Securing credit card information is critical to your business. Your customers rely on you to protect their data from theft or fraud, and each transaction processed must comply with industry standards to protect you and your customers.
What is PCI Compliance?
The payment card industry data security standards (PCI DSS) were established by the PCI Security Standards Council (SSC) to protect cardholder data. Every merchant who accepts card transactions must adhere to these standards to do business with credit card companies, banks, and payment processors.
Why is PCI Compliance important?
If a merchant's system is breached and sensitive information is stolen, they may be held liable and may be subject to:
- Fines from the card associations.
- Forensic investigation.
- Issuing banks recouping re-issuing costs (including possible fraud loss and fraud monitoring expenses).
- Litigation.
- Government fines.
Well-known businesses that have suffered breaches have additionally encountered long-lasting damage to their reputation, leading to reduced revenue and consumer trust.
PCI compliance helps to protect you against such attacks, and ensures that in the event of a security breach, you and your business are protected. If your business is PCI-compliant, it is far less likely that you will suffer a security breach and even less likely that such a breach would result in sensitive information being stolen.
Maintaining PCI compliance
All of the hardware and software that Lightspeed Payments provides you with is PCI compliant. However, there are certain steps you'll need to take to make sure you are handling sensitive information responsibly.
While data must be captured when a payment is taken, that information must be stored and encrypted in a way that is PCI-compliant. As a merchant, you cannot store sensitive cardholder data in any unencrypted format. This includes saving credit card numbers to customer account profiles or storing credit card information in a physical location, such as a notepad or sticky note.
Understanding what counts as sensitive information
Data Type | Definition |
Account Data | All the data that can be found on a credit card. This is broken down into Cardholder Data and Sensitive Authentication Data. |
Cardholder Data | Cardholder data (CHD) includes the 16-digit PAN, expiration date, and cardholder name. This data is extremely valuable to attackers for use in fraudulent transactions, both card-present and card-not-present. As a merchant, you can save the expiration date and cardholder name if you have a legitimate business need to do so. The card number should never be saved in an unencrypted format. |
Sensitive Authentication Data | Sensitive Authentication Data (SAD) includes the sensitive track data held by the magnetic stripe, CVV, PIN, and PIN Block. This data can never be stored after authorization, even if it has been encrypted. |
The following information on a credit card is considered sensitive information:
- Credit card number (PAN): This number may be stored as long as it has been encrypted. Usually only the last 4 digits are viewable when this number is stored.
- Expiration date: These numbers may be stored if there is a valid business reason to do so.
- Cardholder name: Customer names may be stored if there is a valid business reason to do so.
- CVV2: This number may never be stored.
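As an added example (not Lightspeed code), the Python below shows one way to check free-text fields such as customer profile notes for unencrypted card numbers and reduce them to the last 4 digits. The function names and sample notes are hypothetical, and the pattern accepts 13 to 19 digits rather than only 16, which goes beyond the 16-digit case described above.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[tuple[int, int, str]]:
    """Return (start, end, digits) for each Luhn-valid card-number candidate in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):  # drops order numbers and other long digit runs
            hits.append((m.start(), m.end(), digits))
    return hits


def mask_pans(text: str) -> str:
    """Replace each detected PAN with a masked form that keeps only the last 4 digits."""
    out, last = [], 0
    for start, end, digits in find_pans(text):
        out.append(text[last:start])
        out.append("*" * (len(digits) - 4) + digits[-4:])
        last = end
    out.append(text[last:])
    return "".join(out)


# Constructed sample notes (published test card numbers, not real accounts).
SAMPLE_NOTES = [
    "Customer prefers card 4111 1111 1111 1111 exp 12/30",
    "Order ref 1234567890123456 shipped",  # 16 digits, fails Luhn: left untouched
    "Call back re: 5555-5555-5555-4444",
]

if __name__ == "__main__":
    for note in SAMPLE_NOTES:
        print(mask_pans(note))
```

Masking only removes a stray number from a field where it should never have been saved; a PAN that must be retained still has to be stored encrypted, as described above.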
Guidelines for working with sensitive information
If you must work with sensitive card information, there are steps you can take to minimize the risk of a security breach.
- Never send unprotected card numbers (PANs) via messaging technologies such as e-mail, instant messaging, chat, SMS, etc.
- Implement access control measures such as physical locks or passwords to restrict access to those who absolutely require it.
- Assign a unique identification (ID) to each person with access to ensure actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.
- Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution, including periodic inspections of POS device surfaces to detect tampering, and training personnel to be aware of suspicious activity.
- Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.
- Screen potential personnel prior to hiring to minimize the risk of attacks from internal sources. Recommended screening includes checking their previous employment history, criminal record, credit history, and references.
How Lightspeed helps you maintain PCI compliance
Lightspeed takes PCI-compliance seriously and takes rigorous steps to maintain compliance with PCI DSS. Our technical approach to security is designed to protect both you and your customers.
- We provide only PCI-compliant hardware and software and maintain a PCI-compliant platform.
- Lightspeed is the merchant on record for every transaction. We deal with the banks on your behalf.
- We adhere to industry-leading PCI standards to manage our network, secure our web and client applications, and set policies across our organization.
- Lightspeed’s integrated payment system provides end-to-end encryption for every transaction at the point of sale and encrypts data the second it reaches our servers.
Additionally, when you first sign up with Lightspeed Payments, you are provided with the option to enroll with Viking Cloud, our partner in maintaining PCI compliance. This service is completely free of charge for all Lightspeed Payments users.
Maintaining PCI-compliance can involve undergoing regular assessments and the filing of documents over the course of a year, as well as being aware of and keeping up with changes in the industry. Lightspeed takes care of all of that for you, but if you're curious to know more about what that entails, we've provided a brief overview below:
PCI compliance levels
The first step in becoming PCI-compliant is identifying which level of standards you are required to meet. There are four levels, but the thresholds for falling under a particular level can vary from one card provider to another. The levels and thresholds for the four major card companies are as follows for merchants that:
Level | Visa | Mastercard | AMEX | Discover |
L1 | Process 6 million+ Visa transactions per year. Had data compromised by a security breach. Determined to be Level 1 by Visa. | Process 6 million+ Mastercard transactions per year. Had data compromised by a security breach. Determined to be Level 1 by Mastercard. Meets the level 1 criteria of Visa. | Process 2.5 million+ AMEX transactions per year. Determined to be Level 1 by AMEX. | Process 6 million+ Discover transactions per year. Considered Level 1 by another brand or acquirer. Determined to be Level 1 by Discover. |
L2 | Process 1 to 6 million Visa transactions per year. | Process 1 to 6 million Mastercard transactions per year. Meets the level 2 criteria of Visa. | Process 50,000 to 2.5 million AMEX transactions per year. | Process 1 to 6 million Discover transactions per year. |
L3 | Process 20,000 to 1 million Visa e-commerce transactions per year. | Process 20,000 to 1 million Mastercard e-commerce transactions per year. Meets the level 3 criteria of Visa. | Process less than 50,000 AMEX transactions per year. | All other merchants. |
L4 | Process less than 20,000 Visa e-commerce transactions per year. Process up to 1 million Visa transactions per year. | All other merchants. | N/A | N/A |
PCI compliance requirements
Once you've identified the level you fall under, you can determine your requirements for PCI compliance.
Merchants who fall under levels 2, 3, and 4 are required to complete an annual self-assessment questionnaire (SAQ). The SAQ consists of a series of yes or no questions covering the security requirements for your business. Since different kinds of businesses have different requirements, there are several variations of the SAQ.
Refer to the following table to determine which questionnaire is applicable to your business:
Questionnaire | How do you accept credit cards? | Note |
A | Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. | Not applicable to face-to-face channels. |
A-EP | E-commerce merchants who outsource all payment processing to PCI DSS validated third-parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. | Applicable only to e-commerce channels. |
B | Merchants using only: imprint machines with no electronic cardholder data storage; and/or standalone, dial-out terminals with no electronic cardholder data storage. | Not applicable to e-commerce channels. |
B-IP | Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. | Not applicable to e-commerce channels. |
C-VT | Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. | Not applicable to e-commerce channels. |
C | Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. | Not applicable to e-commerce channels. |
P2PE-HW | Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. | Not applicable to e-commerce channels. |
D | All merchants not included in descriptions for the above types. | |
Lightspeed Payments and hardware compliance
Lightspeed Payments adheres to Level 1 PCI-compliance requirements. This involves filing annual reports on compliance (ROCs) and attestations of compliance (AOCs) and undergoing quarterly network vulnerability scans conducted by an approved scanning vendor (ASV), among other potential requirements.
All of the hardware and software that Lightspeed Payments provides you with is PCI compliant and there are certain steps you'll need to take to make sure you are handling sensitive card information responsibly.
PCI DSS requirements
As a business that accepts credit cards, you will be required to complete a PCI DSS Self-Assessment Questionnaire (SAQ) to demonstrate that information security is a top priority. The Payment Card Industry Data Security Standards (PCI DSS) are essential for protecting consumers against identity theft and credit card fraud.
The PCI compliance framework is a set of standards implemented by the consortium of major credit card companies to ensure all merchants process, store, and transmit data securely. It also requires you to submit annual assessments or reports attesting to your security controls.
If you use a third-party payment processor, you will have to contact that processor to discuss your PCI-compliance.
You can learn more about PCI DSS from the PCI Security Standards Council, and review the specific requirements for each of the major credit card companies on their websites: