PCI compliance is hard to understand. Not only is there a knowledge barrier when learning the PCI Data Security Standard, but there’s an enormous executional barrier in meeting its demanding requirements.Getting compliance wrong can result in crippling financial penalties, a marred reputation, and serious legal consequences. We created this guide to make the process a little less scary. It breaks down everything there is to know, from why PCI compliance exists to how you can meet its requirements. Keep reading to learn how to make PCI compliance a breeze.
Table of Contents:
- What Is PCI Compliance?
- Who Is Required to be PCI Compliant?
- What Could Happen if You Aren’t…
- How To Become PCI Compliant
Key Overview:
- PCI Data Security Standards (PCI DSS) are a set of payment card standards that were created by the PCI Security Standards Council (PCI SSC) in 2006.
- PCI DSS were created with the intention of protecting customers’ sensitive card information and requires businesses to follow specific practices when handling card data.
- Failing to comply with PCI standards can lead to fines, card restrictions, and legal consequences for your business.
- You can make sure you stay PCI compliant by following the PCI compliance requirements we have broken down below.
What Is PCI Compliance?
PCI compliance refers to a set of 12 security standards that businesses must obey when working with credit card data. In order to be PCI compliant, you must follow the Payment Card Industry Data Security Standards (PCI DSS). PCI DSS are a set of standards created by the Payment Card Industry Security Standards Council (PCI SSC) in 2006.
The History and Development of PCI DSS
The PCI SSC is a council made up of some of the world’s largest payment card businesses. The PCI SSC was originally comprised of:
- Visa
- MastercardDiscover Financial Services
- JCB International
- American Express
In 2020, UnionPay joined the council.
Since these companies all had their own security standards, the PCI SSC formed to create a unified set of best practices for consumer protection.
In response to the growing number of cyberattacks in the 2000s, the PCI SSC designed a set of standards, known as PCI DSS, to protect customers and businesses that deal with sensitive payment card information.
Development of PCI DSS isn’t limited to the six entities in the PCI SSC. Interested parties can influence the PCI DSS by registering as a Participating Organization. There are currently over 700 Participating Organizations across 60 countries.
We are currently on version 4.0 of the PCI Data Security Standard. This latest version was implemented on March 31, 2022, and was designed to protect consumers from the latest cyberthreats. Businesses have until March 31, 2024 to adopt the latest version of PCI DSS to be considered PCI compliant. The best way to track changes to PCI compliance is by visiting the official PCI website.
Is PCI Compliance Required by Law?
Merchant compliance to PCI DSS is not enforced by the government, the PCI Security Standards Council, or any formal authority, but by the contract businesses sign with their merchant service provider. While this may sound optional, in practice, every merchant is required to have a level of PCI compliance.
Additionally, many service providers, when transferring customers’ credit cards, would require their business partners to also maintain PCI compliance.
What Groups Are Involved in PCI Compliance?
Card Networks
Every card network must follow a set of security requirements based on the standards set forth by the PCI SSC. It is a national legal requirement that card networks abide by PCI DSS.
Business Owners
Business owners must obey the PCI compliance standards that their merchant demands. The extent to which a business must do so greatly depends on their partnered merchant. Punishments for failure vary widely too. Where some merchants charge fees, others cut off access to their services. This could devastate your business, particularly if they’re your sole merchant provider.
Merchant Account Providers or Payment Service Providers
Where payment card providers set the rules in general, merchants ensure that businesses they are in direct contact with follow them, becoming practical administrators in the process. Merchants most commonly enforce PCI DSS in contracts and agreements where they specify which PCI compliance requirements must be observed to work with them.
The PCI Security Standards Council
The PCI SSC is a key player in PCI Compliance. This overarching council continuously updates PCI standards so they stay effective at protecting against modern cyberthreats. Outside of creating the broad set of standards for PCI compliance, the PCI Security Standards Council also:
- Certifies vendors as PCI compliant
- Tests and certifies payment technology
- Collaborates with Participating
- Organizations to adjust PCI DSS
- Researches emerging cyberthreats and technologies
Who Is Required To Be PCI Compliant?
If you are unsure of which PCI compliance measures your merchant service provider needs your business to follow, review your contract and search for mentions of credit card security. Alternatively, ask them directly. The exact level of PCI compliance you’re required to meet depends on your provider, so getting in touch with them may be your best bet.
What Could Happen if You Aren’t PCI Compliant
Failing to comply with PCI standards could lead to catastrophic consequences for your business. The four most common consequences for PCI non-compliance are:
1) Fines
Fines are the most common consequence of failing to meet PCI compliance. Compliance fines can be broken up into three levels:
| Length of Non-Compliance | Fine (Per Month) |
|---|---|
|
1 - 3 months |
$5,000 - $10,000 |
|
4 - 6 months |
$25,000 - $50,000 |
|
7+ months |
$50,000 - $100,000 |
Small businesses are charged the lower range of fees, where large businesses must pay the full amount.
There are additional fines associated with breaches that are the result of failing to comply with PCI standards. These depend on your number of monthly transactions, but are usually between $50 – $90 per customer affected. While that may not sound severe, 500,000 customers having their data compromised leads to fine of $30 million:
500,000 x $60 = $30,000,000
Here’s a chart of what the fines could look like assuming a (modest) fine of $50 per customer affected:
As you can see, these costs add up quickly. While your business may be able to weather a fine of $500,000, are you prepared to pay $5,000,000?
2) Card Restrictions
Merchants frequently impose processing restrictions on businesses that fail to meet security requirements. The severity of these restrictions depends on your offense and the merchant themselves. The most common types of card restrictions include:
- Limitations on specific types of cards
- Establishment of card limits
- Total termination of processing capabilities
3) Legal Consequences
Merchants establish legal clauses in their contract to hold you responsible for failing to meet PCI compliance. This is done to limit their liability and leaves your business vulnerable to legal action from consumers and other parties. Depending on what information was compromised, your business can face serious lawsuits for failing to be PCI compliant.
A data breach due to PCI negligence can even lead to legal penalties from card companies, who will expect reimbursement for their cost of replacing victims’ cards and/or paying them back. These costs can be immense.
4) Loss of Revenue
One of the most serious consequences of PCI noncompliance is revenue loss. This can occur in three ways:
- Data costs from breaches and disaster recovery
- Legal costs from fines and lawsuits
- Opportunity costs from a loss of customers
Customers losing interest in your business is the most severe penalty. Failing to meet PCI standards will impact your reputation. Would you trust your private data to a business that’s known for slip-shod data practices?
Summary: What Is PCI Compliance and Why Is It Important?
PCI compliance refers to following PCI DSS, which are a set of continuously updated security standards for payment cards. While PCI compliance isn’t legally mandated, it is required in practice. Failing to be PCI compliant could cause your business to face serious fines, struggle with card restrictions, and deal with legal consequences.
Our Guide on How To Become PCI Compliant
Now that you understand the importance of PCI compliance, let’s dive into the specifics of PCI DSS and learn what you can do to stay compliant.
What Are the PCI Compliance Levels?
The PCI SSC has designed four different levels of PCI compliance. What level you fall into depends on the size of your business. Larger businesses must follow stricter data security standards. The four levels are as follows:
| Compliance Level | Processing Requirements |
|---|---|
|
1 |
Over 6 million card transactions annually |
|
2 |
Between 1 - 6 million card transactions annually
|
|
3 |
Between 20,000 - 1 million transactions annually |
|
4 |
Less than 20,000 transactions annually |
Each of these levels has unique requirements. The higher your level, the more rigorous your organization must be in implementing effective information security practices. Want to learn more about the specific requirements for your organization’s level? Check out the PCI DSS: v4.0 yourself!
Alternatively, keep reading and we’ll break down the main components of PCI compliance, its 12 core requirements, and how you can become PCI compliant.
The 3 Main Components of PCI Compliance
Lock down these three parts of your card data practices to achieve PCI compliance:
Handling Card Data
If your business handles sensitive card data for any amount of time, you’re subject to the security controls in PCI DSS. However, these standards can be simplified by working with third-party solutions. The right partner can ensure that card data never touches your servers, and can simplify PCI compliance.
Storing Data Securely
Your cardholder data environment (CDE) is made up of the people, processes, technologies, and systems that handle credit card data in your business. Everything that comes in contact with the CDE is subject to the full scope of PCI DSS requirements. This is why separating your CDE from the rest of your business is crucial. Ideally, you want your CDE to be as narrow as possible.
Annual Validation
The final component of PCI compliance is its annual validation forms. There are a few situations where an organization could be asked to prove its compliance:
- Payment processors may request it for their reports to payment card businesses
- Business partners can ask for validation before entering into an agreement
- Customers can request it to verify your data security standards.
The 12 PCI Compliance Requirements:
Now that we understand the varying levels of compliance and the 3 main components that the PCI DSS focuses on, let’s review the 12 specific requirements that every PCI compliant business must meet:
1) Install and Maintain a Firewall
Effective firewalls are the first step to achieving PCI compliance and are foundational to establishing a good card security system. They are the first line of defense against hackers, as they block unknown entities from accessing your private data.
2) Avoid Default Passwords and Security Measures
All password-enabled devices come equipped with default security measures. Cybercriminals are usually familiar with how to breach these default defenses—refusing to update them puts your business in grave danger. Stay PCI compliant by keeping a comprehensive list of all of your password-enabled devices and confirming that you’ve changed every password. Repeat this process at least every six months.
3) Protect Stored Cardholder Data
PCI DSS mandate that cardholder data is backed with two-fold protection, which encrypts it with algorithms with additional security from encryption keys. The dual layers make it much more difficult for cybercriminals to compromise cardholder data. This requirement also demands regular verification that primary account numbers are encrypted.
4) Encrypt Transmission of Cardholder Data Across Public Networks
If your cardholder data goes through public channels, PCI DSS requires those transmissions to be encrypted. This ensures a basic level of defense for your clients’ account numbers, even if they’re being sent through hazardous channels. Aren’t sure what channels your cardholder data goes through? A professional can help you get the answers you need.
5) Use Current Anti-Virus Software and Programs
PCI DSS requires up-to-date antivirus software for every device that interacts with primary account numbers (PAN). Keep your company protected with the latest antivirus updates.
6) Develop Secure Systems and Applications
Failing to update your systems could lead to exploitable weaknesses in your network to emerging cyberthreats. This is why PCI DSS requires all of your software to be updated to its most recent version. Enabling automatic updates takes the process out of your hands, so you can focus on your core business processes.
7) Restrict Access to Cardholder Data by Business Need-to-Know
PCI compliance demands that data is distributed strictly on a “need-to-know” basis. Anyone that doesn’t need access to cardholder data—whether it’s an executive or clerk—shouldn’t have access. This step also requires that every member of your team in contact with sensitive data is monitored to keep them honest and accountable.
8) Identify Users With Unique IDs
PCI DSS requests that everyone who accesses sensitive cardholder data be given unique identifiers. These create a more transparent system with greater accountability. When everyone uses the same account it gets tough to tell who’s doing what. Unique IDs eliminate this issue by creating a system where every action is attributable to a specific individual.
9) Restrict Physical Access to Cardholder Data
If your business has physical copies of cardholder data, PCI DSS states that they must be physically secured in a safe location. Examples of physical cardholder data include:
- Receipts
- Reports
- Faxes
- Customer Order Forms
- Hard Drives
Not only should all of these objects be locked away, a record must be made every time they’re accessed. This system guarantees that someone can be held accountable if something happens.
10) Log, Monitor, and Track all Access to Systems Involving Cardholder Data
On the topic of accountability, PCI DSS require that comprehensive logs are kept that record all activity around PAN. Don’t neglect this! Failing to keep consistent track is one of the most common places where businesses fail to meet compliance.
11) Regularly Test Security Systems and Processes
This step of the PCI DSS aims to verify the strength of your security practices. Meeting PCI standards is an elaborate process—it’s likely that one part of your implementation isn’t working as intended. The best way to check and see if your PCI is working properly is with regular scans of your network.
In addition, the PCI DSS recommends conducting vulnerability and penetration testing. These tests identify weaknesses in your network, and can help you lock down cardholder data.
12) Support Information Security With Policies and Programs
Finally, PCI compliance requires you to continuously support your information security with new policies, programs, and documentation. This part exists to ensure that your business keeps up with the most modern processes.
Summary: What Are The PCI Compliance Requirements and What Do You Need to Do?
PCI compliance involves three aspects of data security—handling, storing, and an annual validation. Your business can stay PCI compliant by understanding your compliance level and tracking changes on the official PCI website. The best way to meet the current requirements for PCI DSS v4.0 is by:
- Installing Firewalls
- Using Strong Password Protocols
- Protecting Cardholder Data
- Developing Accountable Systems
- Using Current Antivirus Software
- Continuously Improving Your System
- Partnering With a Professional
Make PCI Compliance Simple
Not meeting PCI compliance can lead to huge fines, reputational damage, and legal consequences that could lead to your business’s failure. Does the prospect of facing it alone intimidate you? If so, PCI Booking is here to help!
PCI Booking offers a compliance level 1 outsourced solution for all of your business processes that involve credit card details. By working with us, you inherit this level, giving your business a scalable solution to all your compliance needs. We’re constantly studying and tracking every development to PCI DSS, so you can put your trust in us. Make PCI compliance simple and partner with us today!
