PCI 3.0
If you are a merchant that accepts credit cards, you need to make sure that you are compliant with PCI standards, which can change regularly. PCI is mandated by Visa, MasterCard, American Express, Discover and JCB and administered by the Payment Card Industry Security Standards Council. The council was formed because each card brand has its own compliance program (and they still do), but they all use the PCI standard as the foundation for their programs. PCI applies to all organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data.
What is PCI DSS?
The Payment Card Industry Data Security Standard is a set of 12 specific requirements to ensure that all companies maintain a secure environment. The goal of PCI compliance is to ensure that merchants provide the maximum security when processing customers' payments or handling cardholder data.
What is PCI 3.0?
According to the PCI Security Council, version 3.0 updates are based on feedback from the industry, per the standards development lifecycle, as well as in response to current market needs. While the changes in version 3.0 were first proposed in 2013, and the updated 3.0 standards came into effect on January 1, 2014, version 2.0 remained active until the end of 2014. Until July 1, 2015, some of the new requirements are considered best practices only, giving organizations time and flexibility to adapt to the changes. Common challenge areas and drivers for change include:
- Lack of education and awareness
- Weak passwords, authentication
- Third-party security challenges
- Slow self-detection, malware
- Inconsistency in assessments
The PCI Security Council states, “The nature of the changes reflects the growing maturity of the payment security industry since the Council’s formation in 2006, and the strength of the PCI Standards as a framework for protecting cardholder data. Cardholder data continues to be a target for criminals. Lack of education and awareness around payment security and poor implementation and maintenance of the PCI Standards leads to many of the security breaches happening today. The updates address these challenges by building in additional guidance and clarification on the intent of the requirements and ways to meet them. Additionally, the changes in PCI DSS and PA-DSS 3.0 focus on some of the most frequently seen threats and risks that precipitate incidents of cardholder-data compromise. Overall, the changes are designed to give organizations a strong but flexible security architecture with principles that can be applied to their unique technology, payment and business environment.”
BMT Micro has recently renewed its PCI compliance certificate. As we mentioned earlier, a PCI DSS compliance certification is required by card brands such as Visa, MasterCard and Discover. The certification needs to be renewed annually and achieve a passing score, which is based on a set of very stringent criteria. Any and all deviations from these criteria will not allow a merchant to obtain a passing score or to renew its compliance status. If you electronically store cardholder information or if your processing systems have any Internet connectivity, a quarterly scan by an approved scanning vendor is also required. BMT Micro has partnered with SecurityMetrics, which performs quarterly reviews and ensures that we maintain PCI compliance and up-to-date data confidentiality standards. These scans are very important because if there is a break in any part of your transaction process and someone gets hold of your customers' information, you may be held responsible.
If you are a vendor of BMT Micro, you are PCI compliant by default using our secure system and there is no need for you to acquire your own PCI Compliance certificate. BMT Micro adheres strictly to all PCI compliance regulations. We make sure our staff is educated and aware of all security protocols and regulations. The changes in PCI 3.0 focus on some of the most frequently seen risks that lead to incidents of cardholder data compromise. It is essential for eCommerce companies to protect their site, and more importantly, their customers’ sensitive information.
Payment processors, such as BMT Micro, can save you the time and expense necessary to keep fraud to a minimum and your customers' information safe. BMT Micro's state-of-the-art fraud detection system automatically screens orders and puts questionable orders through a manual approval process. All BMT Micro servers are fully secured and host all shopping carts using the highest encryption standard available, Extended Validation SSL. EV SSL certificates provide 256-bit encryption and enable the most visible security indicator, the green address bar, in high-security browsers. This assures customers that the shopping cart is secure and that our identity has been authenticated to the industry's highest standard. There is no need to worry about the expense of a secure certificate with BMT Micro! Our vendors are able to spend more time focusing on their business while we focus on keeping their customers' information safe and secure. If you have any questions or if you are interested in learning more about BMT Micro's offerings, please contact our vendor services at vendors@bmtmicro.com.