The Payment Card Industry Data Security Standard (PCI DSS) specifies the minimum security requirements for software vendors, merchants, and any organization that processes or transmits credit card data. Whether you handle payments directly or use a third-party payment processor, compliance is mandatory; otherwise you can be barred from accepting cards or charged monthly fines. To accept credit card payments you need PCI compliant hosting and must meet the other PCI requirements discussed in this article.
You will also learn the complete process of making online payments with credit cards, the merchant PCI DSS levels, quality assurance techniques and more.
What is PCI DSS?
PCI DSS is short for Payment Card Industry Data Security Standard, a set of security standards formed by Visa, MasterCard, JCB International, Discover Financial Services, and American Express in 2004. These standards are governed by the Payment Card Industry Security Standards Council (PCI SSC); the compliance scheme aims to prevent data breaches and to secure credit and debit card transactions.
Overview of PCI Security Standards
PCI security standards are a set of rules and guidelines for any organization that stores or processes cardholder data. The technical requirements are defined for three main sectors: software vendors/developers, device manufacturers, and acquirers (merchants or service providers). Issuers and service providers are the most exposed group when it comes to consumer data loss. It is also necessary to use PCI compliant hosting for websites that involve online payment processing.
These three security standards are related, as the following sections show:
a. PCI Data Security Standard (PCI DSS)
This is the core component, designed for vendors and merchants. It defines the controls and methods that must be in place to protect cardholder data.
b. Payment Application Data Security Standard (PA DSS)
This applies to software vendors, developers, or organizations that develop and sell payment processing software. Only secure, approved payment processing may be used in the software application.
c. Personal Identification Number (PIN) Transaction Security Requirement (PTS)
This standard is for manufacturers of the payment processing devices that businesses use at the point of sale (POS). Use only devices that comply with PTS.
What are the Merchant PCI DSS Levels?
Keep in mind that the PCI guidelines apply to all parties involved in the complete process. Merchants are divided into four PCI DSS levels based on annual transaction volume. The details vary by card brand, but the following gives an overview of the basics.
Level 1
This level is for merchants or vendors that process more than 6 million transactions per year, and for those that have experienced a cyber-attack resulting in the compromise of cardholder data. Because of their huge transaction volume, they need additional measures to safeguard their processing systems, including PCI compliant hosting to maintain the required security. Every merchant at this level must complete an annual internal audit and conduct quarterly PCI scans to assess vulnerabilities. Check the latest requirements before setting procedures.
Level 2
Merchants that process 1 to 6 million transactions per year fall into this level. They must complete an annual risk assessment using the SAQ (Self-Assessment Questionnaire) and conduct quarterly PCI scans to spot weak points.
Level 3
This category covers merchants that process 20,000 to 1 million transactions per year. They must complete an annual risk assessment using the SAQ and conduct quarterly PCI scans to fulfill the vulnerability requirements.
Level 4
This level is for merchants that process fewer than 20,000 e-commerce transactions per year, and for those that process fewer than 1 million transactions per year. They must also complete an annual risk assessment using the SAQ and conduct quarterly PCI scans to keep their compliance up to date.
Every Credit Card Transaction Involves the Following Participants
Cardholder
This is the person holding a credit card from any bank. A cardholder can be a “transactor”, who repays the full credit balance, or a “revolver”, who repays only a portion of the balance while the rest accrues interest.
Merchant
This is the online store or vendor that sells products or services to a cardholder and accepts credit card payments. The merchant requests that the issuing bank pay its charges from the cardholder’s account.
Acquiring Bank
The acquiring bank receives payment authorization requests from the merchant and sends them to the issuing bank through the proper channel. It then passes the issuing bank’s response back to the vendor or merchant.
Acquiring Processor
This is a third-party entity that provides the device used to accept credit cards, sends the credit card payment details to the Credit Card Network (CCD), and returns the response to the acquiring bank.
Credit Card Network (CCD)
CCDs operate the networks that process credit card payments all over the world and govern the interchange fees. CCDs such as Visa and MasterCard receive the credit card payment details from the acquiring processor and forward the authorization request to the issuing bank. The CCD is also responsible for sending the issuer’s response back to the acquiring processor.
Issuing Bank
This is the bank or financial institution that issued the credit card to the cardholder. It accepts or rejects each transaction request received from the CCD.
Credit Card Transaction Process
Credit card transactions are processed through a variety of platforms, including brick-and-mortar stores, e-commerce stores, wireless terminals, and phone or mobile devices. The entire cycle, from the moment you slide your card through the card reader until a receipt is produced, takes only two to three seconds. Using a brick-and-mortar purchase as a model, the process breaks down into three stages: Authorization, Authentication, and Clearing & Settlement (the clearing and settlement stages take place simultaneously).
Stage 1: Authorization
In this stage, the merchant or vendor requests payment approval from the bank that issued the credit card.
The cardholder presents the credit card to the vendor/merchant at the point of sale (POS). The merchant swipes the card through the POS terminal and the payment details are sent over the internet to the acquiring bank, which forwards them to the CCD (Credit Card Network).
The CCD clears the payment and makes a payment authorization request that includes the following:
- Credit card number
- Expiry date
- Billing address
- Card security code
- Payment amount
This stage is shown in the picture given below:
Stage 2: Authentication
Authentication is required for every online transaction and is performed by checking the credit card’s validity with fraud protection tools such as AVS (Address Verification Service), card security codes and CID.
The issuing bank receives the payment authorization request from the CCD and validates the card number, checks the account balance, verifies the billing address, and validates the CVV number. The issuing bank approves or rejects the transaction and sends its response back to the vendor/merchant through the same channels: the CCD and the acquiring bank.
Once the merchant receives the authorization, the issuing bank places a hold for the purchase amount on the cardholder’s account. The POS terminal collects all approved authorizations in a “batch” at the end of every business day. After authentication the customer receives a receipt, which completes the sale; the complete process is shown in the picture given below.
Stage 3: Clearing & Settlement
In this stage, the transaction is posted to both the merchant’s statement and the cardholder’s monthly billing statement simultaneously.
At the end of every business day, the merchant sends all approved authorizations to the acquiring bank. The acquiring processor forwards the information to the CCD for settlement, and the CCD forwards each approved transaction to the appropriate issuing bank. This process usually begins within 24 to 48 hours of the transaction. The issuing bank transfers the funds less an “interchange fee,” which it shares with the CCD, and the acquiring bank receives its percentage from the remaining funds.
The acquiring bank transfers the amount for each purchase to the merchant’s account, less a “merchant discount rate.” The transaction is then posted to the cardholder’s account, and the cardholder pays the bill within the specified period. The complete process is shown in the picture given below.
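The three stages above, as an added example that is not part of the original article: a small Python model of authorization, the end-of-day batch and settlement. The issuer record, the fee rates, the (year, month) expiry format and the order of the issuer's checks are assumptions; the acquiring bank and network are reduced to relays, and the batch keeps only a masked card number and no security code.

```python
INTERCHANGE_FEE = 0.018         # assumed rate, kept by the issuer and shared with the network
MERCHANT_DISCOUNT_RATE = 0.025  # assumed rate, retained by the acquiring bank
TODAY = (2025, 1)               # fixed (year, month) clock so the example is reproducible

# Constructed issuer record keyed by PAN (a well-known test number, not a real card).
ISSUER_ACCOUNTS = {"4111111111111111": {"expiry": (2027, 12), "zip": "90210",
                                        "cvv": "123", "balance": 500.0, "holds": 0.0}}

def luhn_ok(pan: str) -> bool:
    """Check-digit validation, part of the issuer's 'validate the card number' step."""
    digits = [int(c) for c in pan] if pan.isdigit() else []
    total = 0
    for i, d in enumerate(reversed(digits)):
        d = d * 2 if i % 2 else d
        total += d - 9 if d > 9 else d
    return 13 <= len(digits) <= 19 and total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS lets a merchant show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def issuer_authorize(req: dict, today: tuple = TODAY) -> str:
    """Stage 2: the issuing bank validates number, expiry, billing address (AVS), CVV, balance."""
    acct = ISSUER_ACCOUNTS.get(req["pan"]) if luhn_ok(req["pan"]) else None
    if acct is None:
        return "DECLINED: invalid card number"
    checks = [("card expired", req["expiry"] < today),
              ("AVS mismatch", req["billing_zip"] != acct["zip"]),
              ("security code mismatch", req["cvv"] != acct["cvv"]),
              ("insufficient funds", acct["balance"] - acct["holds"] < req["amount"])]
    for reason, failed in checks:
        if failed:
            return "DECLINED: " + reason
    acct["holds"] += req["amount"]        # hold placed on the cardholder's account
    return "APPROVED"

def merchant_authorize(req: dict, batch: list, today: tuple = TODAY) -> str:
    """Stage 1: merchant -> acquirer -> network -> issuer, reply back the same path. Approved
    items enter the day's batch with a masked PAN and no CVV (PCI DSS forbids storing it)."""
    response = issuer_authorize(req, today)   # acquirer and network only relay in this model
    if response == "APPROVED":
        batch.append({"pan": mask_pan(req["pan"]), "amount": req["amount"]})
    return response

def settle(batch: list) -> tuple:
    """Stage 3: issuer pays gross less interchange fee; acquirer pays merchant less discount rate."""
    gross = sum(item["amount"] for item in batch)
    return (round(gross, 2), round(gross * (1 - INTERCHANGE_FEE), 2),
            round(gross * (1 - MERCHANT_DISCOUNT_RATE), 2))
```

`settle` returns the gross batch total, what the acquirer receives after the interchange fee, and what the merchant receives after the discount rate.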
How can you Secure Cardholder’s Data?
The PCI Security Standards suggest two methods for fixing loopholes in the process to ensure the safety of cardholder data.
The main processes used to fix these loopholes are:
Integrate software, hardware, third-party services and PCI compliant hosting into one secure application that protects cardholder data.
Security is a vital part of any online business, so use comprehensive methods and procedures to make your system as free of vulnerabilities as possible.
It is equally important for every organization that handles online payment transactions or holds confidential data to block malware and viruses in order to prevent data breaches. Always use approved and trusted antivirus software, keep it active and up to date, and review its log files continuously.
Why PCI Compliant Hosting?
Most online businesses need to meet PCI compliance requirements but lack the experience and skills to build PCI compliant systems from scratch. They need third-party PCI compliant hosting from a hosting provider such as Temok, which has the professional team and infrastructure to achieve compliance without difficulty.
Why am I recommending a PCI compliant hosting provider? Because they take care of your server and provide network security as well as physical security. They deeply understand the importance and requirements of delivering a system that complies with PCI DSS. It is very hard for any organization to hire separate expert employees for every task associated with its servers and security.
Although PCI compliant hosting is mainly used by online stores and businesses that run online payment processing systems, it is equally useful for other types of businesses that need to protect confidential data.
PCI DSS Requirements
Maintain a Secure Network
- Install and maintain a firewall
- Change default passwords and increase password complexity
Protect cardholder data
- Protecting cardholder data must be your first priority
- Always use encrypted communications over public networks
Vulnerability Management Processes
- Install anti-virus software and keep updated on a regular basis
- Develop secure systems and applications and maintain them properly
Strong Access Control
- Restrict access to cardholder data on a need-to-know basis
- Assign a unique ID to each user with computer access
- Physical access to cardholder data must be restricted
Monitor and Test Networks
- Keep track of all access to data and network resources
- Update and test security systems on a regular basis
Information Security Policy
- Define a policy that addresses information security for employees and contractors
Implement Quality Assurance Process
Every website needs to be checked for the required functionality to give users a better experience. But for online businesses that process online payments, you can never ignore security and regulation if you want to receive card payments for the services or products you provide. Online payments made by credit card come under PCI DSS regulation; the following is a summary of the major compliance requirements:
- Build a secure network and use PCI compliant hosting
- Protect cardholders and consumers’ critical/confidential information
- Use reliable anti-virus software to reduce vulnerabilities
- Set up an access control mechanism
- Regularly monitor and test your system
- Follow a comprehensive information security policy
A POS (Point of Sale) system that does not store or hold consumer data, or a third-party payment processing system, can be used. Every business remains responsible for consumer data, and the website needs to be secured during payment processing in the following areas:
1. PCI Compliant Hosting
Every payment processing website should use SSL certificates and reliable PCI compliant hosting servers. Some organizations try to reduce expenses by using shared web hosting, but every financial institution or online payment processing website should use dedicated servers. Before choosing a hosting provider, make sure their hosting servers, shopping cart, and hosting plans meet the PCI standards.
2. Shopping Cart
You are not only protecting your clients’ data but must also protect your online business. Select reliable, reputable shopping cart software that is PA DSS compliant; it helps protect confidential data by blocking malicious attacks.
Conduct technical training for your staff and provide proper guidelines so that they help you prevent data breaches. Make sure you use a dedicated server and that all devices, wired or wireless, are connected to it. Keep your main server up to date and install reliable antivirus software and firewalls.
In short, every merchant or organization that accepts credit cards and deals with online payments should follow the PCI DSS standard. PCI compliant hosting is very expensive to build in-house, so it is a better approach to get it from a hosting provider. For more details about PCI compliant hosting, you can contact us for a free consultation.