By Sarah Cornelisse
Agricultural and food businesses of all types are increasingly handling a wide variety of data – their own and that of their customers.
All businesses and organizations, including agricultural and food businesses, that accept, process, store, or transmit credit card information must comply with the Payment Card Industry Data Security Standard (PCI DSS). It is key to remember that a business must comply even if it never stores credit card data. Businesses that accept debit and pre-paid cards also fall under the umbrella of PCI DSS if those cards are branded with the logos of associations that participate in the PCI Security Standards Council: MasterCard, Visa, American Express, Discover, and JCB. Each card brand sets the compliance level (based on the merchant's transaction volume) that a business must meet.
Compliance is required regardless of:
- the number or size (value) of credit card transactions that occur.
- whether credit cards are taken in-person, online, or by phone.
- whether third-party payment processors are used.
Some businesses may need to store card data to facilitate recurring billing, for instance for product subscriptions. For these businesses, it is important to understand what is defined as cardholder data. At a minimum, this is the full Primary Account Number (PAN); it also covers the PAN together with any of the following: cardholder name, expiration date, or service code. In addition, sensitive authentication data must also be protected by the business; this is defined as "Security-related information (including but not limited to card validation codes/values, full track data (from the magnetic stripe or equivalent on a chip), PINs, and PIN blocks) used to authenticate cardholders and/or authorize payment card transactions" (PCI Security Standards Council). Unlike the PAN, sensitive authentication data may never be retained after a transaction is authorized, even in encrypted form, so a recurring-billing system must not keep the card validation code it collected at checkout.
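The practical question behind the definitions above is whether cardholder data is sitting somewhere it should not, such as an application log or an order record. The following Python is an added example, not code from the original article or from the PCI Security Standards Council. It scans a constructed log excerpt for primary account numbers, keeps only digit runs that pass the Luhn check digit and match a brand prefix, shows the masked form PCI DSS permits for display (first six and last four digits), and strips sensitive authentication data from a record before it is stored. The brand prefix table is a simplified assumption for illustration, not the brands' authoritative IIN ranges, and the card numbers in the sample log are the publicly published test numbers, not real accounts.

```python
"""Identify cardholder data before it is stored or logged.

Added example; not the article's or the PCI SSC's code. Brand prefixes
below are a simplified assumption used only for illustration.
"""
import re
from typing import Optional

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Simplified issuer prefixes and permitted lengths (assumption, not authoritative).
BRAND_PREFIXES = [
    ("American Express", ("34", "37"), (15,)),
    ("Discover", ("6011", "65"), (16, 19)),
    ("JCB", ("35",), (16, 19)),
    ("MasterCard", ("51", "52", "53", "54", "55"), (16,)),
    ("Visa", ("4",), (13, 16, 19)),
]

# Field names that carry sensitive authentication data (SAD). These are never
# stored after authorization, even encrypted.
SAD_FIELDS = {"cvv", "cvc", "cid", "track1", "track2", "pin", "pin_block"}


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check digit test."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_brand(digits: str) -> Optional[str]:
    """Map a PAN to a brand by prefix and length; None if unrecognised."""
    for brand, prefixes, lengths in BRAND_PREFIXES:
        if digits.startswith(prefixes) and len(digits) in lengths:
            return brand
    return None


def mask_pan(digits: str) -> str:
    """Render a PAN as first six and last four digits, the rest masked."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_for_pans(text: str) -> list:
    """Return (line number, brand, masked PAN) for each Luhn-valid PAN found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            brand = card_brand(digits)
            if brand is None or not luhn_valid(digits):
                continue  # timestamps, order numbers and similar digit runs
            findings.append((lineno, brand, mask_pan(digits)))
    return findings


def sanitize_for_storage(record: dict) -> dict:
    """Drop SAD fields and replace the PAN with its masked form.

    The full PAN is deliberately not returned: for recurring billing it
    belongs in the processor's token vault or an encrypted store, not in
    an application record kept next to the order.
    """
    clean = {k: v for k, v in record.items() if k.lower() not in SAD_FIELDS}
    if "pan" in clean:
        digits = re.sub(r"[ -]", "", str(clean["pan"]))
        if not luhn_valid(digits):
            raise ValueError("PAN fails Luhn check")
        clean["pan"] = mask_pan(digits)
    return clean


# Constructed log excerpt using publicly published test card numbers; the
# order reference on the last line is 16 digits but is not a card number.
SAMPLE_LOG = """\
2024-03-02 10:14:07 checkout ok card=4111 1111 1111 1111 amount=42.50
2024-03-02 10:15:22 checkout ok card=5555555555554444 amount=18.00
2024-03-02 10:16:40 checkout ok card=378282246310005 amount=120.00
2024-03-02 10:17:01 order ref=1234567890123456 status=shipped
"""

if __name__ == "__main__":
    for lineno, brand, masked in scan_for_pans(SAMPLE_LOG):
        print(f"line {lineno}: {brand} {masked}")
    print(sanitize_for_storage({"pan": "4111111111111111", "cvv": "123",
                                "exp": "12/27", "name": "A. Farmer"}))
```

Run against real exports the scanner will produce false positives on long numeric identifiers; the Luhn and prefix filters remove most of them, but a finding still needs a human to confirm whether the source system is in scope for the SAQ.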
The first step to PCI compliance is to determine the compliance level that the business falls under. Because each credit card brand sets levels independently, and not all brands have the same number of levels, a business can fall under a different level for each brand it accepts. Since most businesses accept more than one brand, use point-of-sale data to determine the annual number of transactions for each brand.
Compliance level determines what a business will need to submit for compliance validation. What is required for validation can be further determined through the completion of a self-assessment questionnaire (SAQ). The appropriate SAQ is determined by how a business accepts payment cards. There are nine SAQs, making it crucial to select the appropriate SAQ for the individual business environment. Businesses should consult with their card brand and merchant bank to ensure accurate SAQ selection.
As an example, a farm that sells both through an on-farm retail store and an online store (e-commerce) would most likely need to complete SAQ "D": five of the SAQs do not apply to e-commerce channels, one does not apply to face-to-face channels, one applies only to e-commerce channels, and one is intended for service providers. Businesses should independently verify their SAQ selection.
SAQs vary in the number of questions, ranging from as few as 14 to as many as 347. Additionally, not all questions will apply to the circumstances of every business.
Questions on the SAQ are grouped by the six PCI DSS goals:
- Building and maintaining a secure network and systems
- Protecting cardholder data
- Maintaining a vulnerability management program
- Implementing strong access control measures
- Regularly monitoring and testing networks
- Maintaining an information security policy
Examples of questions include:
- Is an inventory maintained for systems components that are in scope for PCI DSS, including a list of hardware and software components and a description of function/use for each?
- Are security policies and operational procedures for protecting stored cardholder data documented, in use, and known to all affected parties?
- Are strong cryptography and security protocols used to safeguard sensitive cardholder data during transmission over open, public networks?
- Is access for any terminated users immediately deactivated or removed?
- Is physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines restricted?
- Are devices that capture payment card data via direct physical interaction with the card protected against tampering and substitution?
- Is a security policy established, published, maintained, and disseminated to all relevant personnel?
It is not expected that the business owner, or person completing the SAQ, personally knows the answer to each question. Rather, someone should know where to turn to be able to answer the question. For instance, some Point-of-Sale (POS) and e-Commerce platform vendors offer and include PCI compliance support to their customers enabling businesses to turn to them to answer SAQ questions and demonstrate compliance.
Non-compliance may result in several penalties, including fines, increased transaction fees, or termination of the merchant account by the business's (merchant's) bank. Of greater concern, though, should be the damage to a business's reputation should there be a data breach.
Accepting card payments provides value to customers and opens additional sales outlets for a business, but it also brings the responsibility to secure the data, networks, software, and hardware involved.
Source: psu.edu