
Payday PCI Blog

How is your payments security looking these days? If your answer is “not great”, embrace these strategies.

The Payment Card Industry (PCI) compliance protocol is now 14 years old, and with the expansion of corporate (and individual) payment options over the past decade, companies would do well to measure how well their payment operations comply with it.

If that evaluation finds your PCI compliance is lacking, it is also high time you took the steps needed to make your payments operation 100% compliant.

Here's a checklist to ensure your payments system is compliant and fully adheres to PCI regulatory requirements.

PCI compliance explained. Basically, PCI compliance means meeting the regulatory mandates laid out by the PCI’s Security Standards Council. 

That council is composed of representatives from top-tier credit card firms, including Visa, MasterCard, Discover, American Express, and JCB International. Each company has a say in enforcing the PCI Data Security Standards. If you’re not PCI DSS compliant, then your company isn’t payment compliant.

The cost of PCI non-compliance. If you're not handling company payments (i.e., credit cards, debit cards, ACH payments, and other electronic payments) properly, you're risking big fines.

For example, if your firm isn't PCI compliant and you suffer a data breach or other system security breakdown, non-compliance penalties can run up to $500,000. In addition, non-compliant companies risk having their merchant accounts suspended, which means your company can't accept credit card payments. Under the Visa/Mastercard Terminated Merchant File rules, it may take years to have your merchant accounts up and running again. For most companies, that's enough to put them out of business.

PCI Compliance Structure. Overall, PCI payments compliance is organized into four merchant levels, numbered one through four.

Level 1. This level is dedicated to larger corporations that handle heavy payment loads (a minimum of six million payments annually). Level 1 includes big-box retailers that deal with heavy consumer payment volumes, each of which has to pass a quarterly PCI compliance audit.

Level 2. Level 2 companies handle between one million and six million payment transactions annually. Aside from quarterly audits, a Level 2 company may also be required to conduct a payment security risk assessment once a year.

Level 3. Level 3 companies handle between 20,000 and one million payment transactions annually. This level also requires quarterly PCI audits and mandates an annual risk assessment using the PCI Self-Assessment Questionnaire (SAQ).

Level 4. Level 4 companies are at the smaller end of the scale, payment compliance-wise. The level is designated for companies that handle under 20,000 ecommerce transactions and fewer than one million additional transactions annually. A Level 4 company must also complete an annual PCI SAQ evaluation and may also have to undergo a quarterly compliance audit.

Three Ways to Improve PCI Compliance

With awareness of the payment compliance responsibilities and what’s at stake on the PCI regulatory front, here are several action steps that, when taken, can improve your company’s payment compliance efforts.

Study the actual standards used by regulators. The PCI Security Standards Council offers companies a thorough list of security standards (find the list here).

On the list, each general compliance requirement is paired with the specific actions needed to clear that compliance hurdle.

For instance, the standards list includes the following general compliance requirement along with the steps for complying with it.

General compliance requirement: Build and Maintain a Secure Network and Systems.

Actions to fulfill the requirement:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Don't use vendor-supplied defaults for system passwords and other security parameters.

The PCI Security Standards Council list also includes sections on protecting cardholder data, maintaining a vulnerability management program, and implementing strong access control measures, among other compliance items.

Reduce your payment compliance scope. Proceeding on a successful payment compliance path means knowing the lay of the land. After all, compliance officers won't secure payments if they aren't aware of where the biggest vulnerabilities lie.

That’s why it’s imperative that compliance officers know what consumer data their company holds, how and where that data is stored, and which company personnel, consultants and business partners have access to that data. Additionally, it’s a good idea to separate your company’s cardholder data environment from the rest of your payment network. That aids in curbing compliance scope and reduces your vulnerable target areas.

Make payment compliance a regular issue. Proper payment compliance needs to be a regular business activity.

Yes, the PCI compliance structure only calls for quarterly or annual PCI external testing. Yet to clear those testing and auditing hurdles, companies should make specific actions a regular occurrence. Those actions should include:

— Self-testing, self-auditing, and compiling a thorough history of data user lists.

— Applying and monitoring the use of robust passwords, data encryption, and system security policies.

— Training employees on potential cybersecurity threats.

— Regularly assessing your company's internal payment security risks.

— Eliminating all unnecessary payment data to protect against potential data breaches.

All of the above should be spokes in an ever-rolling wheel of payment compliance processes. Ideally, team members will come to accept it as part of their daily employment responsibilities.

That not only makes for a stronger PCI payments compliance structure, it also contributes to a more trustworthy experience for your customers over the long haul.
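Two of the checklist items above, eliminating unnecessary payment data and regular self-testing, come down to finding out where full card numbers are leaking (application logs are a common place) and masking them so those systems fall out of scope. The script below is an added example, not code from the original post: it scans constructed log lines for candidate PANs, keeps only Luhn-valid ones, and masks them to first six and last four digits, the most PCI DSS allows to be displayed. The sample card numbers are the public test PANs 4111111111111111, 5555555555554444 and 378282246310005, not real cards.

```python
import re

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run (those are not card numbers).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Mod-10 (Luhn) check that every issued card number passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep at most the first six and last four digits (PCI DSS PAN masking)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_line(line):
    """Return (line with Luhn-valid PANs masked, number of PANs masked)."""
    found = 0

    def replace(match):
        nonlocal found
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):  # order numbers, timestamps, etc. stay
            return match.group(0)
        found += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(replace, line), found


def redact_lines(lines):
    """Redact a batch of lines; a non-zero count means the log was in scope."""
    cleaned, total = [], 0
    for line in lines:
        out, n = redact_line(line)
        cleaned.append(out)
        total += n
    return cleaned, total


# Constructed sample log lines (test PANs only, no real cardholder data).
SAMPLE_LOG = [
    "2024-03-01 10:02:11 order=1234567890123456 card=4111-1111-1111-1111 ok",
    "2024-03-01 10:02:12 refund card=5555 5555 5555 4444 amount=19.99",
    "2024-03-01 10:02:13 amex=378282246310005 phone=555-0100",
    "2024-03-01 10:02:14 healthcheck ok",
]

if __name__ == "__main__":
    cleaned, total = redact_lines(SAMPLE_LOG)
    print("\n".join(cleaned))
    print(f"{total} PAN(s) masked; this log was in PCI scope")
```

Run it over a copy of real application logs on a schedule; any non-zero count is a finding to fix at the source, not just in the log file.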
