PCI Compliance Made Simple: A Step-by-Step Guide for Small Businesses

As cybersecurity becomes more important, businesses accepting credit or debit card payments must do all they can to be PCI compliant.

Reading time: 11 minutes

Since top credit card companies created the Payment Card Industry Security Standards Council (PCI-SSC) in 2006, the concept of PCI compliance has grown in importance as businesses battle rising cybersecurity threats. 

The growing emphasis on PCI compliance is a recognition of the fact that cybersecurity remains the most important factor that will either enhance or hinder the digital payments revolution. 

A cyber attack takes place every 39 seconds and there are more than 800,000 cyber attacks every year, according to data curated by Astra Security, a cybersecurity firm. Furthermore, the global economy was estimated to have lost a whopping $8 trillion to cyber attacks in 2022, according to Evolve Security.

In a bid to protect consumers, PCI compliance standards require that businesses that collect credit or debit card payments implement certain security measures and conform to certain requirements. 

Implementing the standards demanded by the PCI-SSC is not easy for businesses, especially small ones, which may find it difficult to understand what the standards are about and/or how to execute them.

In what follows, we will explain in easy-to-understand terms what PCI compliance is all about and what small businesses can do to be PCI compliant. We’ll cover the following: 

  1. What is PCI compliance and how does it work?
  2. What are the PCI compliance requirements?
  3. Making use of PCI compliance checklist and questionnaire
  4. How to achieve PCI compliance

[Do you want to accept payments in Kuwait in the most convenient way possible while staying compliant with Kuwait’s payment standards? Sign up for Kem for instant, P2P, and contactless payments.]

1. What is PCI compliance and how does it work?

Simply put, PCI compliance means that a business processing credit or debit card transactions has adhered to the requirements and standards, also known as PCI-DSS (payment card industry data security standards), set by the PCI-SSC. 

Enforcement of PCI compliance

However, while the PCI-SSC sets the standards, they are not the ones who enforce the standards on businesses. In between the PCI-SSC and the businesses accepting card payments are at least two other stakeholders: 

  • Card networks: Visa, MasterCard, and other card networks are responsible for translating the standards set by PCI-SSC into requirements for participating in their networks. 

They do this by setting validation requirements that depend on the category level that a merchant falls into. 

  • Payment service providers or merchant service providers: PSPs (also called credit card processors) and MSPs are the ones who then translate these standards to the merchants that accept credit and debit card payments. 

PSPs and MSPs do this by including these standards in the terms and conditions they impose on businesses who want to work with them. Since these businesses cannot collect card payments without either of these platforms, they need to conform to these terms and conditions (which are expressions of the original PCI-SSC standards). 

Category levels for PCI compliance 

Since merchants vary by the volume of transactions they perform, the level of compliance required also varies. Card networks typically divide merchants into four compliance levels (Level 1 to Level 4), with Level 1 being the most rigorous. 

For Visa and MasterCard (the two most popular credit card brands in the world), the division is as follows: 

  • Level 1: Merchants that process more than 6 million Visa transactions per year across all channels. Also includes those designated as global merchants. 

  • Level 2: Merchants processing between 1 million and 6 million transactions per year across all channels. 

  • Level 3: Merchants processing between 20,000 and 1 million ecommerce transactions per year. 

  • Level 4: Merchants processing less than 20,000 ecommerce transactions and those processing up to 1 million total transactions per year across all channels. 

Source: Accountable HQ

Validation requirements for those belonging to Level 2-4 consist of: 

  • An annual self-assessment questionnaire (more on this below)
  • Quarterly network vulnerability scans by an Approved Scanning Vendor (ASV)
  • Attestation of compliance form.

However, for those in Level 1, self-assessment is not permitted. Instead, there must be an annual Report on Compliance (“ROC”), which is produced by a Qualified Security Assessor (“QSA”) or an internal auditor. 

These validation requirements show that PCI-DSS compliance is not a one-off issue; assessment and remediation must happen yearly for merchants to maintain a compliant status.  

Consequences of non-compliance

There is no regulatory mandate that makes PCI compliance a legal requirement imposed by the government; therefore, non-compliance in itself is not illegal. 

However, as we have seen, non-compliance can prevent a merchant from being accepted by a payment service provider or a merchant service provider. 

Furthermore, merchants that are non-compliant can be fined by card networks. “Regulatory bodies take data security very seriously, and non-compliance can result in substantial fines, far outweighing the investment needed to achieve and uphold it,” according to Easy Llama, a firm training organizations on how to create safe workplaces.  

Also, “non-compliance can expose businesses to legal liabilities, particularly if a data breach results in the theft of sensitive customer data. The aftermath of such incidents may lead to lawsuits from affected customers and other parties seeking compensation for damages incurred.”

Furthermore, security breaches that result in losses for customers can lead to a loss of customer’s trust and bad PR. 

In essence, while non-compliance is in itself not illegal, it can result in substantial legal liabilities and business loss when customers' debit or credit card information is stolen while they are trying to pay you. 

2. What are the PCI compliance requirements?

We have talked a lot about PCI-DSS, but what exactly are these standards? 

Below are the 12 requirements identified by the PCI-SSC:

  1. Install and maintain a firewall configuration to protect cardholder data: The first step towards protecting cardholders is to set up a firewall that will ensure a secure network and protect against suspicious network traffic. 
  2. Do not use vendor-supplied defaults for system passwords and other security parameters: New operating systems come with placeholder usernames and passwords that are easy to guess. The PCI-SSC requires that businesses ditch those default usernames and passwords. It also requires deleting any unnecessary default accounts before installing a new system.  
  3. Protect stored cardholder data: Businesses must decide what data they need to store and for how long. Whatever they decide to store must be encrypted or tokenized. Merchants must also have data disposal policies and limit data retention to what is required for legal, regulatory, and business purposes. 
  4. Encrypt transmission of cardholder data across open, public networks: Merchants must use strong cryptography and security protocols to protect cardholder data during authentication and transmission across open and public networks. 
  5. Use and regularly update anti-virus software or programs: Every system used by any employee that has a connection to customers’ sensitive data (especially primary account numbers) must have strong, up-to-date antivirus that can protect against various kinds of malware. 
  6. Develop and maintain secure systems and applications: Merchants must have a vulnerability management program, which involves conducting risk assessments to identify security vulnerabilities in any of their systems and applications, including operating systems, application software, point-of-sale (POS) terminals, and credit card processing terminals, among others. They must also rank the risk of each vulnerability so as to know where priority efforts should be directed.  

Source: ADKtechs

  7. Restrict access to cardholder data by business need to know: Merchants must have strong access control measures that ensure cardholder information is only accessible to those whose jobs require such access. There must be a list showing all the users who can access cardholder data and for what purpose. 
  8. Assign a unique ID to each person with computer access: Instead of shared usernames and passwords, each user must have a unique ID with which access to the merchant’s system components can be authenticated. 
  9. Restrict physical access to cardholder data: Just as digital access should be limited to users who need to know, sensitive devices, systems, and business areas must be physically restricted to those who need to use and visit them. 

CCTV cameras can be installed in those business areas and/or entry and exit can be electronically controlled so that only those with prior permission can access them. 

  10. Track and monitor all access to network resources and cardholder data: There must be an audit trail that links every system access to a user. Logs must be reviewed regularly for any suspicious activity. 
  11. Regularly test security systems and processes: Just as hackers are always active, looking for vulnerabilities in systems, merchants must continuously test their security systems and processes so that vulnerabilities can be quickly identified and corrected. 

Internal and external penetration testing must also be executed annually. 

Also, merchants must use testing to validate any segmentation and scope-reduction controls. 

  12. Maintain a policy that addresses information security for all personnel: There must be an information security policy document that educates all employees on how they should handle every system they interact with. This must be done at least once every year. 
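Requirements 3 and 10 meet in one everyday place: application logs. A checkout log that records the full primary account number (PAN) turns the log store into cardholder-data storage, and log review (requirement 10) is only useful if the PAN is not sitting in it. The following is an added example, not code from the original article or from any PCI-SSC document, showing a conservative masking rule (keep only the last four digits) and a logging filter that redacts PANs before a line is written. The sample log lines are constructed for the demonstration; the card numbers in them are well-known test numbers, and the 13-digit SKU is deliberately included to show that the Luhn check keeps a plain product code from being redacted.

```python
import io
import logging
import re

# Constructed sample log lines for this example (not from the original article).
SAMPLE_LOG_LINES = [
    "2024-04-25T10:01:02Z INFO checkout user=alice pan=4111111111111111 amount=12.50",
    "2024-04-25T10:01:05Z ERROR gateway timeout order=8812 card=5555555555554444",
    "2024-04-25T10:02:00Z INFO inventory sku=1234567890123 qty=3",
]

# Any run of 13 to 19 digits not adjacent to other digits is a PAN candidate.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN so only the last four digits remain (conservative display rule)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("value is not a PAN-length digit string")
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_pans(line: str) -> str:
    """Replace every Luhn-valid PAN candidate in a log line with its masked form."""
    def _replace(match: "re.Match") -> str:
        candidate = match.group(0)
        return mask_pan(candidate) if luhn_valid(candidate) else candidate
    return PAN_RE.sub(_replace, line)


class PanRedactingFilter(logging.Filter):
    """Logging filter that redacts PANs from the formatted message before it is emitted."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_pans(record.getMessage())
        record.args = ()
        return True


def redacted_log_output(messages):
    """Log each message through a redacting handler and return the emitted lines."""
    stream = io.StringIO()
    logger = logging.getLogger("pci-redaction-example")   # hypothetical logger name
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(PanRedactingFilter())
    logger.addHandler(handler)
    for message in messages:
        logger.info(message)
    handler.flush()
    return stream.getvalue().splitlines()


if __name__ == "__main__":
    for emitted in redacted_log_output(SAMPLE_LOG_LINES):
        print(emitted)
```

The filter sits on the handler, so it runs for every message regardless of which module logged it; putting it on the handler rather than on individual loggers is what keeps a forgotten debug statement from leaking a PAN. The Luhn check is a precision aid, not a guarantee: a digit string that happens to pass Luhn will be masked, which is the safe direction to fail in.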

3. Making use of PCI compliance checklist and questionnaire

While these 12 requirements are very clear on what merchants need to put in place, implementing them can be difficult.

Self-assessment questionnaires

Card networks have made this easier by providing self-assessment questionnaires (SAQs), which serve as a PCI-DSS compliance checklist that merchants can use to assess how well they are doing. 

At the moment, there are 9 different types of SAQ. The one a merchant will use depends on the type of payments they collect: 

  1. SAQ A: This is for organizations that process “card not present” transactions – that is, the physical card is not present. It applies to card transactions processed through ecommerce, mail, and telephone order. 

SAQ A is also used by organizations that have outsourced all cardholder functions (storing, processing, transmission) to a PCI-DSS compliant third party. 

  1. SAQ A-EP: This is the questionnaire for a merchant that has outsourced all payment processing and whose website does not even directly accept payment data. 
  1. SAQ B: SAQ B is the questionnaire for merchants that process cardholder data only through imprint machines or standalone, dial-out terminals. That is, they do not store account data on any computer system. 

They can be brick-and-mortar stores or mail and telephone order merchants, but not ecommerce merchants.  

  1. SAQ B-IP: Used by merchants that only process cardholder data through IP-connected PTS-approved payment terminals. (No electronic storage of cardholder data.) 
  1. SAQ C-VT: These merchants only process cardholder data through isolated virtual payment terminals on an internet-connected PC. 
  1. SAQ C: Their payments application systems are connected to the internet but do not store cardholder data electronically. 
  1. SAQ P2PE-HW: This is for merchants who process cardholder data with point-to-point encryption (P2PE) devices but with no electronic card data storage.
  1. SAQ D (For Merchants): For any other merchant not described by the preceding SAQs.  
  1. SAQ D (For Service Providers): This is for a service provider who has been described by a payment brand as SAQ-eligible. 

For an example of how these questionnaires help businesses better implement the 12 requirements, consider the following pages from SAQ A: 

The first column contains the 12 PCI-DSS requirements with each one divided into its component parts. For each component part, the second column shows the step(s) that the merchant needs to take to ensure compliance. 

In the last column, the merchant can check whether the requirement is in place, not in place, not applicable, or in place with CCW (the requirement has been met with the assistance of a compensating control, used when certain constraints made it necessary to use an alternative control instead of the original control required).   

4. How to achieve PCI compliance in Kuwait

So, how can you as a small business achieve PCI-DSS compliance? 

The first step is to identify which level you belong to by evaluating the number of card transactions you complete in a year.

After that, you must choose the SAQ that applies to you based on the type of card payments you collect.

Thirdly, you must review all the 12 requirements and start using the applicable SAQ to identify the steps you need to take to comply. 

At this stage, you must decide whether you have the capacity to comply on your own or need a third-party agent to assist. There are Qualified Security Assessors that can help you design and implement security controls that will meet PCI security requirements. 

Fourth, you will need to do a quarterly network scan with one of the Approved Scanning Vendors listed by the PCI-SSC. 

It is worth noting that PCI compliance is easier if you are working with a PSP instead of an MSP. In addition to removing the need for you to have your own merchant account, PSPs also take charge of implementing some of the compliance requirements, leaving you with much less to do.

Make compliance easier in Kuwait by using Kem

Another way to make compliance easier, as a small business, is to work with P2P online payment platforms like Kem that support C2B (customer to business) payments. 

With Kem, your customers will pay you by transferring money from their wallet to yours or by scanning your QR code both online and offline. 

Since Kem handles the processing of money from customers’ credit and debit cards to their wallets, the responsibility for PCI compliance lies with them and not you (since you don’t store customers’ credit or debit card data). All you need do is meet any terms and conditions Kem requires for you to operate an account with them. 

And Kem has embraced that responsibility by being PCI-DSS Level 1 (the most rigorous) compliant. This means that it can safely process credit and debit card payments through its platform. 

Similarly, inter-wallet transfers across its platform are safe because Kem uses cutting-edge encryption and fraud detection technology powered by AI to make sure your data and money is safe and secure. All in all, Kem provides a secure payment system that SMEs in Kuwait can use. 

If you are a small business who doesn’t have the capacity to set up your own payment infrastructure and meet the necessary compliance requirements, you can get started by working with Kem. 

[Are you a small business in Kuwait that wants to easily accept payments from your customers while remaining PCI compliant? Sign up for Kem for convenient P2P, instant, and contactless payment.]

Takeaways

  • Given the importance of cybersecurity, PCI compliance is essential for small businesses accepting credit or debit card payments from customers. 
  • There are 12 requirements that businesses must meet to be PCI compliant and the rigor of compliance depends on how many card transactions are done in a year. 
  • The PCI Security Standards Council provides self-assessment questionnaires that Level 2-4 businesses can use as checklists to conform to the 12 requirements. 
  • Small businesses can make PCI compliance easier by working with PSPs instead of MSPs or by choosing P2P platforms. 
Kem Editorial
April 25, 2024
Updated on April 25, 2024