Hardware & Software Compliance FAQs
What is Hardware & Software Compliance?
Compliance means that all of your credit card processing equipment (hardware and software) meets the requirements set by the Payment Card Industry Security Standards Council (PCI SSC). The council was founded in 2006 by the five major card brands (Visa, MasterCard, Discover, American Express and JCB International) to maintain the PCI Data Security Standard (PCI DSS); enforcement of the standard, including any fines, is handled by the individual card brands and your acquiring bank, not by the council itself. To be in compliance, hardware and software must meet the 12 requirements outlined in the PCI DSS, and payment applications must also meet the payment application requirements (originally Visa's Payment Application Best Practices, PABP, later adopted by the council as PA-DSS).
What are the consequences of non-compliance?
Noncompliant hardware and software puts you at high risk of a data security breach in which your customers' credit card numbers or other personal information may be stolen or otherwise compromised. If you are out of compliance and suffer a data breach, you can be liable for monthly noncompliance fees and for fines of up to $100,000, levied by the card brands and passed down through your acquiring bank, in addition to the cost of the forensic investigation and of reissuing compromised cards. Worse, you could lose customer trust, resulting in a bad reputation and the potential loss of your business.
How do I know if my hardware/software is compliant?
The best way to check compliance is to have your card processing environment assessed against PCI DSS, and a PCI vulnerability scan is a core part of that assessment. A PCI scan probes the Internet-facing parts of your environment (operating systems, network services, payment software and devices) for known vulnerabilities, such as unpatched software, exposed services and weak configurations, that could lead to a data breach. Because of the sensitive nature of the data involved, POS systems that are connected to the Internet must pass such a scan at least quarterly to maintain compliance. The quarterly external scan that PCI DSS requires must be conducted by an Approved Scanning Vendor (ASV) certified by the PCI SSC; a scan you run yourself does not satisfy that requirement. Note that a clean scan only shows that no known vulnerabilities were found on the day of the scan; it does not by itself prove compliance with the rest of the standard.
Do I need PCI scanning to maintain compliance?
If your credit card processing hardware/software is connected to the Internet, or if you electronically store any cardholder data, you will generally be required to pass a quarterly (at least every 90 days) external vulnerability scan by an Approved Scanning Vendor, and to re-scan after any significant change to the environment, such as a new server, a new firewall rule or a major software upgrade.
How do I maintain compliance?
Some merchants think of compliance as something they need to do only once, but nothing could be further from the truth. Compliance is an ongoing process of risk assessment to ensure that your business is secure both on the network and physically. To maintain compliance, you must protect the two essential elements of credit card processing: your processing environment (the software, operating system and network you use for credit card processing) and your terminal (the device you use to take card payments), and you must keep both patched, securely configured and monitored over time rather than only at the time of your initial assessment.
Which credit card processing devices need to meet the standards of compliance?
All of them. Any equipment you use to process credit card payments must meet the applicable industry and government requirements. Terminals must meet the PCI data security standards and the truncation rules for printed receipts (the Fair and Accurate Credit Transactions Act, FACTA, forbids printing more than the last five digits of the card number or the expiration date on a customer receipt, and PCI DSS allows at most the first six and last four digits of the card number to be displayed). PIN entry devices must also meet the PCI PIN Transaction Security (PTS) requirements, including encrypting PIN blocks with Triple DES or stronger.
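As a worked example of the truncation rules above (added here; it is not part of the original FAQ and not any particular terminal vendor's software), the code below validates that a string looks like a card number (13 to 19 digits that pass the Luhn checksum) and then masks it so that no more than the first six and last four digits remain visible, with a receipt variant that keeps only the last four. The digit limits are taken from PCI DSS and FACTA as described above; the sample numbers are the well-known Visa and American Express test numbers, not real cards, and the function names are assumptions chosen for illustration.

```python
import re

# Maximum digits PCI DSS permits to be visible when a PAN is displayed.
PCI_MAX_LEADING = 6
PCI_MAX_TRAILING = 4
# FACTA: a printed customer receipt may show no more than the last five digits.
RECEIPT_MAX_TRAILING = 5


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check that every real PAN satisfies.

    Starting from the rightmost digit, every second digit is doubled and
    9 is subtracted from any result above 9; the sum must be divisible by 10.
    This catches typos and random digit strings, not fraudulent cards.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(value: str) -> str:
    """Strip the spaces/dashes a terminal or web form may insert; return digits only.

    Raises ValueError if the result does not look like a PAN (13-19 digits
    with a valid Luhn checksum), so callers never mask garbage by accident.
    """
    digits = re.sub(r"[ -]", "", value)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN: expected 13-19 digits")
    if not luhn_valid(digits):
        raise ValueError("not a PAN: Luhn check failed")
    return digits


def truncate_pan(value: str, keep_leading: int = PCI_MAX_LEADING,
                 keep_trailing: int = PCI_MAX_TRAILING, mask_char: str = "*") -> str:
    """Return the PAN with only the permitted digits visible.

    A caller may show fewer digits than the PCI DSS maximum, never more;
    asking for more raises instead of silently over-exposing the number.
    """
    if keep_leading > PCI_MAX_LEADING or keep_trailing > PCI_MAX_TRAILING:
        raise ValueError("PCI DSS allows at most the first 6 and last 4 digits")
    digits = normalize_pan(value)
    hidden = len(digits) - keep_leading - keep_trailing
    if hidden <= 0:  # would reveal every digit of a short PAN
        raise ValueError("PAN too short to truncate with these settings")
    tail = digits[len(digits) - keep_trailing:] if keep_trailing else ""
    return digits[:keep_leading] + mask_char * hidden + tail


def receipt_pan(value: str) -> str:
    """Mask for a printed customer receipt: last four digits only.

    Four trailing digits satisfy both FACTA (no more than the last five)
    and the PCI DSS display rule, so the same output is safe for either use.
    """
    assert 4 <= RECEIPT_MAX_TRAILING
    return truncate_pan(value, keep_leading=0, keep_trailing=4)


if __name__ == "__main__":
    # Constructed sample using the public Visa test number, formatted as a
    # terminal might print it.
    sample = "4111 1111 1111 1111"
    print(truncate_pan(sample))  # 411111******1111
    print(receipt_pan(sample))   # ************1111
```

The normalization step matters in practice: receipts and logs usually carry the number with separators, and a masking routine that only recognises bare 16-digit strings will happily print a spaced or 15-digit American Express number in full.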
My credit card processing software is outsourced. Is compliance still my responsibility?
Absolutely. Using a third-party credit card processor or hosted payment software does not make you exempt from PCI compliance; it only changes which requirements you must meet directly. PCI DSS still requires you to keep a list of your service providers, to confirm their own compliance status at least annually and to agree in writing which requirements each party is responsible for. Employee error and internal mishandling of sensitive information are among the leading causes of data security breaches, and those happen inside your business no matter who runs the software. This means you remain responsible for controls such as security awareness training, limiting who can access cardholder data and physically protecting your terminals. If a data breach occurs, the responsibility is ultimately yours.
I’m already using a compliant payment application. What else is there?
Making sure that your payment application is validated is certainly a best practice, but it is only one step on the long journey to compliance. A validated application stays compliant only if it is installed and configured as described in the vendor's implementation guide (for example, with default passwords changed and storage of full card data left disabled), and the rest of the process is ongoing and covers a substantial list of standards for terminal, network, software and data security.