The payment card industry data security standards (PCI DSS) were established by the PCI Security Standards Council (SSC) to protect cardholder data. Every merchant who accepts card transactions must adhere to these standards in order to do business with the credit card companies, banks and payment processors.
In the event that a merchant's system is breached or hacked and sensitive information is stolen, they may be held liable and may be subject to:
- Fines from the card associations.
- Forensic investigation.
- Issuing banks recouping re-issuing costs (including possible fraud loss and fraud monitoring expenses).
- Litigation.
- Government fines.
Some well-known businesses have suffered highly publicized breaches which have also resulted in damage to their reputations and brands. If you are PCI-compliant, it is far less likely that you will suffer a breach and far less likely that such a breach would result in sensitive information being stolen, as you won't have any to steal.
All of the hardware and software that Lightspeed Payments provides you with is PCI compliant, however there are certain steps you'll need to take to make sure you are handling sensitive card information responsibly.
Handling sensitive card information
While card information must be captured to authorize a transaction, sensitive card information must not be stored after authorization has taken place. Certain information may be stored if there is a valid business reason to do so, such as the cardholder's name or the card's expiration date. However, card information that is considered sensitive can never be stored. The one exception to this rule is the primary account number (PAN) on the front of the card, which may only be stored if it is rendered unreadable. This is why you are only able to view the last 4 digits of a credit card number in Lightspeed - the rest has been rendered unreadable.
The following information on a credit card is considered sensitive information:
- Credit card number (PAN). This number may be stored as long as it is unreadable. Usually only the last 4 digits are viewable when this number is stored.
- Expiry date. May be stored if there is a valid business reason to do so.
- Cardholder name. May be stored if there is a valid business reason to do so.
- CVV2. This number may never be stored.
Guidelines for working with sensitive information
If you must work with sensitive card information, there are steps you can take to minimize risk:
- Never send unprotected card numbers (PANs) via messaging technologies such as e-mail, instant messaging, chat, SMS etc.
- Implement access control measures such as physical locks or passwords to restrict access to those who absolutely require it.
- Assign a unique identification (ID) to each person with access to ensure actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.
- Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution, including periodic inspections of POS device surfaces to detect tampering, and training personnel to be aware of suspicious activity.
- Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.
- Screen potential personnel prior to hiring to minimize the risk of attacks from internal sources. Recommended screening includes checking their previous employment history, criminal record, credit history, and references.
How Lightspeed helps you maintain PCI compliance
Lightspeed takes PCI-compliance seriously and takes rigorous steps to maintain compliance with PCI DSS. Our technical approach to security is designed to protect both you and your customers.
- We provide only PCI-compliant hardware and software and maintain a PCI-compliant platform.
- Lightspeed is the merchant on record for every transaction. We deal with the banks on your behalf.
- We adhere to industry-leading PCI standards to manage our network, secure our web and client applications, and set policies across our organization.
- Lightspeed’s integrated payment system provides end-to-end encryption for every transaction at the point of sale and tokenizes data the second it reaches our servers.
The world of PCI DSS is always evolving, and changes in the requirements can happen from time to time. Lightspeed Payments will stay on top of any changes, keeping an eye on the industry so you don't have to.
Maintaining PCI-compliance can involve undergoing regular assessments and the filing of documents over the course of a year, as well as being aware of and keeping up with changes in the industry. Lightspeed takes care of all of that for you, but if you're curious to know more about what that entails, we've provided a brief overview below:
PCI compliance levels
The first step in becoming PCI-compliant is identifying which level of standards you are required to meet. There are four levels, but the thresholds for falling under a particular level can vary from one card provider to another.
The levels and thresholds for the four major card companies are as follows:
Visa
Level 1
- Process 6 million+ Visa transactions per year.
- Had data compromised by a security breach.
- Determined to be Level 1 by Visa.
Level 2
- Process 1 to 6 million Visa transactions per year.
Level 3
- Process 20,000 to 1 million Visa e-commerce transactions per year.
Level 4
- Process less than 20,000 Visa e-commerce transactions per year.
- Process up to 1 million Visa transactions per year.
Mastercard
Level 1
- Process 6 million+ Mastercard transactions per year.
- Had data compromised by a security breach.
- Determined to be Level 1 by Mastercard.
- Meets the level 1 criteria of Visa.
Level 2
- Process 1 to 6 million Mastercard transactions per year.
- Meets the level 2 criteria of Visa.
Level 3
- Process 20,000 to 1 million Mastercard e-commerce transactions per year.
- Meets the level 3 criteria of Visa.
Level 4
- All other merchants.
AMEX
Level 1
- Process 2.5 million+ AMEX transactions per year.
- Determined to be Level 1 by AMEX.
Level 2
- Process 50,000 to 2.5 million AMEX transactions per year.
Level 3
- Process less than 50,000 AMEX transactions per year.
Level 4
N/A
Discover
Level 1
- Process 6 million+ Discover transactions per year.
- Considered Level 1 by another brand or acquirer.
- Determined to be Level 1 by Discover.
Level 2
- Process 1 to 6 million Discover transactions per year.
Level 3
- All other merchants.
Level 4
N/A
PCI compliance requirements
Once you've identified the level you fall under, you can determine your requirements for PCI compliance.
Merchants who fall under levels 2, 3, and 4 are required to complete an annual self-assessment questionnaire (SAQ). The SAQ consists of a series of yes or no questions covering the security requirements for your business. Since different kinds of businesses have different requirements, there are several variations of the SAQ.
Refer below to determine which questionnaire is applicable to your business depending on how you accept credit cards:
Questionnaire A
Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
Not applicable to face-to-face channels.
Questionnaire A-EP
E-commerce merchants who outsource all payment processing to PCI DSS validated third-parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
Applicable only to e-commerce channels.
Questionnaire B
Merchants using only:
- Imprint machines with no electronic cardholder data storage; and/or
- Standalone, dial-out terminals with no electronic cardholder data storage.
Not applicable to e-commerce channels.
Questionnaire B-IP
Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage.
Not applicable to e-commerce channels.
Questionnaire C-VT
Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage.
Not applicable to e-commerce channels.
Questionnaire C
Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.
Not applicable to e-commerce channels.
Questionnaire P2PE-HW
Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage.
Not applicable to e-commerce channels.
Questionnaire D
All merchants not included in descriptions for the previous types.
Lightspeed Payments and hardware compliance
Lightspeed Payments adheres to Level 1 PCI-compliance requirements. This involves filing annual reports on compliance (ROCs) and attestations of compliance (AOCs) and conducting quarterly network vulnerability scans conducted by an approved scanning vendor (ASV), among other potential requirements.
All of the hardware and software that Lightspeed Payments provides you with is PCI compliant and there are certain steps you'll need to take to make sure you are handling sensitive card information responsibly.
PCI DSS requirements
As a business that accepts credit cards, you will be required to complete a PCI DSS Self-Assessment Questionnaire (SAQ) to demonstrate that information security is a top priority. The Payment Card Industry Data Security Standards (PCI DSS) are essential for protecting consumers against identity theft and credit card fraud.
The PCI compliance framework is a set of standards implemented by the consortium of major credit card companies to ensure all merchants process, store, and transmit data securely. It also requires you to submit annual assessments or reports attesting to your security controls.
If you use a third-party payment processor, you will have to contact that processor to discuss your PCI-compliance.
You can learn more about PCI DSS from the PCI Security Standards Council, and review the specific requirements for each of the major credit card companies on their websites: