It would take almost ten years for the world to recognise that, as the internet was evolving in the late 1990s, so was online payment fraud.
Consequentially, credit card industry leaders developed a set of payment security standards. In December 2004, American Express, Discover Financial Services, JCB International, Mastercard, and Visa teamed up to introduce PCI DSS 1.0 .
Fast forward to today, and card fraudsters and network hackers have to contend with advanced PCI DSS version 4.0 (opens in new tab).
Don't allow your business to become complacent, though. Even industry-leading POS systems are still at risk of a card data security breach, so it's best to use precaution and become PCI compliant. In late 2020, Forbes reported on two payment terminal manufacturing giants who unintentionally made hacking customer credit card data easier (opens in new tab).
These days an independent body—created by the founding members of PCI DSS, (namely, the PCI Security Standards Council (PCI SSC) (opens in new tab))—manage and administer PCI DSS. In this quick read, we'll explore the definition of PCI, business benefits, implications when not adhered to, and how staying compliant can build customer confidence.
What is PCI DSS compliance?
Payment Card Industry Data Security Standard, or PCI DSS, is a data security standard which protects transactions made with cash, or branded debit and credit cards from the major providers.
How does PCI DSS protect my customers?
It protects purchasers against misuse of their payment and personal information. Complying with PCI DSS is also likely to build trust in the relationships between you and your customers, as they're aware that your business is conforming to a globally recognised information security standard. By doing so, their data is less likely to be breached.
How does PCI DSS protect my business?
PCI DSS can help your organisation in so many ways. It ensures that you are accepting, storing, and processing payment data in the most secure way possible. It can also help you, or the payment organisations you work with, to prepare for and defend against network attacks by hackers looking to harvest card data.
Aside from protection, it may also boost your brand's reputation. Putting customer safety first is an attractive feature in any business, after all.
Why does PCI DSS and security matter?
Throughout the years PCI DSS continues to develop its guidelines to better protect merchants and consumers from credit card data theft.
PCI DSS compliance should be a top priority for you as merchant, as securing the customer payment process can lead to an uptake in successful customer sales.
Is PCI compliance required by law?
No, PCI DSS compliance is a regulatory standard, not a law.
However, the legal ramifications and financial penalties for not complying with the standard, especially in the event of a data breach, can be weighty.
IT Governance (opens in new tab) report that, under EU GDPR law companies who are non-compliant face "up to €20 million or 4% of [your business'] annual global turnover – whichever is greater" if theft or a network breach takes place.
What happens if my business is not PCI compliant? Does my business need to be PCI compliant?
If a business is not PCI DSS compliant, they are liable for any fraud that takes place in their organization. Merchants could end up paying thousands in fines if there is a breach in security, and risking consumer loyalty.
Additional liabilities may include:
- Fines upwards of $100,000.00 per month until the merchant is compliant
- All fraud losses from the compromised accounts
- Credit monitoring fees, law suits, and more from state and federal governments
- Costs to reissue stolen cards
- Costs for future prevention measures
- And more…
PCI DSS provides detailed guidelines for merchants to make the compliance process manageable and successful. Initially, merchants have to complete an annual PCI self-assessment questionnaire (opens in new tab).
Your level of responsibility will be dependent upon the gross number of Visa, Mastercard or Discover transactions processed within your merchant account.
Questions for the assessment can include: What do you do with receipts? Do you store card data in any way – and if so, is it written on paper or stored electronically? And others to establish the appropriate level for the merchant. Typically, a payment processing advisor is assigned to the merchant to assist with any questions or concerns.
What are PCI requirements?
There are 12 official PCI DSS requirements (opens in new tab). We have condensed these into six points, each listed each below.
Condensed PCI Security Requirements
1. Build and maintain a secure network utilizing a firewall and thoughtful passwords
2. Protect cardholder data in a safe place, encrypt data across open networks
3. Incorporate anti-virus software and develop secure systems to protect against vulnerabilities
4. Only allow limited, trusted parties to access cardholder data, assign unique IDs for individuals with access, and restrict physical access to data
5. Implement regular system and network tests, and change passwords frequently
6. Establish a security policy for employees and partners
Which PCI level applies to my business?
The type of PCI compliance you engage with depends solely on how many transactions you process.
You'll then know if you need to comply with Level 1, 2, 3 or 4 of PCI DSS compliance. This is regardless of if you are online retailer, or have physical storefront. We take a closer look at the different levels below.
|Header Cell - Column 0||Level 1 PCI compliance||Level 2 PCI compliance||Level 3 PCI compliance||Level 4 PCI compliance|
|Applicable if you process:||Over 6 million card transactions annually||1 to 6 million transactions annually||20,000 to 1 million transactions annually||Less than 20,000 transactions annually|
|Action to be taken||External auditor must conduct business assessment||Complete a self-assessment questionnaire (SAQ)||Complete a self-assessment questionnaire (SAQ)||Complete a self-assessment questionnaire (SAQ)|
If your business is completing more than six million transactions a year an External Auditor must conduct a business assessment. This is to support the business, offer guidance, and see how well it is meeting the PCI compliance standards. The auditor the submits a Report on Compliance (RoC).
PCI DSS myths debunked
The PCI Security Standards Council have put together a fantastic list of myths about PCI DSS that tend to deter businesses. A popular one is that it's too hard to setup. Beyond that, we've referenced other myths below, so you can quash industry gossip and become PCI compliant without any doubts.
Simply swipe through the slide deck, using the arrows either side of the slide.
What is the relationship between PCI DSS and EMV compliance?
PCI DSS is a set of security standards to implement alongside EMV technology. Meanwhile, EMV is incorporated to prevent fraud. Read our full guide to What is EMV?
While PCI compliance allows merchants the opportunity to take the right steps to protect their business and customers from fraud, it is not hacker-proof. Business owners should be mindful to look for other security layers that protect customer data.
Looking at years past, the most problematic areas merchants have with requirements include security system processes and testing, security policies and management, and maintaining secure systems.
In the end, business owners must take action and must think towards the future. As a society, our digital footprint is in its infancy and as technology evolves, so must security to protect merchants and consumers. Solutions can make a world of difference when smart processes and strategies are implemented in conjunction.