Business Over Borders

Have you ever heard the term “PCI Compliance” and wondered what it’s all about? Should your business be PCI compliant? How serious are the penalties for non-compliance? Mike McGirr, Reach’s VP, Compliance & Privacy Officer, has the answers to all these questions and more. Join host Leo Tucker and learn exactly why anyone who touches customer payment information should be up to date on all things PCI. This includes your business, and any other third-party payment processors you work with.

What is Business Over Borders?

Our flagship series will propel you to the forefront of the global ecommerce revolution. From analyses of breaking current events to the intricacies of navigating cross-border sales and regulations, Business over Borders entertains and informs any audience who wants to learn more about how international ecommerce works.

Leo Tucker:

Welcome to Business Over Borders. I'm your host, Leo Tucker. And I'm joined today by Mike McGirr, our VP of Compliance. Welcome, Mike. We're here to talk about something a little exciting, something a little terrifying: PCI compliance.

Leo Tucker:

Now I learned today that PCI compliance, what it means, is payment card industry compliance. I'd always heard of it as PCI. What is that in broad terms?

Mike McGirr:

Basically, to really secure cardholder data and to protect credit cards from being breached and sold on the dark web and being used fraudulently.

Leo Tucker:

Okay. So, I mean, I remember back a number of years ago, there were these breaches all the time where so-and-so would have, you know, all the credit cards bought and sold on the Internet and everything, and it was always breach this, breach that. So when that happened, I'm assuming there was some sort of PCI compliance, noncompliance rather. Is that kind of what's going on?

Mike McGirr:

Yeah. It was really the breaches. You think of it in the early 2000s when a lot of these breaches were taking place. And back then, you know, we still had the cards with the track data, where you had to swipe the card versus having the chip and PIN these days. So people would be able to obtain that track data and just make brand new cards.

Mike McGirr:

We evolved as an industry, so now we have chip and PIN. But it wasn't until 2004 that they introduced PCI at the beginning.

Leo Tucker:

Oh, wow. That's pretty recent. 20 years.

Mike McGirr:

20 years

Leo Tucker:

I suppose so. I remember the old, you know, you'd take your credit card into the place and they'd put it in and go like, actually, the knuckle buster. The knuckle buster. A big stack of carbon copies there. I remember doing that at the airport when I used to work there.

Leo Tucker:

Yep. Definitely. So that was back before the

Mike McGirr:

PCI days. Yeah. Yeah. Exactly. Yeah.

Mike McGirr:

And, you know, early PCI is trying to look at how cards can be breached, right? How can we self-regulate ourselves to reduce that scope? So overall, in PCI, there are basically 12 different requirements. All those requirements have multiple different items you need to do to secure that information. You have level 1 merchants, merchants that process over 6,000,000 transactions in a year, versus, like, level 2 or 3 or 4 merchants where, you know, a brand new merchant doing less than 20,000 transactions a year is still a level 4 merchant, and they still have to be PCI compliant.

Mike McGirr:

You know, they have to make sure they have the firewalls in place. They have to make sure they have the proper authentication, the cards encrypted throughout the whole life cycle of the transaction. Right. There are all these different factors that they need to do. But the main difference between a level 1 merchant and a level 4 merchant is, like, for a level 1, you have to have an on-site audit.

Mike McGirr:

You have to have somebody do a ROC, a report on compliance, and they look and make sure that everything you say you're doing, you're actually doing. They test it and validate it and give you your AOC, your attestation of compliance.

Leo Tucker:

And that's different from, like, a level 4?

Mike McGirr:

Yeah. In level 4, you go through the process, and you're doing a self-assessment. So, you know, sometimes they have almost like a TurboTax for PCI. Right? For some of these merchants, these vendors will say, okay.

Mike McGirr:

Answer these questions. Are you securing information? Do you have firewalls? Right. Do you have the training in place?

Mike McGirr:

Do you have, you know, all the different factors that meet PCI compliance? So it won't

Leo Tucker:

write your credit card numbers down on sticky

Mike McGirr:

Here, yeah, you don't have all the card information, okay, throughout the office. You have clean whiteboards everywhere, everything else. Yeah.

Leo Tucker:

Okay. So that's all based on kind of volume of transactions, I'm assuming, or just yearly revenue or something?

Mike McGirr:

Yep. Just the amount of transactions you're processing, strictly on the card count.

Leo Tucker:

Oh, that's interesting. Yep. So, I mean, how onerous is it, I suppose, for, let's say, a new business? I'm, you know, selling tap shoes. That's my thing.

Leo Tucker:

I sell tap shoes for this example, and I wanna open up my storefront to sell tap shoes. You know, I'm only selling, you know, 100 a year, so I'm probably not up in the $6,000,000 mark, so I'd probably be around level 4.

Mike McGirr:

Yeah. I

Leo Tucker:

mean, what are you know, what does BusinessMySide need to understand about PCI compliance?

Mike McGirr:

It's really, you wanna partner with companies that can offload that compliance, or the need to be PCI compliant. If you're using an acquirer, or in a checkout, if you're online, make sure that your vendors are PCI compliant. Mhmm. Right? So you can segregate the data and the information.

Mike McGirr:

So your checkout page, everything, your acquirer that you're using, all the vendors that touch cardholder data are PCI compliant, which will help reduce the scope of what you need to do as a business owner, as a small business guy selling tap shoes.

Leo Tucker:

Right. Right.

Mike McGirr:

Right.

Leo Tucker:

So if I've got, you know, the people who touch that information down the line, I need to make sure that anyone I'm dealing with is also equally or more PCI compliant than my business.

Mike McGirr:

Yeah. I mean, if you look at all the large acquirers in the space, right, they have to be PCI compliant. They're touching cardholder data. They're transmitting the data from the issuing banks, from Visa, Mastercard, back to the merchants. So, they're involved with the entire lifecycle, right?

Mike McGirr:

So, all those partners would be PCI compliant, but then it's, you know, who's touching the checkout page? A lot of the breaches that take place these days, people will put malware on the checkout page. And so as somebody types in their credit card information, it's just retrieved right there. It's pulled. It's saved.

Mike McGirr:

And then minutes later, they can use the information. Oh, wow. So if you're not checking your checkout page or scanning, so that's part of the requirements you have to do. It used to be quarterly scans. Mhmm.

Mike McGirr:

Starting March of 2025, you have to start doing weekly scans. Weekly. On your checkout page. So that's the biggest threat, right? So, you know, it used to be the track data.

Mike McGirr:

They wanted to take it and reproduce the cards. Now they're just saying, hey, we can just go on this website. We can put the malware on there. Basically, a script pulls off the information. There's nothing for them to do.

Mike McGirr:

So now you're doing the weekly scans and making sure there hasn't been a new script added to that checkout page. Oh, interesting. So that's a big burden that's gonna be across the industry. And people are trying to figure out, if I'm doing it quarterly now and I have to react to these scans, if I'm doing it weekly, what does that mean for the business?

Mike McGirr:

So it's something that's definitely needed. It makes sense, but the logistics of how we move forward and do this, it'll be interesting how that plays out.

Leo Tucker:

Yeah. Without crippling the businesses while you're trying to protect them at the same time. Exactly. So, I mean, we were talking about breaches earlier. Tell us a little bit about your history and kind of what you've seen.

Leo Tucker:

You've got a, you know, quite the background in compliance. So

Mike McGirr:

I know, I have too many gray hairs. Right? Yeah. No.

Mike McGirr:

Yeah. So I started back in '99, so I've been 25 years in the space. So when I first started there, like we were saying earlier, there wasn't really PCI enforcement. Right? It was just, people assumed that they were doing what they were supposed to do to protect the cardholder information.

Mike McGirr:

Then these large breaches took place. You know, large retailers were getting fined, you know, millions of dollars.

Leo Tucker:

Now where are these fines being levied from? Who's issuing these fines?

Mike McGirr:

Yeah. So typically, it's the card network. So Visa, Mastercard.

Leo Tucker:

Okay.

Mike McGirr:

They will fine the acquirer that's processing for the merchant, and the acquirer passes the fine down to the merchant directly. And really, the fines depend on what's compromised. If it's just cardholder information, like the card number, and there's no expiration date, there's no CVC, then the fine might be less. But back in the day, when it was track data, the full track 1, track 2, all the information was compromised, those fines were literally millions of dollars.

Leo Tucker:

Any that stick out in your mind as particularly large? Yeah. I mean,

Mike McGirr:

I think it was 2017. British Airways, they were fined $229,000,000. What? I'm not 100% positive how much of it was related to the credit cards. But there were some clients, I don't think the Republic, but that I was specifically working with that were definitely fined over, you know, close to $2,000,000 to $3,000,000.

Mike McGirr:

But think about, once the breach takes place, then there's all the work that you need to do on the back end. So you have to have a forensic investigation. So you have to hire a company to go on-site and say, okay, when did this intrusion take place? How did it take place?

Leo Tucker:

Is it still taking place?

Mike McGirr:

Is it still taking place? Is that threat gone? Has it been removed? Are they still on the system somehow? Right?

Mike McGirr:

So, you not only have the fines from the breach itself, then you're paying, you know, tens of thousands of dollars to have the forensic investigation, which is obviously an impact on the business's day-to-day operation. Right? Anytime you're taking away from the sales and growing the business and dealing with stuff like this, it's gonna be a huge impact on the IT staff, the CTO, and the developers and everybody else. Absolutely. So it's quite extensive, the forensic investigation.

Mike McGirr:

And then they publish, usually, a 20- to 30-page report of, like, here's how the intrusion took place. Here are our findings. This is when it was fixed and addressed. And here's the fallout. And based on this time frame, here's the number of cards that were impacted.

Mike McGirr:

Right? So we know it took place February 1st, 2021 through, you know, April 1st, 2023.

Leo Tucker:

Yeah.

Mike McGirr:

This is how many cards were processed. So here are the cards that are at risk. And that's how the fines are being levied, saying that, uh-huh, here, we feel that these cards are at risk. Here's the data that was compromised.

Mike McGirr:

Therefore, congratulations. Here's your prize.

Leo Tucker:

Oh, boy. Now, I mean, the figures you dropped, the, you know, multi-million, hundreds of millions of dollars fines, obviously, those are for larger, yeah, corporations. But, I mean, this is something that small and medium businesses need to be aware of.

Mike McGirr:

Yeah. Definitely. Right? Even in a small shop. Right?

Mike McGirr:

Say you're only doing, like, $200,000 a year in a marginal payment of that size. Right? So I think now they sort of cap the fines at, like, $500,000 per incident. And if you have, like, 2 incidents, you know, those fines would go up more. Right.

Mike McGirr:

But they've capped them out at $500,000. But even for a small merchant, $50,000 if you're doing $1,000,000 in sales, obviously, that's a big dent. Plus, the forensic investigation and all the other stuff you need to get done.

Leo Tucker:

Yeah. That's a serious deal. So, you know, as the proud proprietor of a tap shoe business, it's, I don't know, it's probably not something I would have thought of right out of the gate. Right.

Leo Tucker:

You know, I go down to the local bank and get a little terminal to take payments and, you know, call up one of the acquirers to set up the online store, and I'm off to the races. Yep. How do I learn, as a small or medium business owner, or looking to scale, or looking to move into, you know, the online space or something? Yep. How do those customers, how do those merchants, those stores, get more information on PCI compliance?

Leo Tucker:

Yeah. How do they get it right? You mentioned partnering with, you know, companies that provide that service. Yeah. But what else is there to kind of get educated about it?

Mike McGirr:

Yeah. I mean, there's the PCI Council that was created shortly after 2004, in the early 2000s, and that's evolved. And they have sort of best practices, definitely tons of information on their website that you can, you know, absorb and get a handle on. And then, like, looking to see who the top QSAs are, quality service assessors, that would go out and do that on-site audit if you needed that, if you sort of graduated up from a level 4 merchant to a level 3 or 2 merchant, or level 1 with the on-site. But, yeah, definitely the PCI Council, that website.

Mike McGirr:

And, you know, if you just Googled the top QSAs, you'd have information on there. And then really, as you're looking at your provider, if you were to pick Stripe, Adyen, Jackout, all these large players that are out there, Chase Paymentech, or whatever you use, they'll help educate you, too. They should have, if they don't have a compliance program in place with PCI, then you probably shouldn't use them.

Leo Tucker:

Right. Right. Right. Right. No, the big-time guys are already doing that, so be wary.

Leo Tucker:

Yep. So working at a payments company, I hear a lot of rumblings about some changes coming to the PCI world. I don't know any of the specifics. Can you sort of fill me in on what's happening or what has happened lately? What's new with PCI right now?

Mike McGirr:

So it's always evolving. Right? It's always changing. They're looking at how these breaches take place and what can we do to be more proactive. Right?

Mike McGirr:

So they were at PCI 3.2. Mhmm. Now going forward, next year it's PCI 4.0. Some of the biggest changes in my mind are, like, the encryption of the cardholder data: cardholder data needs to be encrypted the whole entire life cycle.

Leo Tucker:

Okay.

Mike McGirr:

I think I mentioned before too, the weekly scans: quarterly scans to weekly scans.

Leo Tucker:

So that's coming to life.

Mike McGirr:

That's March of this, March 2025. That's the requirement. I think it's requirement 6.4.3. The only reason I remember is it's a double play. 6-4-3.

Mike McGirr:

Double play. Alright? If you have a system that you're using, a company portal, whatever

Leo Tucker:

Like a CRM

Mike McGirr:

or something. A CRM that's not touching cardholder data, that system is not part of the PCI scope. So that's why another thing companies can do, as they're building their infrastructure from an IT point of view, is make sure they reduce that scope for PCI. Right? So it doesn't need to be involved with that transaction lifecycle.

Mike McGirr:

It doesn't need to go from their checkout page into their data set, and they can leave that out. Leave that out. Right? Do whatever you can to minimize the vulnerabilities that your company might have.

Leo Tucker:

So it's only touching, ideally, a small sub 6 adjusted payment information lives there. We don't have, you know, contracts or, you know, unrelated customer information there.

Mike McGirr:

Okay. And you never store information. You never have cardholder, like, PAN data on your systems whatsoever. You don't store the CVC. You never want to store that.

Mike McGirr:

So there are definitely best practices that you want to follow to reduce that overall scope and vulnerabilities and the financial and reputational risk that you might have as a company.

Leo Tucker:

That's good information. That's all coming March of next year.

Mike McGirr:

Yeah. March 2025. Rolling out. It's coming in hot. And then they'll evolve after that, I'm sure.

Leo Tucker:

Oh, yeah. Thanks for joining us on Business Over Borders. I'm Leo Tucker. And if you like this content, feel free to like and subscribe. And if you wanna hear more coming from us, hit that little bell down there.

Leo Tucker:

Thanks, everybody.

Voice Over:

Brought to you by the Reach network. Visit withreach.com/network for more.