PCI DSS (the Payment Card Industry Data Security Standard, often shortened to PCI) is a set of security requirements for organisations that handle payment card transactions. It is not a law but an industry standard, maintained by the PCI Security Standards Council and backed by the major card brands to protect cardholders. Every merchant and service provider that accepts or processes card payments must comply with it. Non-compliance can result in fines and restrictions imposed through the card brands and acquiring banks, up to and including losing the ability to accept cards at all. The standard is organised into twelve requirements that companies must meet.
Merchants must regularly prove that they comply with PCI DSS. Depending on their merchant level, which the card brands assign by annual transaction volume, they must either complete a self-assessment questionnaire or undergo an on-site assessment, and they must demonstrate compliance every year.
The card brands require PCI DSS to be observed by every business that stores, processes or transmits cardholder data. The obligation applies regardless of how briefly the data is handled. Cardholder data includes the primary account number (PAN) and, alongside it, the cardholder name, the expiration date and the service code.
Since July 1, 2015, compliance with PCI DSS Requirement 9.9 has been mandatory in order to maintain PCI DSS compliance status (under PCI DSS 3.0 it was a recommended best practice only until that date). A merchant whose POS devices are not protected risks losing the ability to offer card payments at all.
Requirement 9.9 deals with the physical security of cardholder data and the prevention of physical attacks. Crimes involving cardholder data are not committed solely by hackers: the physical theft of hardware that holds such data and the manipulation of that hardware also play a role. The requirement reads: "Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution." All merchants using POS devices and POS terminals to accept card payments must comply with the current version of PCI DSS (at the time of writing PCI DSS 3.2, published in April 2016).
From the day a card reader is first put into service, its physical security must be checked on an ongoing basis. With a single device this is a straightforward task; with many devices, a systematic monitoring process is needed to do it efficiently. Requirement 9.9.1 calls for an up-to-date list of devices that records the exact location of each terminal together with its make and model, its serial number or another unique identifier, and any other device-specific details. If anything changes, for example the location, the list must be updated immediately.
Regular inspections (Requirement 9.9.2) detect tampering and substitution, for example by comparing the serial number on the device with the inventory, checking tamper-evident seals and examining the device surface for attached skimmers. The specific checks for each device type must be precisely defined and documented. PCI DSS 9.9 does not, however, prescribe how often the checks must be performed: that is left to the merchant and depends on the risk profile of the respective devices, which is made up of the type of device, its location and whether it is attended or monitored. An unattended terminal in a public place warrants far more frequent inspection than one behind a staffed counter. The merchant is solely responsible for setting the inspection frequency.
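The following is an added example, not code from the original article or from any PCI body: a small Python reconciliation check that turns the 9.9.1 inventory and the 9.9.2 inspection records above into concrete findings. The device records, the inspection log and the per-tier inspection intervals are all constructed for illustration (PCI DSS sets no such intervals; a merchant would define its own), and the `reconcile` function and its field names are this example's own.

```python
"""Added example (not from the original article): reconciling a PCI DSS
9.9.1 device inventory against 9.9.2 inspection records.

Assumptions (not from the page): the inventory and inspection log are the
constructed records below, and the risk tiers / intervals are illustrative
values a merchant would set in its own inspection policy.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Illustrative maximum number of days between physical inspections per
# risk tier. PCI DSS 9.9 does not prescribe these; the merchant sets them.
INSPECTION_INTERVAL_DAYS = {
    "high": 1,     # unattended and public-facing (fuel pump, kiosk)
    "medium": 7,   # attended checkout lane
    "low": 30,     # staff-only back office
}


@dataclass(frozen=True)
class Device:
    """One row of the 9.9.1 device list."""
    device_id: str
    make_model: str
    serial: str
    location: str
    risk: str  # key into INSPECTION_INTERVAL_DAYS


@dataclass(frozen=True)
class Inspection:
    """One 9.9.2 inspection record as written down by the inspecting employee."""
    device_id: str
    when: date
    serial_seen: str      # serial read off the physical device
    location_seen: str    # where the device was actually found
    seals_intact: bool    # tamper-evident seals undisturbed


def reconcile(inventory, inspections, today):
    """Return (device_id, finding) tuples for every 9.9 exception:
    never/overdue inspection, serial mismatch (possible substitution),
    undocumented relocation, broken seals, or hardware not on the list."""
    latest = {}
    for ins in inspections:  # keep only the most recent record per device
        prev = latest.get(ins.device_id)
        if prev is None or ins.when > prev.when:
            latest[ins.device_id] = ins

    findings = []
    for dev in inventory:
        max_age = timedelta(days=INSPECTION_INTERVAL_DAYS[dev.risk])
        ins = latest.get(dev.device_id)
        if ins is None:
            findings.append((dev.device_id, "never inspected"))
            continue
        age = today - ins.when
        if age > max_age:
            findings.append((dev.device_id,
                             f"inspection overdue ({age.days}d > {max_age.days}d)"))
        if ins.serial_seen != dev.serial:
            findings.append((dev.device_id,
                             f"serial mismatch: inventory {dev.serial}, seen "
                             f"{ins.serial_seen} (possible substitution)"))
        if ins.location_seen != dev.location:
            findings.append((dev.device_id,
                             f"location mismatch: inventory {dev.location}, seen "
                             f"{ins.location_seen} (update the 9.9.1 list)"))
        if not ins.seals_intact:
            findings.append((dev.device_id, "tamper seal broken"))

    known = {d.device_id for d in inventory}
    for dev_id in latest:  # inspected hardware nobody put on the list
        if dev_id not in known:
            findings.append((dev_id, "inspected device not in inventory"))
    return findings


# Constructed sample data (fictional devices, serials and dates).
TODAY = date(2016, 6, 15)
INVENTORY = [
    Device("POS-001", "Vendor A PIN pad", "SN-A1001", "Lane 1", "medium"),
    Device("POS-002", "Vendor A PIN pad", "SN-A1002", "Lane 2", "medium"),
    Device("PUMP-07", "Vendor B outdoor reader", "SN-B7007", "Pump 7", "high"),
    Device("BO-01", "Vendor C desktop terminal", "SN-C0101", "Back office", "low"),
]
INSPECTIONS = [
    Inspection("POS-001", TODAY - timedelta(days=2), "SN-A1001", "Lane 1", True),
    Inspection("POS-002", TODAY - timedelta(days=3), "SN-A9999", "Lane 2", True),   # swapped
    Inspection("PUMP-07", TODAY - timedelta(days=4), "SN-B7007", "Pump 7", False),  # late, seal cut
    Inspection("KIOSK-X", TODAY, "SN-ZZZZ", "Entrance", True),                       # unknown
]

if __name__ == "__main__":
    for dev_id, finding in reconcile(INVENTORY, INSPECTIONS, TODAY):
        print(f"{dev_id}: {finding}")
```

Run against the constructed data, the check flags POS-002 as a possible substitution, PUMP-07 as both overdue and unsealed, BO-01 as never inspected and KIOSK-X as hardware missing from the list, while POS-001 passes. The same function can be driven from a spreadsheet export or a ticketing system; the point is that the inventory, not the inspector's memory, is the reference the inspection is compared against.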
All employees who handle card readers should be trained (Requirement 9.9.3) to recognise substitution or manipulation. In principle, the company should be prepared for every eventuality: criminals may supply counterfeit devices purpose-built for data theft to merchants, or may pose as authorised maintenance personnel to gain access to the terminals and the sensitive data they capture. Staff should therefore verify the identity of anyone claiming to be a technician before granting access, and should never install, replace or hand over a device without authorisation. It is important to build strong security awareness through regular staff training, and each training session should be recorded and logged by the company.