opinion

3 Ways to Ensure You're Compliant for the Payment Card Industry Audit

3 Ways to Ensure You're Compliant for the Payment Card Industry Audit

While the days and nights of August are hot, our IT team isn’t sweating it — at least not this month, as they’ve finished the annual Level 1 Payment Card Industry (PCI) Audit two months ahead of the deadline. The Level 1 Audit is the deepest dive that a group of outside security auditors will do on a payment system to be sure it’s secure, and it’s a very time-consuming process that occurs every August for us.

In fact, every time our team finishes one audit and we pass, I think they should get to take a break and relax. But the reality is, as soon as they finish one audit, the team already needs to look ahead to next year’s standards. As challenging as it is, the process is designed to help everyone. It’s all about the safety and security of merchants who rely on processors to have the tightest security measures in place to protect consumer data.

Having processes like end-to-end monitoring and analytics, along with metrics and logs across the full stack, are extremely helpful to get a bird’s-eye view of what’s going on in your company.

Depending on which card brands you accept, all merchants processing from one to six million payment card transactions per year and service providers processing, storing or transmitting more than 300,000 card transactions per year are required to be audited for PCI compliance. A Level 1 Audit is also required for licensing in both the U.S. and the EU.

It takes several team members to focus on an audit like this. Every year ours spends countless hours to get ready for the week-long, onsite audit, which is backed with a full stack of policies and procedures that our IT and entire organization follows. Each year, the PCI Security Standards Council establishes new objectives and standards. We’re currently following the PCI 3.2 Audit, but are already setting our sights on the upcoming 4.0 standard. This new standard is based on perceived threats and what processors need to do to avoid them.

As we began our focus on next year’s audit, we sat down with our IT Director to carve out the top three ways to stay ahead of the game for the 2021 PCI Audit, and hope it will help you narrow down what to focus on too.

Become a Cyber Security Champion

One of the most important things to work on is cyber security and protecting yourselves. You must be proactive and not reactive, especially when mitigating issues before they have an impact on a business. Think of it as a series of locked doors or barriers that you must go through to get into general systems. It takes many doors to get into our network, because like many processors, we use a content delivery network (CDN), which uses a geographically distributed group of servers working together to provide the fast delivery of internet content.

The CDN basically is a cloud application that adds a layer of protection on all transactions that pass through it, including our merchant portal or other loaded internet content like HTML pages, JavaScript files, stylesheets, images and videos. By implementing these security barriers as designated endpoints per web application, you’re providing a level of security that ensures a company’s web application firewall (WAF) rules are based on the web application’s needs.

Strengthen Standard Operating Procedures

You may have noticed that when logging into your bank account, there is a request for an additional code or password. It is now a requirement for all business line applications to implement a dual-factor authentication (DFA), which is a second layer of security requiring a user to go beyond presenting a username and password. It doesn’t have to be just for banking accounts either. We’re looking at implementing this to all our apps and other programs inside the office to increase security. It’s something that’s becoming very common in the industry as an added layer of strength and stability.

Knowledge is also a security strength and developers can stay on top of the latest secure coding practices through the Open Web Application Security Project (OWASP). This free and open security community offers products freely like articles, mythologies, documentation, tools and technologies in the field of web application security. It’s a great resource and tool to help make sure security is built in from the start.

Our company takes advantage of online security training yearly with some members of the team training on a monthly basis. Even the end user can help with security awareness by knowing there are security risks based on their actions. We send out regular reminders of current malicious cyber activity to our staff warning them about what they should look out for. You can access this type of information through the Cybersecurity and Infrastructure Security Agency website. They provide national cyber security system alerts highlighting incident reports, vulnerabilities and announcements. By keeping the line of communication transparent our staff can be aware of what to watch out for.

Make the Most of Monitoring and Controls

You want to make sure you see the full picture of your infrastructure’s health to stop security issues before they happen. Having processes like end-to-end monitoring and analytics, along with metrics and logs across the full stack, are extremely helpful to get a bird’s-eye view of what’s going on in your company. Our IT team forces updates instead of waiting for me to update them. This keeps us ahead of any potential issues and we’re able to solve them before the end user is impacted. Staying up to date on hardware and software provides an edge on the latest application and system services, such as Cyphers. Payment processing and cardholder data (CD) is any personally identifiable information associated with a person who has a credit or debit account. One of the main goals of PCI Data Security is to protect cardholder data that is processed, stored or transmitted by merchants. That data should always be on a separate domain and/or provider for maximum security.

While this process is very time consuming, it’s also very necessary to protect the health and safety of a merchant’s business. Failing to be PCI compliant can cost you in fines ranging between $5,000 and $500,000 and you could face serious consequences. If you’re not PCI compliant you could lose your merchant account- meaning you won’t be able to accept credit card payments at all. Every year the process seems overwhelming, but a skilled IT team can pull this together. I’m proud of ours for their dedication in getting this done year after year — and if you find yourself stuck, we’re here to help, just ask.

Cathy Beardsley is president and CEO of Segpay, a global leader in merchant services offering a wide range of custom financial solutions including payment facilitator, direct merchant accounts and secure gateway services. Under her direction, Segpay has become one of four companies approved by Visa to operate as a high-risk internet payment services provider. Segpay offers secure turnkey solutions to accept online payments, with a guarantee that funds are always safe and protected with its proprietary Fraud Mitigation System and customer service and support. For any questions or help, contact sales@segpay.com or compliance@segpay.com.

Related:  

Copyright © 2024 Adnet Media. All Rights Reserved. XBIZ is a trademark of Adnet Media.
Reproduction in whole or in part in any form or medium without express written permission is prohibited.

More Articles

opinion

Best Practices for Payment Gateway Security

Securing digital payment transactions is critical for all businesses, but especially those in high-risk industries. Payment gateways are a core component of the digital payment ecosystem, and therefore must follow best practices to keep customer data safe.

Jonathan Corona ·
opinion

Ready for New Visa Acquirer Changes?

Next spring, Visa will roll out the U.S. version of its new Visa Acquirer Monitoring Program (VAMP), which goes into effect April 1, 2025. This follows Visa Europe, which rolled out VAMP back in June. VAMP charts a new path for acquirers to manage fraud and chargeback ratios.

Cathy Beardsley ·
opinion

How to Halt Hackers as Fraud Attacks Rise

For hackers, it’s often a game of trial and error. Bad actors will perform enumeration and account testing, repeating the same test on a system to look for vulnerabilities — and if you are not equipped with the proper tools, your merchant account could be the next target.

Cathy Beardsley ·
profile

VerifyMy Seeks to Provide Frictionless Online Safety, Compliance Solutions

Before founding VerifyMy, Ryan Shaw was simply looking for an age verification solution for his previous business. The ones he found, however, were too expensive, too difficult to integrate with, or failed to take into account the needs of either the businesses implementing them or the end users who would be required to interact with them.

Alejandro Freixes ·
opinion

How Adult Website Operators Can Cash in on the 'Interchange' Class Action

The Payment Card Interchange Fee Settlement resulted from a landmark antitrust lawsuit involving Visa, Mastercard and several major banks. The case centered around the interchange fees charged to merchants for processing credit and debit card transactions. These fees are set by card networks and are paid by merchants to the banks that issue the cards.

Jonathan Corona ·
opinion

It's Time to Rock the Vote and Make Your Voice Heard

When I worked to defeat California’s Proposition 60 in 2016, our opposition campaign was outspent nearly 10 to 1. Nevertheless, our community came together and garnered enough support and awareness to defeat that harmful, misguided piece of proposed legislation — by more than a million votes.

Siouxsie Q ·
opinion

Staying Compliant to Avoid the Takedown Shakedown

Dealing with complaints is an everyday part of doing business — and a crucial one, since not dealing with them properly can haunt your business in multiple ways. Card brand regulations require every merchant doing business online to have in place a complaint process for reporting content that may be illegal or that violates the card brand rules.

Cathy Beardsley ·
profile

WIA Profile: Patricia Ucros

Born in Bogota, Colombia, Ucros graduated from college with a degree in education. She spent three years teaching third grade, which she enjoyed a lot, before heeding her father’s advice and moving to South Florida.

Women In Adult ·
opinion

Creating Payment Redundancies to Maximize Payout Uptime

During the global CrowdStrike outage that took place toward the end of July, a flawed software update brought air travel and electronic commerce to a grinding halt worldwide. This dramatically underscores the importance of having a backup plan in place for critical infrastructure.

Jonathan Corona ·
opinion

The Need for Minimal Friction in Age Verification Technology

In the adult sector, robust age assurance, comprised of age verification and age estimation methods, is critical to ensuring legal compliance with ever-evolving regulations, safeguarding minors from inappropriate content and protecting the privacy of adults wishing to view adult content.

Gavin Worrall ·
Show More