What Is PCI Compliance? A Guide
If you’ve researched accepting credit card payments, you may have heard of PCI compliance. PCI is only half of an abbreviation: PCI DSS, which is short for Payment Card Industry Data Security Standard. The Payment Card Industry Security Standards Council (PCI SSC) created the PCI DSS in order to have a single set of rules for the entire industry.
The PCI SSC itself is an independent body, which operates with input from all the major credit card companies. In fact, it was founded by a partnership between Visa, MasterCard, American Express, Discover, and JCB. The reason for their cooperation is simple. All the major brands have an interest in security. And since they need to do business with each other, they want to make sure other card carriers are also secure. Hence, the creation of an industry-wide standard.
One thing we should point out is that the PCI SSC is not responsible for enforcing PCI DSS standards. Instead, individual card companies police their business partners to make sure they are in compliance. The PCI DSS doesn’t just apply to card companies and their partners, either. It applies to any organization that accepts card transactions. It also applies to organizations that handle cardholders’ personal information.
Here’s a closer look at PCI compliance, and what it means for your business.
PCI Compliance Basics
PCI DSS compliance is not a regulatory requirement to accept payments in the UK. However, it’s required by court precedent in the US, which is an issue if you do any trans-Atlantic business. Moreover, it’s still an industry requirement, an agreed-upon security protocol. If your business signed a credit card network agreement, it’s going to be part of that agreement.
The PCI SSC has updated the PCI standards to apply to online transactions as well as in-person purchases. These include encryption requirements to make sure sensitive cardholder information is secure.
PCI Compliance Requirements
Basic PCI compliance means ensuring that cardholder data is stored and transmitted securely. Your business needs to be able to demonstrate that it’s running secure systems on a secure network, so that hackers and other bad actors can’t gain unauthorized access to cardholder data. Anyone who needs authorized access to cardholder data must, in turn, be PCI compliant.
So, what does this mean for you? In many cases, very little. If you process a low volume of online credit card transactions for a small ecommerce site, you might not have to do anything. On the other hand, for larger businesses, the requirements can be higher. There are different compliance levels, which we’ll talk about in a minute.
There are 12 key requirements, 78 base requirements, and 400 test procedures in the PCI DSS guidelines. If you want to read the complete PCI requirements, you can find them here. Without going too far into the weeds, here are the 12 key security requirements:
- Use anti-virus software
- Implement firewalls on all systems that process credit and debit card transactions
- Implement password policies (e.g. no default passwords)
- Put security controls in place to protect stored cardholder data
- Encrypt cardholder data
- Maintain security systems and update them regularly
- Limit access to cardholder data
- Limit physical access to data
- Assign unique IDs to all users with access to network resources
- Keep access logs for the cardholder data environment
- Test security systems on an ongoing basis, and update security parameters as needed
- Document a clear, actionable policy for your security programs
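Two of the requirements above, protecting stored cardholder data and keeping access logs, collide in practice: logs are stored data too, and a full card number (PAN) that lands in an application log brings that log into scope. The following Python script is an added example written for this guide, not code from the original article or from the PCI SSC, showing one common control: mask a PAN to its last four digits before it is written anywhere, and scrub any PAN that slips into a log line. The log lines are constructed samples; the card numbers are the widely published test PANs 4111111111111111 and 5555555555554444, and the 16-digit order id is there to show that a Luhn check keeps ordinary numbers from being redacted by mistake.

```python
import re

# Constructed sample log lines for this example (not real data).
# Lines 1 and 2 contain well-known test PANs, one with spaces as separators;
# line 3 contains a 16-digit order id that is NOT a card number.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z checkout ok pan=4111111111111111 amount=19.99",
    "2024-01-01T10:00:05Z refund   ok pan=5555 5555 5555 4444 amount=5.00",
    "2024-01-01T10:00:09Z shipment order=1234567890123456 carrier=ups",
]

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer run of digits.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum.

    Every second digit from the right is doubled (subtracting 9 if the
    result exceeds 9) and the total must be divisible by 10.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN so only the last four digits remain readable.

    Separators are stripped first; anything that is not a plausible,
    Luhn-valid PAN is rejected rather than silently masked.
    """
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19) or not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_pans(line: str) -> str:
    """Replace every Luhn-valid PAN in a log line with its masked form.

    Digit runs that fail the Luhn check (order ids, timestamps) are left
    untouched, which keeps the redactor from mangling ordinary log fields.
    """
    def _sub(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"\D", "", raw)
        return mask_pan(digits) if luhn_valid(digits) else raw

    return _CANDIDATE.sub(_sub, line)


def redact_log(lines):
    """Apply redact_pans to every line of a log."""
    return [redact_pans(line) for line in lines]


if __name__ == "__main__":
    for line in redact_log(SAMPLE_LOG):
        print(line)
```

Running the script prints the three sample lines with the two card numbers reduced to `************1111` and `************4444` while the order id on the third line is unchanged. In a real deployment this redaction belongs in the logging pipeline (a log formatter or a filter in front of the log shipper) so that the unmasked PAN is never written to disk in the first place; scrubbing files after the fact still leaves a window in which the data was stored in the clear.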
After reading the standards, the next step is to complete a PCI DSS self-assessment questionnaire (SAQ). The questionnaire is designed to help you identify any security vulnerabilities. At this point, you may also need to pass a vulnerability scan from a scanning vendor approved by the PCI SSC (an Approved Scanning Vendor, or ASV). Only larger merchants will need to complete the scanning process.
Upon completion of a passing scan, you’ll need to complete the PCI Attestation of Compliance. At that point, you submit your information to the PCI SSC. You’ll receive your PCI certification, and you’ll be ready to do business with most major card brands.
What Are the Different Compliance Levels?
In total, there are four levels of PCI compliance. Which level you fall into depends on your sales volume over a 12-month period. For this purpose, PCI SSC uses Visa card transactions as a proxy. This count is based on a total of transactions across your corporate entity. If you do business as several brands, you’ll need to total up those transactions.
However, there’s an exception. If the company stores data in a central location, they count as a single entity. But if each brand handles its own card data storage, they count as separate entities.
Here are the four PCI compliance levels, as defined by Visa:
- Merchant level 1 – Any merchant who processes 6 million or more Visa transactions in a calendar year. Visa may also require PCI level 1 compliance documentation for businesses that it deems to be a risk. Typically, this happens to mid-sized companies that have experienced a huge surge in sales.
- Merchant level 2 – Any merchant who processes between 1 million and 6 million Visa transactions in a calendar year.
- Merchant level 3 – Any merchant processing between 20,000 and 1 million online Visa transactions in a calendar year.
- Merchant level 4 – Any merchant processing fewer than 20,000 online Visa transactions per calendar year. This level also covers merchants whose total Visa transactions across all channels are less than 1 million per year.
Why Become PCI Compliant?
So, why would you want to become PCI compliant? As should be obvious by now, the answer is simple. If you’re not compliant, you risk being cut off from the major payment card brands. Without access to these payment brands, you’re liable to lose a significant amount of business. That said, there are other reasons to become compliant.
For one thing, most PCI requirements are common sense. It makes sense for any business to have a vulnerability management program. Along the same lines, if you’re not using antivirus software, you’re not paying attention. This doesn’t just apply to high-risk enterprises, either. It applies to anyone who stores cardholder data.
Think about it. 95% of cybersecurity breaches aren’t even intentional – they’re caused by human error. Moreover, 86% of cyber thieves were motivated by money. This means they were stealing it – maybe even from you or your company.
For another thing, taking care of your customers’ data is the right thing to do. When people spend money with your business, they’re trusting you with their card data. They’re not expecting to see it stolen. Even if they’re able to cancel the charges and get a new card, it’s going to inconvenience them. This is a black eye for your brand.
Fundamentally, PCI compliance isn’t about meeting some government mandate. Even industry enforcement is lax. But the system relies on customers being able to trust businesses and financial institutions to do the right thing. The last thing you want to be known as is the company that lost everyone’s data. It’s worth investing money upfront to make sure you’re compliant.
Key Takeaways
As you can see, PCI compliance is an important consideration for any business or nonprofit. If you’re not already compliant, you probably should be. And if you are, it doesn’t hurt to pass a scan, just in case there are any issues down the line. If nothing else, your legal department will sleep better at night.
If you enjoyed this guide and found it useful, you might want to look at some of our other articles. Take a look at our resource hub, which is jam-packed with tips, tricks, and useful information.