Payment Card Industry (PCI) compliance gives your consumers confidence that your business follows defined security controls. Consumers need to know that every time they pay by credit card, their card number is protected, and you have the same expectation when you buy something online or over the phone. It's an often overlooked (or ignored) piece of the compliance puzzle, but it shouldn't be: one slip-up in security can lead to a breach of sensitive data.
A data breach will hurt your company's image. It can destroy the trust you have built, and it may put you out of business. That's why companies like to let their payment processor do the heavy lifting. Using a payment processor that is validated as a Payment Card Industry Data Security Standard (PCI DSS) Level 1 service provider reduces your own compliance scope: in most cases you complete an annual Self-Assessment Questionnaire (SAQ) rather than undergo a full on-site assessment. Which SAQ applies, and whether quarterly external scans are also required of you, depends on how card data reaches your systems.
Have you ever wondered what work your processor does to maintain PCI DSS Level 1 compliance, and what it does to keep your consumers' sensitive data safe?
PCI DSS External Audit
PCI DSS Level 1 businesses must pass a yearly on-site assessment conducted by a Qualified Security Assessor (QSA), which produces a Report on Compliance and a signed Attestation of Compliance. The assessor uses this time to conduct on-site interviews and inspect the security processes the business has in place, including where and how sensitive data is stored and whether employees actually follow the standard operating procedures they describe.
“They want to attest to the fact that we are continually following guidelines,” says Ed Bills, PDCflow’s Chief Technology Officer.
Processes and Internal Controls
The once-yearly assessment is what renews the Attestation of Compliance, but the real work of PCI compliance takes place daily. Here are just a few of the ways we at PDCflow maintain Level 1 compliance and keep sensitive data secure:
Internal vulnerability scans are used to find known weaknesses in our systems before an attacker does. Frequency is the key: PDCflow runs daily and weekly scans to continually monitor system security, well beyond the quarterly internal scans and quarterly external scans by an Approved Scanning Vendor (ASV) that PCI DSS sets as the minimum.
Third-party penetration testing complements the scans. A scanner matches known signatures; a penetration tester tries to chain weaknesses into an actual compromise, and hiring an outside party brings a neutral perspective that in-house staff cannot.
Rigorous Change Control
Rigorous change control means that PDCflow's infrastructure and development teams follow a strict process: nothing is changed without documented approval. Review before approval catches problems that could accompany a change, whether a security regression or an unwanted outage that affects customers, and PCI DSS also expects each change to be tested and to carry a back-out plan.
Uptime, anomalies and access logs are all monitored. Keeping track of all these components allows abnormal behaviour, such as a burst of failed logins from one address or an unexpected request for card data, to be detected and acted on immediately rather than discovered after the fact.
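What "monitoring access logs for anomalies" looks like in practice, as an added illustration rather than PDCflow's own tooling: a small Go detector run over a constructed access log. The log format, the thresholds (a five-minute sliding window, more than four authentication failures), the `/admin/cards/` prefix and the user allowlist are all assumptions made for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Constructed sample access log (not real traffic), one request per line:
// "<RFC3339 time> <client ip> <user> <http status> <path>"; "-" marks an unauthenticated request.
const SampleLog = `2024-03-01T08:30:00Z 203.0.113.7 - 401 /login
2024-03-01T09:00:00Z 203.0.113.7 - 401 /login
2024-03-01T09:00:10Z 203.0.113.7 - 401 /login
2024-03-01T09:00:20Z 203.0.113.7 - 401 /login
2024-03-01T09:00:30Z 203.0.113.7 - 401 /login
2024-03-01T09:00:40Z 203.0.113.7 - 401 /login
2024-03-01T09:02:00Z 198.51.100.4 alice 200 /admin/cards/lookup
2024-03-01T09:06:00Z 198.51.100.9 mallory 200 /admin/cards/export`

// AccessEvent is one parsed log line; Alert names the rule that fired and the IP or user it concerns.
type AccessEvent struct {
	At             time.Time
	IP, User, Path string
	Status         int
}
type Alert struct{ Rule, Key, Detail string }

// ParseLog parses every line of the constructed format above and rejects malformed lines.
func ParseLog(log string) ([]AccessEvent, error) {
	var events []AccessEvent
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) != 5 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		status, err := strconv.Atoi(f[3])
		if err != nil {
			return nil, err
		}
		events = append(events, AccessEvent{At: at, IP: f[1], User: f[2], Path: f[4], Status: status})
	}
	return events, nil
}

// Detector holds the rule thresholds (hypothetical values chosen for this example).
type Detector struct {
	Window          time.Duration   // sliding window for the failure-burst rule
	MaxFailures     int             // the burst rule fires once failures inside Window exceed this
	SensitivePrefix string          // card-data endpoints live under this path prefix
	AllowedUsers    map[string]bool // the only users permitted under SensitivePrefix
}

// Detect walks the events in time order and applies two rules:
//  1. auth-failure-burst: more than MaxFailures 401/403 responses from one IP inside
//     Window (a brute-force or credential-stuffing signature), reported once per IP.
//  2. unauthorized-sensitive-access: a request under SensitivePrefix by a user not on the allowlist.
func (d Detector) Detect(events []AccessEvent) []Alert {
	sorted := append([]AccessEvent(nil), events...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].At.Before(sorted[j].At) })
	var alerts []Alert
	failures := map[string][]time.Time{} // per-IP failure timestamps still inside the window
	reported := map[string]bool{}
	for _, e := range sorted {
		if e.Status == 401 || e.Status == 403 {
			ts, cutoff := failures[e.IP], e.At.Add(-d.Window)
			for len(ts) > 0 && ts[0].Before(cutoff) {
				ts = ts[1:] // expire failures that have left the window
			}
			ts = append(ts, e.At)
			failures[e.IP] = ts
			if len(ts) > d.MaxFailures && !reported[e.IP] {
				reported[e.IP] = true
				alerts = append(alerts, Alert{"auth-failure-burst", e.IP,
					fmt.Sprintf("%d failures within %s", len(ts), d.Window)})
			}
		}
		if strings.HasPrefix(e.Path, d.SensitivePrefix) && !d.AllowedUsers[e.User] {
			alerts = append(alerts, Alert{"unauthorized-sensitive-access", e.User, e.Path})
		}
	}
	return alerts
}

// Run feeds the sample log to a detector and returns the alerts it raises.
func Run() ([]Alert, error) {
	events, err := ParseLog(SampleLog)
	if err != nil {
		return nil, err
	}
	d := Detector{Window: 5 * time.Minute, MaxFailures: 4, SensitivePrefix: "/admin/cards/",
		AllowedUsers: map[string]bool{"alice": true}}
	return d.Detect(events), nil
}

func main() { fmt.Println(Run()) }
```

Run against the sample, the 08:30 failure has aged out of the window by the time the 09:00 burst starts, so the burst alert counts exactly the five failures between 09:00:00 and 09:00:40; alice's lookup is silent because she is allowlisted, and mallory's export raises the second alert. In production the same two rules would consume the web tier's real access log and feed a ticketing or paging system rather than stdout.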
Protecting Card Data
A responsible payment processor will use encryption to secure any sensitive data that comes into its system. PDCflow encrypts credit card data both at rest (strong encryption of stored card numbers) and in transit (TLS on every connection that carries card data is the standard way to do this) for consumer safety. Two caveats a practitioner should keep in mind: encryption is only as strong as the protection of its keys, which PCI DSS treats as a requirement in its own right, and sensitive authentication data such as the CVV must never be stored after authorization, encrypted or not.
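Encryption at rest, as an added worked example rather than PDCflow's code: field-level AES-256-GCM encryption of a primary account number (PAN) in Go using only the standard library. The stored-record layout, the `MaskPAN` helper and the choice to bind the record ID into the ciphertext as associated data are assumptions made for this example; the card number is the well-known 4111 1111 1111 1111 test PAN, and the key handling in `main` is for demonstration only.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// StoredCard is the record that is persisted. The PAN itself never appears in it in the clear.
type StoredCard struct {
	RecordID   string // bound into the ciphertext as associated data
	MaskedPAN  string // first six and last four, the masking PCI DSS permits for display
	Ciphertext string // base64(nonce || AES-256-GCM(PAN))
}

// MaskPAN validates a PAN's shape and returns the display form, e.g. 411111******1111.
func MaskPAN(pan string) (string, error) {
	if n := len(pan); n < 13 || n > 19 {
		return "", errors.New("PAN length out of range")
	}
	if strings.Trim(pan, "0123456789") != "" {
		return "", errors.New("PAN must contain only digits")
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:], nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // accepts 16, 24 or 32 bytes; use 32 for AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPAN seals the PAN under key with a fresh random nonce and ties it to recordID,
// so the ciphertext cannot be copied onto another customer's record and still decrypt.
func EncryptPAN(key []byte, recordID, pan string) (StoredCard, error) {
	masked, err := MaskPAN(pan)
	if err != nil {
		return StoredCard{}, err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return StoredCard{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredCard{}, err
	}
	sealed := aead.Seal(nonce, nonce, []byte(pan), []byte(recordID)) // nonce is prepended
	return StoredCard{RecordID: recordID, MaskedPAN: masked,
		Ciphertext: base64.StdEncoding.EncodeToString(sealed)}, nil
}

// DecryptPAN recovers the PAN. GCM's tag check makes any bit flip in the ciphertext,
// a wrong key, or a mismatched RecordID fail closed instead of returning garbage.
func DecryptPAN(key []byte, rec StoredCard) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(rec.Ciphertext)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(raw) < ns+aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := aead.Open(nil, raw[:ns], raw[ns:], []byte(rec.RecordID))
	if err != nil {
		return "", fmt.Errorf("decryption failed (wrong key, tampered data or record mismatch): %w", err)
	}
	return string(pt), nil
}

func main() {
	// Demo only: a real data-encryption key comes from a KMS or HSM, never from source code.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	rec, err := EncryptPAN(key, "cust-42", "4111111111111111") // well-known test PAN
	fmt.Printf("stored: %+v (err=%v)\n", rec, err)
	fmt.Println(DecryptPAN(key, rec))
	rec.RecordID = "cust-43" // ciphertext moved to another record: must fail closed
	fmt.Println(DecryptPAN(key, rec))
}
```

Two design points worth noting. The masked value is stored beside the ciphertext so that receipts and support screens never need the key at all, which keeps the decrypt path rare and auditable. And because GCM is authenticated, a database administrator who swaps or edits ciphertexts gets a hard error rather than a silently wrong card number; the same property is what makes the record ID useful as associated data.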
Secure Entry Overlay
In addition to the routine scans and policies that keep our system compliant, PDCflow offers an extra layer of PCI protection. Our Patented Secure Entry Overlay technology allows businesses to provide a seamless credit card payment process to consumers.
This technology overlays a PCI certified page over the company's site at the moment credit card payment information is keyed in. The sensitive data never enters the company's site, which frees the company from encrypting, tokenizing and storing it, and from the PCI responsibilities that go along with those tasks.
While Level 1 compliant companies must be assessed annually, PCI compliance itself is a year-round job. "You set up the process, follow it throughout the year, and that is what keeps you compliant," says Bills. There's no quick fix for getting certified if you're not constantly working towards that data security goal.
Merchant PCI Compliance Responsibility
Want to know your responsibility when it comes to PCI compliance? Download the PCI compliance guide: