What is PCI Compliance?
PCI DSS stands for Payment Card Industry Data Security Standard, and PCI compliance means meeting its requirements. While the name may be intimidating enough to make you avoid the topic altogether, it’s a good idea to gain a basic understanding of how PCI applies to your industry. Adhering to it is part of protecting cardholder data as well as the financial information security of your business.
The PCI DSS requirements are standards implemented by the five largest credit card companies (Visa, MasterCard, Discover, American Express, JCB) to help reduce costly consumer and bank data breaches.
Around 2006 the role of technology in the workplace changed drastically as the Internet became a vital tool for success to businesses of all sizes. Companies began pushing their products online to increase revenues through various ecommerce platforms.
However, as consumers grew more comfortable using credit cards through online payment applications, the liability from a data breach increased drastically because cardholder data was now accessible over public networks.
In response, the credit card companies formed the Payment Card Industry Security Standards Council and set the industry data security standard PCI DSS. These requirements allow for businesses to safely and securely accept, store, process, and transmit card information during a credit card transaction to prevent fraud and data breaches through a payment gateway.
Is PCI compliance a law?
The simple answer is no. While some states have laws that incorporate components of the PCI Data Security Standard, there is no federal law that requires you to comply with it.
Even though there is no federal law mandating the PCI data security standard, if your business accepts debit or credit card payments from any of the five PCI SSC card brands named above, then you must abide by the PCI security standards. Failing to do so can result in fines of $5,000 to $100,000 per month levied on your acquiring bank. The bank will often pass this cost on to your merchant account and can terminate contracts or increase transaction fees in response to breaches and violations.
Other penalties for noncompliance include an increased risk to the financial information of your business and your customers, fraud losses, termination of your ability to accept credit cards, and even a decrease in sales as customers lose confidence.
Who is responsible for PCI compliance?
Each individual business is responsible for its own PCI compliance. The PCI Security Standards Council created the PCI DSS Self-Assessment Questionnaire, which sellers use to self-validate their compliance.
A merchant processing over 6 million credit or debit card transactions annually (a Level 1 merchant) must have an onsite data security assessment by a Qualified Security Assessor. However, it is not uncommon for Level 2 or Level 3 merchants to schedule audits as well, because they are too large to become PCI compliant efficiently on their own.
For small merchants, these services may be paid for by the acquiring bank as part of its compliance program, or the bank may leave you to take care of it. Either way, it’s up to you to decide whether you want a PCI DSS compliance audit. The audit can be done by external or internal security assessors and would confirm that you have secure systems and applications. But if you process fewer than 20,000 Visa or MasterCard transactions per year, paying for an onsite audit most likely doesn’t make sense.
It is always a good idea to put your money towards internal security. Network resources are becoming an essential part of a collaborative work environment, but this also means that company information is easier to access and therefore more at risk of being stolen. To remain PCI DSS compliant, your company needs to put the proper internal controls in place on your systems and processes.
How to Comply with PCI DSS
While there is no such thing as a “PCI certification”, sellers, service providers, financial institutions, and organizations of all sizes need to prove that they are PCI compliant.
The PCI Security Standards Council created the PCI DSS Self-Assessment Questionnaire, which sellers use to self-validate their compliance. Compliance requires this evaluation to be submitted each year. The document consists of a series of yes-or-no questions for each applicable PCI Data Security Standard requirement.
The payments security landscape is not limited to cyber attackers. Because many of these requirements focus on the digital realm, many business owners overlook the risk of physical access to cardholder data.
Physical access to devices and systems that hold cardholder data should be restricted. Without such controls, it is easy for anyone, including employees, to get hold of sensitive data.
With so many rules and stipulations, maintaining PCI compliance can be complicated. Many companies hire an Internal Security Assessor (ISA) sponsor company certified through the Council.
The employees of these organizations have undergone extensive training and can act as a resource when it comes to the PCI Data Security Standard, application security, and stored cardholder information.
The 12 Requirements for PCI
- 1. Install and maintain a firewall/router configuration to protect cardholder data
- 2. Do not use vendor-supplied defaults for system passwords and other security parameters
- 3. Protect stored cardholder data
- 4. Encrypt transmission of cardholder data across open, public networks
- 5. Use and regularly update anti-virus software or programs
- 6. Develop and maintain secure systems and applications
- 7. Restrict access to cardholder data by business need to know
- 8. Assign a unique ID to each person with computer access
- 9. Restrict physical access to cardholder data
- 10. Track and monitor all access to network resources and cardholder data
- 11. Regularly test security systems and processes
- 12. Maintain a policy that addresses information security for all personnel
What Level of PCI Compliance am I?
While each payment card brand has its own regulations for validation and reporting, they tend to follow a similar pattern of dividing entities into four PCI compliance levels.
Merchant levels are determined by a combination of factors such as transaction volume within 12 months and security risk, as shown in the table below.
It is important to note that each payment card brand has its own PCI compliance program. However, a business that accepts multiple brands follows Visa’s guidelines by default. All entities should contact their payment brands directly to learn what is required to maintain PCI compliance for their security systems and processes.
Merchant Level | Applicable to | PCI Requirements |
---|---|---|
1 | Merchants processing over 6 million transactions annually across all channels, or global merchants identified as Level 1 | (a) Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA), commonly known as a Level 1 onsite assessment, or by an internal auditor if signed by an officer of the company; (b) quarterly network scan by an Approved Scanning Vendor (ASV); (c) Evidence of Compliance form |
2 | 1 to 6 million Visa transactions annually across all channels | (a) Complete the PCI DSS Self-Assessment Questionnaire (SAQ) according to the instructions it contains; (b) complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV); (c) complete the relevant Attestation of Compliance in its entirety (located in the SAQ tool); (d) submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer |
3 | Merchants handling 20,000 to 1 million eCommerce transactions per year | Same steps as Level 2: (a) complete the SAQ according to its instructions; (b) complete and obtain evidence of a passing ASV vulnerability scan; (c) complete the relevant Attestation of Compliance in its entirety (located in the SAQ tool); (d) submit the SAQ, evidence of a passing scan (if applicable), the Attestation of Compliance, and any other requested documentation to your acquirer |
4 | Merchants handling fewer than 20,000 eCommerce transactions per year, and all other sellers that process up to 1 million transactions per year | Same steps as Level 2: (a) complete the SAQ according to its instructions; (b) complete and obtain evidence of a passing ASV vulnerability scan; (c) complete the relevant Attestation of Compliance in its entirety (located in the SAQ tool); (d) submit the SAQ, evidence of a passing scan (if applicable), the Attestation of Compliance, and any other requested documentation to your acquirer |
How much does it cost to achieve PCI compliance?
Becoming and remaining a PCI-compliant business can be expensive, depending on the type and size of your company and the compliance level to which you are held.
LEVEL 4: If you store cardholder data electronically or process payments through internet-connected systems and applications, then an Approved Scanning Vendor (ASV) must complete a regular network or website scan, and your staff must complete a Self-Assessment Questionnaire (SAQ) and Attestation of Compliance to ensure credit card data protection. This cost can be as low as $60 a month.
LEVEL 3: Your costs will likely involve a regular network or website scan by an Approved Scanning Vendor, plus the cost of completing the annual Self-Assessment Questionnaire and Attestation of Compliance. Scans of the network or any web applications are usually as low as $1,200 a year and go up from there based on the size of your network and the number of IP addresses.
LEVEL 2: Costs include a regular network vulnerability scan by an Approved Scanning Vendor (ASV), which increases with the size of your network and the number of IP addresses, plus the cost of completing the annual Self-Assessment Questionnaire (SAQ) and Attestation of Compliance. The all-in cost is usually anywhere between $10,000 and $50,000 a year and up.
LEVEL 1: Your costs will involve a regular network vulnerability scan by an Approved Scanning Vendor (ASV), an annual Report on Compliance by a Qualified Security Assessor, and an Attestation of Compliance. You can expect this to cost upwards of $50,000, depending on your security systems and antivirus software.
12 Things You Should Ask Your Credit Card Processor About PCI DSS Compliance
To sum it all up, the PCI DSS standard applies to any company that stores, processes, or transmits cardholder data. Implementing PCI DSS is a necessary step in your risk management.
By complying with PCI DSS you protect the privacy and security of sensitive card data. Protect yourself from losing sensitive data or paying noncompliance fees by regularly checking the PCI Security Standards Council website and staying familiar with your industry’s PCI standards.
- Are you PCI-validated?
- How do I become PCI compliant with a credit card?
- What are your guidelines for PCI compliance?
- How do you assist with PCI compliance and fraud protection?
- How can my business avoid non-compliance fees?
- Does your product/service store card information locally?
- Does your product encrypt cardholder data before transmitting it?
- Can you tell me where cardholder data is stored in your system and how it is protected?
- Do you offer any protection in the event of a data breach?
- Will you assist with notifying my customers in the event of a data breach that is your product’s fault?
- Does my business need to fill out a SAQ each year?
- Will you alert me if PCI compliance regulations change?