can use them to understand how “scope” works with compliance.
|Physical Payment Form||If an organization asks you to fill out a PDF with your credit card information, scan and return it, it’s highly unlikely they are not PCI compliant. As a consumer, be very careful using this method. As a business consider updating your processes so that you can use payment collection forms provided by your processor.|
|No HTTPS||HTTPS is synonymous with online websites these days, while it doesn’t secure the website, it does secure data in transit. If an organization is asking you for payment information via a form that does not have HTTPS they are not PCI compliant. This means they are not taking care of your data as it transfers from your browser to their servers. Businesses that choose to collect this data need to ensure it’s transferred securely, HTTPS facilitates this.|
|Requesting Card Information via Communication Mediums||In 9 out of 10 instances, an organization that is requesting credit card information via one of many communication mediums (e.g., email, chat, phone, text, slack) are not PCI compliant. Many organizations don’t realize that the minute they do this they immediately expand their scope and now introduce a requirement to document and implement controls to secure those platforms (that rarely happens). As a business, do everything you can to train your team not to leverage any medium outside of the payment pages to collect information. This includes phone calls and virtual terminals, the minute you collect information via a sales call, or support engagement, it immediately broadens the scope to the phone service and the machines collecting the data.|
If you have any questions, feel free to let us know at firstname.lastname@example.org.