Payment Card Industry Compliance: What Non-Profits Need to Know

Stories about payment card security are increasingly common in the media. Recently we have heard about the theft of consumer card data at big box retailers like Target and Home Depot. In our wired world, consumers and merchants alike are increasingly focused on payment card security. It is a critical issue as well for non-profit organizations that depend on donations and remittance processing to fund their operations, because the same card data flows through their systems and their vendors’ systems.

Launched in 2006, the Payment Card Industry Security Standards Council (PCI SSC) is a global forum that develops and manages the PCI security standards for cardholder data, payment applications and PIN transactions, and educates the industry about them. It is responsible for the standards themselves; compliance is enforced by the payment card brands – in practice primarily Visa and MasterCard, and to a lesser extent American Express, Discover and JCB – each of which sets its own validation levels, deadlines and penalties.

One of the PCI SSC’s standards, the Payment Card Industry Data Security Standard (PCI DSS), is a proprietary information security standard for any organization that stores, processes or transmits branded cardholder data. It was created to increase the controls around cardholder data and thereby reduce fraud. The standard consists of 12 requirements grouped under six control objectives (building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access controls, regularly monitoring and testing networks, and maintaining an information security policy), and compliance is treated as a continuous three-step cycle: assess, remediate and report.

The PCI DSS has no force of law; it is enforced through the card brands’ contracts with acquiring banks, merchants and service providers, with fines and the loss of card processing privileges as the penalties for non-compliance. In practice it serves as the “watchdog” for payment card transactions, defining the baseline controls for everything that touches cardholder data: the hardware, the software, how card data is stored and transmitted, how long it may be retained, who may access it, and so on.

Whether you maintain control over your own remittance processing or rely on a vendor to manage it for you, there are some important Payment Card Industry (PCI) compliance issues you should be aware of. What you don’t know can hurt you: if a vendor mishandles your donors’ card data, the breach is still your organization’s problem.

Here are the top four areas to consider when assessing your service provider’s (such as Merkle RMG) PCI compliance:

1. Verify that your service provider is listed on the card brands’ websites as being PCI DSS compliant. Visa and MasterCard each publish a public list of validated service providers (Visa’s Global Registry of Service Providers and MasterCard’s list of compliant service providers), and it takes just a few clicks to check them. Make sure that the entry for your service provider actually lists “PCI DSS” as the validated standard – other validations, such as PA-DSS for a payment application, can also appear on those sites, and they do not mean that the service provider’s own operations are PCI DSS compliant. Check the validation date as well; listings expire and must be renewed annually.

2. Understand which compliance level your service provider is validated at. The card brands define validation levels based on the annual volume of transactions processed and the resulting exposure. The four levels below are the commonly cited merchant levels (Visa’s thresholds are shown; the other brands’ are similar). The rigor required is highest at Level One and lowest at Level Four.

• Level One – over 6 million transactions processed a year. (Organizations at this level must validate through external parties approved by the PCI SSC: quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), an annual penetration test, and an annual on-site assessment by a Qualified Security Assessor (QSA). Note that the card brands define separate, stricter levels for service providers: Visa’s service provider Level One begins at 300,000 transactions a year rather than 6 million, and MasterCard requires all third-party processors to validate at Level One regardless of volume. Level One is therefore the level you should expect from any service provider processing cards on your behalf.)

• Level Two – 1 million to 6 million transactions processed a year.

• Level Three – 20,000 to 1 million e-commerce transactions processed a year.

• Level Four – fewer than 20,000 e-commerce transactions, or up to 1 million total transactions, processed a year. (These are typically smaller businesses with a single processing terminal.)

Service providers validating at Levels Two, Three or Four do so by self-assessment. A Self-Assessment Questionnaire is completed and signed by the provider itself, with no independent assessor verifying the answers, so while it may satisfy a card brand’s minimum validation rule, it gives you far less assurance than an independently assessed Level One validation and falls short of the intent of the standard for a company entrusted with your donors’ card data.

3. Request an Attestation of Compliance (AoC) from your service provider to verify that they are compliant. The AoC is the signed summary of the assessment: it states which version of the PCI DSS was assessed against, which services were in scope, who performed the assessment and when. Check the date and the scope, because compliance is an on-going process, not a one-time event; an AoC that is more than a year old, or that does not cover the services you actually use, tells you little.

The PCI SSC trains and certifies the organizations that assess and validate adherence to its standards. Validation is performed annually, either by an external Qualified Security Assessor (QSA), which produces a Report on Compliance (RoC) for organizations handling large volumes of transactions (Level One), or by a Self-Assessment Questionnaire (SAQ) for organizations handling smaller volumes (Levels Two, Three and Four), normally accompanied by quarterly ASV scans. It is not typical for an organization to share its RoC, because of the confidential detail about its environment that the report contains; the AoC is the non-confidential summary of the overall assessment, and it is what a provider should be willing to give you.

4. Make sure your own operation is validated at the correct level. As a non-profit, it is important that you determine for yourself what level your organization should be compliant at. A service provider may feel that a lower level is acceptable, and it may be less costly, but you must consider the level of risk you are comfortable assuming based on the services they provide to you – their compliance impacts your compliance. PCI DSS Requirement 12.8 makes this explicit: you must keep a list of the service providers that handle cardholder data on your behalf, have a written agreement with each one acknowledging its responsibility for that data, perform due diligence before engaging them, and monitor their compliance status at least annually; new in version 3.0, Requirement 12.9 requires service providers to acknowledge that responsibility to you in writing. Level One offers the best protection and demonstrates that you are taking every precaution the industry expects of you in order to lower your risk exposure. It is also good business practice to hold yourself to the highest level of compliance.

A new version of the PCI DSS, version 3.0, was published in November 2013 and took effect on January 1, 2014; it becomes mandatory on January 1, 2015, when version 2.0 is retired. Version 2.0 remains valid until December 31, 2014 to allow time for transition without risking non-compliance, and a handful of the new 3.0 requirements are designated best practices until June 30, 2015, after which they are mandatory as well. Confirm with your service provider that they are assessing against the latest version as soon as possible, and ask which version their current AoC was issued against.