What Does It Mean to Be PCI Compliant?
September 23rd, 2019

PCI compliance refers to adherence to a set of rules known as the Payment Card Industry Data Security Standard (PCI or PCI DSS for short). Basically, these standards are the best practices the industry has to offer for keeping customer information secure. These were originally created in 2004, but have been evolving and expanding ever since.

It’s fairly common to hear about major breaches of customer information nowadays. Of course, you don’t have to be a multinational corporation to be vulnerable to these sorts of attacks. Any business, no matter how small or large, can be a target. That’s why following the PCI DSS is so important.

All Sonder Payments members are required to adhere to the PCI DSS. Merchants who are unable to prove their compliance will be assessed a PCI non-compliance fee of $19.95 per month. In order to avoid this fee, members must complete a self-assessment questionnaire (SAQ) once per year. You can request further information on the SAQ by calling your support representative or emailing support@sonderpayments.com.

What Does Compliance with PCI DSS Entail?

Unfortunately, the answer to this question isn’t as simple as you’d hope. Really, it depends entirely on your business’s transaction volume and methods of accepting cards. There are eight different categories your business can fall under, each with its own set of standards. We won’t discuss them all here; there’s really no use in knowing the details of each category. What you really need to know are the basic, universal components of PCI compliance:

1. Build and Maintain a Secure Network and Systems

This sounds fairly complicated, but it’s not. Basically, you just need to make sure that the software you use for accepting payments is password-protected and that there aren’t roundabout ways to access the information stored there. If you’re using Sonder Payments software to store card information, you shouldn’t have to worry much about this. Just make sure you have a strong password that is different from the default password given to you by Sonder Payments.

2. Protect Cardholder Data

Once you have received a customer’s card information, you are required to protect stored data and encrypt cardholder data when transmitting it across open, public networks. These requirements can be met by limiting cardholder data storage and retention time, purging unneeded records, not storing sensitive authentication data, and masking the primary account number. Again, most of these requirements will be met simply by using the software provided by Sonder Payments and refraining from sharing cardholder information via other channels.
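For merchants who handle card records in their own systems, the storage measures listed above can be sketched as follows. This is an added example, not Sonder Payments code; the 90-day retention window, the field names and the first-six/last-four masking format are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed policy value; set it from your own retention policy.
RETENTION = timedelta(days=90)
# Hypothetical field names for sensitive authentication data, never stored.
SENSITIVE_AUTH_FIELDS = {"cvv", "track_data", "pin_block"}


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits of a primary account number."""
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19) or not luhn_ok(digits):
        raise ValueError("not a valid card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize(record: dict) -> dict:
    """Drop sensitive authentication data and mask the PAN before a record is stored."""
    clean = {k: v for k, v in record.items() if k not in SENSITIVE_AUTH_FIELDS}
    clean["pan"] = mask_pan(record["pan"])
    return clean


def purge_expired(records: list, now: datetime) -> list:
    """Return only the records still inside the retention window."""
    return [r for r in records if now - r["created"] <= RETENTION]


# Constructed sample data using widely published test card numbers.
NOW = datetime(2019, 9, 23, tzinfo=timezone.utc)
SAMPLE = [
    {"pan": "4111 1111 1111 1111", "cvv": "123", "created": NOW - timedelta(days=10)},
    {"pan": "5555555555554444", "cvv": "999", "created": NOW - timedelta(days=200)},
]
STORED = [sanitize(r) for r in purge_expired(SAMPLE, NOW)]
```

Only the first sample record survives: the second is older than the retention window, and the stored copy carries a masked number and no security code.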

3. Maintain a Vulnerability Management Program

To maintain PCI compliance, you should be actively monitoring your systems to ensure that there are no vulnerabilities. In most cases, this is as simple as using and regularly updating anti-virus software on your network.

4. Implement Strong Access Control Measures

If you’re storing cardholder information, there should be strict rules on who can access that information. Those who have no reason to access this data should not have a way to access it. And for those who need access to it, each individual should have and use their own access credentials. You shouldn’t have one login used by multiple individuals; otherwise, the source of a breach can be much more difficult to locate.

5. Regularly Monitor and Test Networks

Similar to requirement three above, it’s wise to continuously check your systems to ensure that they’re running as intended. Sometimes updates to software can make systems incompatible or poke holes in your armor. By constantly testing these systems, you can catch any vulnerabilities before outsiders do. In addition, you should regularly track who has accessed data and for what reason — keep an eye out for suspicious activity.

6. Maintain an Information Security Policy

Just like a dress code or employee code of conduct, an Information Security Policy should be shared and understood by every employee of your company. Each individual should understand their role in keeping customer information safe — it’s not a bad idea to incorporate this into new employee training. Make sure to inform your employees of a process for reporting violations of the Information Security Policy as well.

These are just the six most basic requirements for PCI compliance. If you’d like a more detailed explanation of these requirements, they are available in the PCI DSS Quick Reference Guide. Most Sonder Payments members are PCI compliant by nature of the software we provide for their use; however, you are still required to complete the SAQ to confirm that policies and procedures are being properly followed.

If you have further questions about PCI compliance, feel free to contact support@sonderpayments.com. We’re happy to help you achieve compliance or answer questions about systems and processes involving customer information.