What is PCI compliance? A Payment Card Industry Data Security Standard (PCI DSS) guide

It would take almost ten years for the world to recognise that, as the internet was evolving in the late 1990s, so was online payment fraud. 

Consequentially, credit card industry leaders developed a set of payment security standards. In December 2004, American Express, Discover Financial Services, JCB International, Mastercard, and Visa teamed up to introduce PCI DSS 1.0 .   

Fast forward to today, and card fraudsters and network hackers have to contend with advanced PCI DSS version 4.0

Don't allow your business to become complacent, though. Even industry-leading POS systems are still at risk of a card data security breach, so it's best to use precaution and become PCI compliant. In late 2020, Forbes reported on two payment terminal manufacturing giants who unintentionally made hacking customer credit card data easier.

These days an independent body—created by the founding members of PCI DSS, (namely, the PCI Security Standards Council (PCI SSC))—manage and administer PCI DSS. In this quick read, we'll explore the definition of PCI, business benefits, implications when not adhered to, and how staying compliant can build customer confidence.



What is PCI DSS compliance? 

Payment Card Industry Data Security Standard, or PCI DSS, is a data security standard which protects transactions made with cash, or branded debit and credit cards from the major providers. 

How does PCI DSS protect my customers?

It protects purchasers against misuse of their payment and personal information. Complying with PCI DSS is also likely to build trust in the relationships between you and your customers, as they're aware that your business is conforming to a globally recognised information security standard. By doing so, their data is less likely to be breached.

Data breaches risk heavy penalties under the Regulation: up to €20 million or 4% of annual global turnover – whichever is greater.

IT Governance

How does PCI DSS protect my business? 

PCI DSS can help your organisation in so many ways. It ensures that you are accepting, storing, and processing payment data in the most secure way possible. It can also help you, or the payment organisations you work with, to prepare for and defend against network attacks by hackers looking to harvest card data. 

Aside from protection, it may also boost your brand's reputation. Putting customer safety first is an attractive feature in any business, after all. 

Why does PCI DSS and security matter?

Image of padlock against circuit board/cybersecurity background representing PCI compliance

(Image credit: Future)

Throughout the years PCI DSS continues to develop its guidelines to better protect merchants and consumers from credit card data theft. 

PCI DSS compliance should be a top priority for you as merchant, as securing the customer payment process can lead to an uptake in successful customer sales.

Is PCI compliance required by law? 

Gavel

(Image credit: Tingey Injury Law Firm via Unsplash)

No, PCI DSS compliance is a regulatory standard, not a law. 

However, the legal ramifications and financial penalties for not complying with the standard, especially in the event of a data breach, can be weighty. 

IT Governance report that, under EU GDPR law companies who are non-compliant face "up to €20 million or 4% of [your business'] annual global turnover – whichever is greater" if theft or a network breach takes place.  

What happens if my business is not PCI compliant? Does my business need to be PCI compliant?

If a business is not PCI DSS compliant, they are liable for any fraud that takes place in their organization. Merchants could end up paying thousands in fines if there is a breach in security, and risking consumer loyalty. 

Additional liabilities may include: 

  • Fines upwards of $100,000.00 per month until the merchant is compliant 
  • All fraud losses from the compromised accounts
  • Credit monitoring fees, law suits, and more from state and federal governments
  • Costs to reissue stolen cards
  • Costs for future prevention measures 
  • And more…

PCI DSS provides detailed guidelines for merchants to make the compliance process manageable and successful. Initially, merchants have to complete an annual PCI self-assessment questionnaire

Your level of responsibility will be dependent upon the gross number of Visa, Mastercard or Discover transactions processed within your merchant account. 

Questions for the assessment can include: What do you do with receipts? Do you store card data in any way – and if so, is it written on paper or stored electronically? And others to establish the appropriate level for the merchant. Typically, a payment processing advisor is assigned to the merchant to assist with any questions or concerns. 

What are PCI requirements?

Woman sat on porch using credit card and phone at sunset

Following the PCI DSS requirements helps instil customer confidence when they pay for your services.  (Image credit: Oscar Wong via Getty Images)

There are 12 official PCI DSS requirements. We have condensed these into six points, each listed each below. 

Condensed PCI Security Requirements

1. Build and maintain a secure network utilizing a firewall and thoughtful passwords

2. Protect cardholder data in a safe place, encrypt data across open networks

3. Incorporate anti-virus software and develop secure systems to protect against vulnerabilities

4. Only allow limited, trusted parties to access cardholder data, assign unique IDs for individuals with access, and restrict physical access to data

5. Implement regular system and network tests, and change passwords frequently

6. Establish a security policy for employees and partners

Which PCI level applies to my business?

Woman audits business paperwork for PCI compliance

(Image credit: Kiyoshi Hijiki via Getty Images)

The type of PCI compliance you engage with depends solely on how many transactions you process. 

You'll then know if you need to comply with Level 1, 2, 3 or 4 of PCI DSS compliance. This is regardless of if you are online retailer, or have physical storefront. We take a closer look at the different levels below. 

PCI compliance levels
Level 1 PCI compliance Level 2 PCI compliance Level 3 PCI compliance Level 4 PCI compliance
Applicable if you process: Over 6 million card transactions annually 1 to 6 million transactions annually 20,000 to 1 million transactions annually Less than 20,000 transactions annually
Action to be taken External auditor must conduct business assessment Complete a self-assessment questionnaire (SAQ) Complete a self-assessment questionnaire (SAQ) Complete a self-assessment questionnaire (SAQ)

If your business is completing more than six million transactions a year an External Auditor must conduct a business assessment. This is to support the business, offer guidance, and see how well it is meeting the PCI compliance standards. The auditor the submits a Report on Compliance (RoC).

PCI DSS myths debunked

The PCI Security Standards Council have put together a fantastic list of myths about PCI DSS that tend to deter businesses. A popular one is that it's too hard to setup. Beyond that, we've referenced other myths below, so you can quash industry gossip and become PCI compliant without any doubts. 

Simply swipe through the slide deck, using the arrows either side of the slide. 

Image 1 of 17

PCI myth

(Image credit: Future)
Image 2 of 17

PCI myth

(Image credit: Future)

If your customers use cash, or a credit or debit card to pay for your services, you should be PCI DSS compliant.

Image 3 of 17

PCI myth

(Image credit: Future)

False! PCI applies to all businesses who require payment. 

Image 4 of 17

PCI myth

(Image credit: Future)

Not true. You need to comply with the full criteria. 

Image 5 of 17

PCI myth

(Image credit: Future)

You need to protect all customer payment related data.

Image 6 of 17

PCI myth

(Image credit: Future)

This is false, you need to be compliant regardless of business size. 

Image 7 of 17

PCI myth

(Image credit: Future)

Nope, completely untrue...

Image 8 of 17

PCI myth

(Image credit: Future)

Very bad idea. Your business will be open to extra penalties if you wait for this, or any other signal that you need to comply.

Image 9 of 17

PCI myth

(Image credit: Future)

False. 

Image 10 of 17

PCI myth

(Image credit: Future)

Wildly inaccurate and potentially illegal if you store customer data without consent. As a merchant you should not store:


Image 11 of 17

PCI myth

(Image credit: Future)

Not true. 

Image 12 of 17

PCI myth

(Image credit: Future)

It is your responsibility to ensure your business is PCI DSS compliant, don't leave it up to another business, or chance. 

Image 13 of 17

PCI myth

(Image credit: Future)

PCI compliance affects every area of the business, because the financial penalties you may receive if you don't comply will mean every area of your business loses money. 

Image 14 of 17

PCI myth

(Image credit: Future)

To an extent, yes, but it's not hacker-proof. 

Image 15 of 17

PCI myth

(Image credit: Future)

Untrue. 

Image 16 of 17

PCI myth

(Image credit: Future)

You may need an external auditor, but this depends on the number of transactions you process per year. So, maybe depending on your business. 

Image 17 of 17

PCI myth

(Image credit: Future)

See myth #9. 

What is the relationship between PCI DSS and EMV compliance? 

Visa and MasterCard PCI compliant credit cards

(Image credit: Pexels)

PCI DSS is a set of security standards to implement alongside EMV technology. Meanwhile, EMV is incorporated to prevent fraud. Read our full guide to What is EMV?

Final thoughts

While PCI compliance allows merchants the opportunity to take the right steps to protect their business and customers from fraud, it is not hacker-proof. Business owners should be mindful to look for other security layers that protect customer data. 

Looking at years past, the most problematic areas merchants have with requirements include security system processes and testing, security policies and management, and maintaining secure systems. 

In the end, business owners must take action and must think towards the future. As a society, our digital footprint is in its infancy and as technology evolves, so must security to protect merchants and consumers. Solutions can make a world of difference when smart processes and strategies are implemented in conjunction. 



Comments