Payment card industry (PCI) compliance refers to the security standards that companies that perform credit card transactions must meet. The PCI Security Standards Council develops the standards which are in place to protect customer data whenever a credit card transaction is processed.
Credit card transactions require the transmission and storage of a lot of a customer’s personal and financial information. Information that could be valuable to hackers and other bad actors. If such payment information falls into the wrong hands, it could be used to commit fraud and/or identity theft. Accordingly, payment card information must be handled carefully, and its security must be a top priority.
On September 7, 2006, the Payment Card Industry Data Security Standard (PCI DSS) was launched. The PCI Security Standards Council was created by the five major credit card companies—Visa, American Express, MasterCard, JCB, and Discover—and provides a framework, tools, and other resources for companies to keep customers’ data secure.
As commerce and payment technology have continued to advance, PCI DSS has also expanded by creating new regulations to protect both businesses and customers. PCI DSS now applies to debit cards and other electronic transactions in addition to credit card payments.
The world of PCI can appear complicated, leaving many business owners wondering: “What is PCI compliance, and does it concern my business?” We’ve put together this handy guide to lead you through all the intricacies and challenges of maintaining PCI compliance.
What is PCI Compliance?
PCI compliance guidelines were originally established to prevent costly data breaches at credit card companies. A rash of credit card data breaches over the past decade, including millions of customers at Target, Saks, and Home Depot being affected, has highlighted the great concern for protecting customer data.
The PCI Security Standards Council established a 12-item checklist for PCI compliance (more on that below). Additionally, there are four levels of PCI compliance, based on how many transactions a business handles each year:
- Level 1: Businesses that process more than six million transactions per year.
- Level 2: Businesses that process between one and six million transactions per year.
- Level 3: Businesses that process 20,000 to one million transactions per year.
- Level 4: Businesses that process less than 20,000 transactions per year.
Level 1: Over 6,000,000 Transactions
There are a few ways that qualify your business in this category. The first is if you are a merchant who collects credit card information and processes over six million credit card transactions in one calendar year.
You can also qualify if you process more than 2.5 million American Express transactions.
The third way to qualify for level 1 is to have had a previous cyberattack or data breach that resulted in compromised credit card data. You only need one data breach and one piece of credit card data stolen to qualify into this category.
Level 1 businesses must have an annual external audit that checks technical documentation, evaluates payment controls, ensures the scope of the assessment, provides support to help achieve and understand compliance, and determines whether the PCI DSS compliance checklist is being met.
If you qualify for this level, you must complete a risk assessment questionnaire each year using the appropriate self-assessment questionnaire. You will also need to complete an Attestation of Compliance (AOC), which certifies that you are eligible to perform the self-assessment questionnaire.
Level 2: 1,000,000 - 6,000,000 Transactions
Businesses that fall into levels 2 through 4 can complete a Self-Assessment Questionnaire (SAQ), which consists of nine parts. Each part applies to specific businesses based on their level and how they process payments.
Another way to qualify is if you are a merchant who collects credit cards and processes between one million and six million transactions in one calendar year. You can also qualify if you process between 50,000 and 2.5 million American Express transactions.
Level 3: 20,000 - 1,000,000 Transactions
You may qualify for level 3 if you are a merchant who collects credit card information and processes between 20,000 and one million VISA and Mastercard ecommerce transactions in one calendar year. You can also qualify if you process fewer than 50,000 American Express transactions in one year.
Level 4: Less than 20,000 Transactions
To qualify for level 4, you are a merchant who collects credit card information and processes less than 20,000 ecommerce transactions in one calendar year and less than one million total Visa and MasterCard transactions. There is no level 4 for American Express transactions.
Some businesses that are not used to handling sensitive information may find it challenging to achieve PCI compliance. However, managing and protecting data is easy with the right partnerships. Businesses looking to become PCI compliant can bring in security consultants or qualified security assessors to make sure they have the appropriate security standards.
PCI compliance might sound familiar to businesses that deal with medical data and compliance with the Health Insurance Portability and Accountability Act (HIPAA). There are, in fact, some similarities in protecting personal information when comparing HIPAA vs. PCI.
Both PCI and HIPAA set out guidelines which businesses that deal with sensitive information must adhere to or face potential fines and lost business.
Similar to how businesses looking to achieve HIPAA compliance seek out HIPAA compliant website hosting, finding a PCI compliant hosting provider can be a turnkey solution that provides regular checks on security, addresses threats, and provides a safe hosting environment for sensitive data.
When is PCI Compliance Required?
Two of the most common questions business owners who process credit card transactions ask themselves are: “What is PCI compliance?” and “When is PCI compliance required?”
Put simply, if your business accepts credit card payments—either physically or online—you need to be PCI compliant. If you plan on processing, storing, or transmitting any type of credit card information, getting compliant is the way to go.
PCI compliance is not something to be taken lightly. Failure to comply with PCI guidelines can be damaging to businesses in multiple ways, making the PCI compliance cost well worth the investment.
Firstly, suffering a data breach and leaving customer data exposed to third parties can ruin a reputation. Trust between a business and customer takes a while to establish and once it is eroded, it is incredibly difficult to reestablish.
In addition to a diminished reputation, businesses can also take a sizable hit in the checkbook for non-compliance. Credit card companies can issue fines to banks of between $5,000 and $100,000 per month for lack of compliance.
Once the bank receives the PCI non-compliance fee, it often passes the fine on to the responsible merchant. On top of the fine, the bank also could raise transaction fees for the merchant or end their partnership altogether.
PCI Data Security Standards (DSS)
The PCI DSS is largely centered on the professional handling and storage of financial data. Businesses, both online and brick-and-mortar, must:
- Have a secure network.
- Protect customer data.
- Strictly control user access.
- Manage security policies.
- Implement a vulnerability management program.
- Perform external security audits.
PCI compliance can be complicated for businesses not used to dealing heavily with data due to its technical aspects. Therefore, it is often easiest for businesses to hire external experts or consultants to establish a program to maintain compliance.
eCommerce sites can choose self-hosted stores that make it easier for businesses to become PCI compliant. For example, Magento PCI compliance and WooCommerce PCI compliance can be easily accomplished by following the appropriate steps and working with the platform.
PCI compliance is vital, not only to avoid fines, but to also build trust with clients and run a successful business. Companies can further aid their quest to maintain compliance by regularly referring to the PCI DSS compliance checklist.
PCI Compliance Checklist
The PCI Security Standards Council has developed a checklist that regulates businesses that handle credit card information. A quick way to get an overview of what is PCI compliance is by getting familiar with the PCI compliance requirements checklist.
The 12 requirements for PCI compliance are:
1. Implement Firewalls to Protect Data
Firewalls are a system’s first line of defense against hackers, doing so by blocking any outside entities from accessing private data. This form of cybersecurity is greatly effective at protecting data from unauthorized parties.
2. Use Appropriate Password Protection
Update factory passwords on equipment such as point-of-sale devices and routers to make them less accessible. Change passwords often and keep a list of all devices that require passwords. Use a mix of numbers, characters, and capital letters to create strong passwords and differentiate them from common words.
3. Protect Customer Data
Use algorithms to protect card numbers and information with encryption keys. Regularly check and scan primary account numbers to make sure all data is encrypted so even if someone penetrates the firewall, the data will be useless without the encryption key.
4. Encrypt Cardholder Data when Transmitted
Customer data is regularly transmitted from homes to stores, payment processors, and banks. During all these transmissions, the data must be encrypted. Before sending any data, make sure you are sending it to the appropriate location, and never send account information to an unknown location.
5. Use Antivirus Software
One of the easiest steps to take on the checklist is to install antivirus software—something which is already on most personal computers. Be sure to regularly check for patches and updates to the software and make sure your POS platform also has antivirus software installed.
6. Regularly Update Software
Some software automatically updates, but it is important to check all business software for the latest updates. Many updates include important security features that will keep data safe from some of the latest threats.
7. Restrict Access to Data
View all credit card data as being on a “need-to-know basis.” Business partners, staff, and employees who do not need access to data for their job should not have access. Keep track of those who do need to access the data and regularly update the information as restrictions change.
8. Assign Unique IDs for Those with Access
Having only one access code for data makes it more likely that the access code will be shared and become compromised. Create a login and password for every person who needs to access data to keep track of who accesses the data and when they access it.
9. Restrict Access to Physical Data
Data that is kept on paper or on an external hard drive needs to be locked in a secure drawer and/or room. Keep a log of everyone who accesses the physical data.
10. Develop and Monitor Access Logs
Use software to track how data flows through the organization and physical logs of who enters rooms or buildings with sensitive information. Record when and how often primary account numbers and cardholder data is accessed.
11. Test Security Systems Regularly
All the previously mentioned security measures need to be regularly checked for effectiveness and to discover potential weaknesses. Both physical and network security face growing and evolving threats, and cardholder data can only remain protected if security is regularly monitored.
12. Document All Policies
Keep an inventory of all equipment and software used to process credit cards, all employees with access to data, and all physical locations that hold sensitive information. Document where data flows and exactly how it is used beyond the point of sale.
To effectively maintain compliance, companies should regularly consult the checklist to take note of any new vulnerabilities or failings which may arise. If there are any new concerns, remediation should be immediate.
Avoiding storing credit cardholder information at all unless it is necessary for repeat payments is a good way to avoid falling out of compliance. When checklists are complete, compliance reports are to be submitted to the acquiring banks and card brands that serve as partners.
Benefits of PCI Compliance
Clearly, there is a lot that goes into PCI compliance and businesses have some adjustments to make to company policy to meet the requirements. However, companies with a clear understanding of what PCI compliance is see several benefits, including:
- Increased Security and Trust: PCI compliance means businesses have greater security which establishes trust, grows a company’s reputation, and leads to repeat customers and growth.
- Reputation Growth Among Partners: Compliant companies are seen as more reliable by credit card brands and banks.
- Improved Overall Security: Many companies use PCI compliance as an opportunity to reevaluate and improve corporate-wide security and IT infrastructure. Many of the practices put in place for PCI compliance can be expanded to other parts of the company and assist in meeting other regulations such as HIPAA compliance.
- Improved Payment Security: PCI compliant companies contribute to world-wide credit card security, making payments more secure in the future.
PCI Compliance and Data Breaches
PCI compliance plays a vital role in preventing data breaches and mitigating fraudulent activity and identity theft. Companies that are PCI compliant display a respect for their customers’ data and their industry as a whole.
Data breaches can have far-reaching effects. They can lead to significant loss of sales and reputation, not just for an individual company but sometimes for an entire business sector if it is seen as vulnerable.
Companies can face fines and lawsuits following data breaches which can compound upon the lost revenue in sales and damaged reputation to put a business on the brink of demise.
So, what is PCI compliance? In short, it is a set of regulations for companies that process credit card transactions to protect their customers’ data and increase security for their own business. While there are some complications in becoming PCI compliant, the benefits—which include mitigating the threat of data breaches and improving security for all future transactions—outweigh any costs a company might face.
Need PCI Compliance? Learn More About PCI Compliant Hosting With Liquid Web
David Gibb is the Financial Controller at Liquid Web. He has over 20 years of experience working in Finance. He is a CPA in Canada, CGMA in the United Kingdom, and a CPA in Australia.
Keep up to date with the latest Hosting news.