Top 5 Questions Asked by Business Leaders
Question 1: Why does my organization need to be PCI compliant?
Your organization needs to be PCI compliant to ensure that your customer’s data security is not at risk. You absolutely need to protect your brand from getting tarnished by an intrusion that exposes your customers’ data.
The fact is, a cardholder data breach would cost you and your business a ton of money! The famous 2013 Target data breach cost that business nearly 300 million USD.
Additionally, your company can face fines from card brands Visa and Mastercard if you don’t comply with PCI and DSS requirements. The government can also sue you for damages.
In short, you should be PCI compliant because it protects both your organization and your customers.
Question 2: Is Salesforce PCI compliant?
Yes. As of January 2021, Salesforce is PCI certified. Salesforce keeps an updated list of which of their clouds have what certifications on their Trust site. You can always check back there for the latest on PCI compliance.
As of this article’s publication, all of these Clouds are listed on Salesforce’s PCI certified list.
- B2B Commerce
- Einstein Analytics
- Government Cloud
- Salesforce Platform Cloud
- Experience Cloud (portal or communities)
- Sales Cloud
- Service Cloud
Question 3: How does my organization become PCI certified?
Your company needs to complete the PCI assessment and then submit your assessment to the PCI security standards council. There are 12 PCI certification standards that your organization must follow, namely ensuring a secure network, building security controls, and implementing measures to manage data vulnerability.
The board will review your assessment and determine if your company’s data security process meets its standards. The certification process is quite detailed.
Question 4: What are the levels of PCI certification?
You may have heard someone say their business is “PCI-DSS level 1 compliant.” Which likely made you ask, what are the different PCI levels and what do they mean?
There are 4 levels, and each is based on the number of card transactions your organization processes each year.
Many US businesses fall into PCI Level 4, any organization that takes between 1 and 20,000 card transactions per year. Another way to think about it is less than 1,667 transactions per month.
PCI Level 3 is for those organizations that process between 20,000 and 1 million transactions per year. Level 2 is 1 to 6 million transactions per year. Level 1 is over 6 million transactions per year.
Question 5: Which attestation form — or SAQ — should Salesforce customers use?
That is a more nuanced question—your PCI level ties to the type of attestations you can use to have your compliance certified.
If you are processing payments solely from Salesforce and you are a Level 4, then it is likely that an SAQ-C is a safe bet. If you want to achieve PCI compliance, the best thing to do is seek the advice of a qualified-security-assessor or QSA who can give you their professional opinion.
Bonus: The PCI Compliance Golden Rule
Please keep in mind that no organization can absolve or take away another organization’s PCI scope entirely. Many companies like Salesforce and Chargent can help you reduce your PCI scope. However, if you take credit cards, you will always have some level of PCI compliance burden.
The best rule of thumb is: “Hear no card, See no card, Touch no card.” That doesn’t mean you can’t take credit cards. This rule means that offering methods for the customer to enter their information themselves works in everyone’s favor, protecting cardholder data. Use this golden rule as your overarching strategy to minimize your company’s PCI burden.
For more information from the PCI Security Standards Council, read their guidelines for PCI best practices.
Chargent Tools for Secure Payments
Using Chargent to process Salesforce payments gives your teams the tools to maintain compliance while giving a better experience for your customers. Customers can self-serve through payment request links sent by your team, keeping card information private. Cardholder data is not stored on your servers, but is processed securely by your payment gateway and payment processor. Many of these tasks can be automated through Chargent, letting your team be more efficient.
Top Security Standards
Today, your company’s security standards are more important than ever. Securing your customer’s credit card data protects them and your company from potential disaster. Chargent for Salesforce helps reduce your PCI scope with 30+ direct payment gateways. Take online payments, send Payment Requests, or manage recurring billing knowing that your customer’s data is more secure. Keep all point of sale payment transactions in Salesforce by using the Chargent Terminal. Install our 30-day free trial to experience how Chargent can make your payments safer, faster and more compliant.