What is PCI compliance? A Payment Card Industry Data Security Standard (PCI DSS) guide
What is PCI compliance? Learn about the best way to build customer trust and protect your business against theft in the digital age with our PCI guide.
It would take almost ten years for the world to recognise that, as the internet was evolving in the late 1990s, so was online payment fraud.
Consequently, credit card industry leaders developed a set of payment security standards. In December 2004, American Express, Discover Financial Services, JCB International, Mastercard, and Visa teamed up to introduce PCI DSS 1.0.
Fast forward to today, and card fraudsters and network hackers have to contend with advanced PCI DSS version 4.0.
Don't allow your business to become complacent, though. Even industry-leading POS systems are still at risk of a card data security breach, so it's best to take precautions and become PCI compliant. In late 2020, Forbes reported on two payment terminal manufacturing giants who unintentionally made hacking customer credit card data easier.
These days an independent body created by the founding members of PCI DSS, the PCI Security Standards Council (PCI SSC), manages and administers PCI DSS. In this quick read, we'll explore the definition of PCI, its business benefits, the implications of not adhering to it, and how staying compliant can build customer confidence.
What is PCI DSS compliance?
Payment Card Industry Data Security Standard, or PCI DSS, is a data security standard which protects transactions made with cash, or branded debit and credit cards from the major providers.
How does PCI DSS protect my customers?
It protects purchasers against misuse of their payment and personal information. Complying with PCI DSS is also likely to build trust in the relationships between you and your customers, as they're aware that your business is conforming to a globally recognised information security standard, and, as a result, their data is less likely to be breached.
How does PCI DSS protect my business?
PCI DSS can help your organisation in so many ways. It ensures that you are accepting, storing, and processing payment data in the most secure way possible. It can also help you, or the payment organisations you work with, to prepare for and defend against network attacks by hackers looking to harvest card data.
Aside from protection, it may also boost your brand's reputation. Putting customer safety first is an attractive feature in any business, after all.
Why do PCI DSS and security matter?
Over the years, PCI DSS has continued to develop its guidelines to better protect merchants and consumers from credit card data theft.
PCI DSS compliance should be a top priority for you as a merchant, as securing the customer payment process can lead to an uptake in successful customer sales.
Is PCI compliance required by law?
No, PCI DSS compliance is a regulatory standard, not a law.
However, the legal ramifications and financial penalties for not complying with the standard, especially in the event of a data breach, can be weighty.
IT Governance reports that, under EU GDPR law, companies that are non-compliant face "up to €20 million or 4% of [your business'] annual global turnover – whichever is greater" if theft or a network breach takes place.
What happens if my business is not PCI compliant? Does my business need to be PCI compliant?
If a business is not PCI DSS compliant, it is liable for any fraud that takes place in its organization. Merchants could end up paying thousands in fines if there is a security breach, and risk losing consumer loyalty.
Additional liabilities may include:
- Fines upwards of $100,000.00 per month until the merchant is compliant
- All fraud losses from the compromised accounts
- Credit monitoring fees, lawsuits, and more from state and federal governments
- Costs to reissue stolen cards
- Costs for future prevention measures
- And more…
PCI DSS provides detailed guidelines for merchants to make the compliance process manageable and successful. Initially, merchants have to complete an annual PCI self-assessment questionnaire.
Your level of responsibility will be dependent upon the gross number of Visa, Mastercard or Discover transactions processed within your merchant account.
Questions for the assessment can include: What do you do with receipts? Do you store card data in any way, and if so, is it written on paper or stored electronically? Other questions establish the appropriate level for the merchant. Typically, a payment processing advisor is assigned to the merchant to assist with any questions or concerns.
What are PCI requirements?
There are 12 official PCI DSS requirements. We have condensed these into the six points listed below.
Condensed PCI Security Requirements
1. Build and maintain a secure network utilizing a firewall and thoughtful passwords
2. Protect cardholder data in a safe place, encrypt data across open networks
3. Incorporate anti-virus software and develop secure systems to protect against vulnerabilities
4. Only allow limited, trusted parties to access cardholder data, assign unique IDs for individuals with access, and restrict physical access to data
5. Implement regular system and network tests, and change passwords frequently
6. Establish a security policy for employees and partners
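As an added illustration of condensed requirement 2 and of the assessment questions about receipts and stored card data, here is a small Python example (written for this page, not code from the article or from the PCI SSC) showing how a merchant's system can keep a transaction record without retaining what PCI DSS forbids: it drops sensitive authentication data fields outright, truncates the primary account number (PAN) to its last four digits, and redacts card numbers that have leaked into free-text fields, using a Luhn check so that order or tracking numbers are left alone. The field names, the sample record and the helper functions are my own assumptions, not the standard's wording.

```python
import re

# Fields PCI DSS treats as sensitive authentication data: never kept after
# authorisation, whatever else the merchant stores. (Field names assumed.)
SENSITIVE_AUTH_FIELDS = {"cvv", "cvc", "cvv2", "pin", "pin_block", "track1", "track2", "magstripe"}

# Field names under which this hypothetical system receives the full card number.
PAN_FIELDS = {"pan", "card_number"}

# A run of 13-19 digits, optionally separated by spaces or dashes, that is not
# part of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample transaction; 4111 1111 1111 1111 is a widely used test card number.
SAMPLE_TRANSACTION = {
    "pan": "4111111111111111",
    "cvv": "123",
    "expiry": "12/29",
    "amount": 19.99,
    "note": "customer paid with 4111 1111 1111 1111, order 123456789012345",
}


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test: every real PAN passes it, most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_plausible_pan(value: str) -> bool:
    digits = re.sub(r"\D", "", value)
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def mask_pan(value: str) -> str:
    """Keep only the last four digits, which is all a receipt or record needs to show."""
    if not is_plausible_pan(value):
        raise ValueError("value is not a plausible card number")
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_pans_in_text(text: str) -> str:
    """Mask card numbers that leaked into free text (receipt notes, logs, support tickets)."""
    def replace(match: re.Match) -> str:
        candidate = match.group(0)
        if is_plausible_pan(candidate):
            return mask_pan(candidate)
        return candidate  # fails Luhn, e.g. an order or tracking number: leave it alone
    return PAN_CANDIDATE.sub(replace, text)


def sanitize_for_storage(record: dict) -> dict:
    """Return the subset of a transaction record that a merchant may keep on file."""
    kept = {}
    for key, value in record.items():
        name = key.lower()
        if name in SENSITIVE_AUTH_FIELDS:
            continue  # dropped outright, never written anywhere
        if name in PAN_FIELDS:
            kept[key] = mask_pan(str(value))  # truncated, so the full PAN is never stored
        elif isinstance(value, str):
            kept[key] = redact_pans_in_text(value)  # catch PANs typed into free text
        else:
            kept[key] = value
    return kept


if __name__ == "__main__":
    print(sanitize_for_storage(SAMPLE_TRANSACTION))
```

Truncation is one-way. If the business genuinely needs to reference the card again later (refunds, recurring billing), the usual answer is a token issued by the payment processor rather than keeping the PAN; holding the full PAN yourself brings the storage, encryption and key-management parts of the standard into scope.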
Which PCI level applies to my business?
The type of PCI compliance you engage with depends solely on how many transactions you process.
You'll then know if you need to comply with Level 1, 2, 3 or 4 of PCI DSS compliance. This applies regardless of whether you are an online retailer or have a physical storefront. We take a closer look at the different levels below.
| | Level 1 PCI compliance | Level 2 PCI compliance | Level 3 PCI compliance | Level 4 PCI compliance |
|---|---|---|---|---|
| Applicable if you process: | Over 6 million card transactions annually | 1 to 6 million transactions annually | 20,000 to 1 million transactions annually | Less than 20,000 transactions annually |
| Action to be taken | External auditor must conduct business assessment | Complete a self-assessment questionnaire (SAQ) | Complete a self-assessment questionnaire (SAQ) | Complete a self-assessment questionnaire (SAQ) |
If your business completes more than six million transactions a year, an external auditor must conduct a business assessment. This is to support the business, offer guidance, and see how well it is meeting the PCI compliance standards. The auditor then submits a Report on Compliance (RoC).
PCI DSS myths debunked
The PCI Security Standards Council have put together a fantastic list of myths about PCI DSS that tend to deter businesses. A popular one is that it's too hard to set up. Beyond that, we've referenced other myths below, so you can quash industry gossip and become PCI compliant without any doubts.
1. If your customers use cash, or a credit or debit card to pay for your services, you should be PCI DSS compliant.
2. False! PCI applies to all businesses that require payment.
3. Not true. You need to comply with the full criteria.
4. You need to protect all customer payment related data.
5. This is false; you need to be compliant regardless of business size.
6. Nope, completely untrue...
7. Very bad idea. Your business will be open to extra penalties if you wait for this, or any other signal that you need to comply.
8. False.
9. Wildly inaccurate and potentially illegal if you store customer data without consent. As a merchant you should not store:
10. Not true.
11. It is your responsibility to ensure your business is PCI DSS compliant; don't leave it up to another business, or to chance.
12. PCI compliance affects every area of the business, because the financial penalties you may receive if you don't comply will mean every area of your business loses money.
13. To an extent, yes, but it's not hacker-proof.
14. Untrue.
15. You may need an external auditor, but this depends on the number of transactions you process per year. So, maybe, depending on your business.
16. See myth #9.
What is the relationship between PCI DSS and EMV compliance?
PCI DSS is a set of security standards to implement alongside EMV technology. Meanwhile, EMV is incorporated to prevent fraud. Read our full guide to What is EMV?
Final thoughts
While PCI compliance allows merchants the opportunity to take the right steps to protect their business and customers from fraud, it is not hacker-proof. Business owners should be mindful to look for other security layers that protect customer data.
Looking at past years, the requirement areas merchants find most problematic include security system processes and testing, security policies and management, and maintaining secure systems.
In the end, business owners must take action and think towards the future. As a society, our digital footprint is in its infancy, and as technology evolves, so must the security that protects merchants and consumers. Solutions can make a world of difference when smart processes and strategies are implemented together.
With over 13 years of experience in the marketing, public relations and non-profit fields, Erin is a driven copy and content writer, digital designer, strategic planner and public speaker. Throughout the course of her career, Erin has managed multiple teams, bringing sales and marketing success to non-profit and for-profit organizations. She brings empathetic, devoted leadership to the team, and drives growth through tactical thinking and a consummate work ethic.