June 28, 2021

What is PCI Compliance and Why is it Important?

Written by: Samantha Hubay

Security is one of the primary concerns for most business owners today.

If you're a business owner yourself, you understand the importance of installing security cameras and alarms and ensuring your doors and windows are locked up at night.

At one point or another, you've probably worked with a security company to explore these options and more for your business.

Your security company representative likely shared their professional opinions with you and maybe some advice for how to keep your most valuable assets safe.

After working with a company like this, you probably feel pretty confident about how your security equipment works and what it does for your business. That's great!

Now, how much do you know about securing payment processing equipment and cardholder data?

If your instinct after reading that question is to furrow your brow or scratch your head, you're in the right place.

As a payment processor, we're kind of like a security consultant for your data. And today, we'd like to share some professional advice with you.

This post will tell you everything you need to know about maintaining compliant security standards for the safety of your business and your customers' payment data.


Table of Contents

  1. What Does PCI Compliance Mean?
  2. About the PCI SSC
  3. Why is PCI Compliance Important?
  4. What Are The Benefits Of PCI Compliance?
  5. PCI Security Requirements
  6. What Are The Requirements for PCI Compliance?
  7. How to Become Compliant
  8. Are There Consequences For Non-Compliance?
  9. What Are The PCI DSS Compliance levels?
  10. What Does It Cost To Be PCI Compliant?
  11. Resources for Business Owners

What Does PCI Compliance Mean?

The Payment Card Industry Data Security Standard (PCI DSS) is meant to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.

The PCI Security Standards Council (PCI SSC) administers and manages the PCI DSS. Launched on September 7, 2006, the Council maintains the PCI security standards and works to improve account security throughout the transaction process.

It's an independent body created by Visa, MasterCard, American Express, Discover, and JCB.

About the PCI Security Standards Council

If you accept credit card payments, you must achieve and maintain compliance with the standards set by the PCI Security Standards Council (PCI SSC).

The PCI SSC is a global organization that maintains, evolves, and promotes Payment Card Industry standards for the safety of cardholder data across the globe.

It was founded in 2006 by American Express, Discover, JCB International, Mastercard, and Visa Inc., who all share equally in the Council's ownership, governance, and execution.

The organization serves those who work with and are associated with payment cards, including merchants, financial institutions, point of sale vendors, and hardware and software developers.

The main priorities of the PCI SSC are to help merchants and financial institutions protect their payment systems from breaches and theft of cardholder data and help vendors understand and implement standards for creating secure payment solutions.

Violating PCI compliance can lead to hefty fines for you and your business.

Why PCI Compliance is Important

So, what does all this mean for you as a business owner?

To put it plainly, you, your bank, and your payment processor all need to adhere to the payment security standards set by the Council.

If you don't follow these standards and continue to accept credit card payments, you face devastating potential liabilities such as:

  • Diminished sales
  • Fines and penalties
  • Fraud losses
  • Legal costs, settlements, and judgments
  • Loss of customer confidence/trust
  • Termination of your merchant account

No one wants to deal with headaches and heartbreaks like these.

That's why maintaining PCI compliance is essential! Without it, you could be putting your entire business and all of your customers at risk.

What Are The Benefits Of PCI Compliance?

PCI DSS compliance is not a legal requirement, but it's necessary if your company works with a major payment card network.

Meeting the PCI DSS can be difficult, but compliance with PCI standards doesn't have to be a hindrance.

If you do it right, it's a business investment with several benefits.

When you achieve the appropriate level of PCI DSS compliance, your business can:

  • Work with payment processors to create an online marketplace.
  • Partner with card issuers to launch your payment card.
  • Meet other compliance standards, like GDPR or HIPAA, more easily.
  • Minimize the risk and impact of a breach.
  • Build trust with customers and partners.

Let's look at the specific standards you must follow to accept credit cards and how to become PCI compliant.

PCI Security Requirements

The best way to secure cardholder data and avoid losses like the ones mentioned above is to continuously monitor and enforce the use of controls specified in the PCI Data Security Standard (PCI DSS).

Now you may be wondering, what does the PCI Data Security Standard specify?

You can find all the details you need in the PCI DSS Quick Reference Guide. Some of the subjects explored in this document include:

  • PCI Data Security Standard
  • PIN Transaction Security Requirements
  • Payment Application Data Security Standard
  • Point-to-Point Encryption Standard
  • Card Production Logical Security Requirements and Physical Security Requirements
  • Token Service Provider Security Requirements

What Are The Requirements for PCI Compliance?

To be PCI DSS compliant, your business needs to complete all 12 requirements included in the security standard.

These 12 requirements contain hundreds of sub-requirements, which go well beyond firewalls, anti-virus software, strong passwords, and other security controls.

Some are difficult for smaller organizations to meet, especially if they don't have any help.

The 12 PCI requirements for PCI DSS compliance are:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Never use vendor-supplied defaults for system passwords or other security parameters
  3. Always protect stored cardholder data
  4. Encrypt transmission of cardholder data across open and public networks
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems, applications, and networks
  7. Restrict access to cardholder data by implementing strong access control measures
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a security policy that addresses information security for employees and contractors

Building a PCI-compliant information security infrastructure can be daunting for small and medium-sized businesses.

Each requirement involves expertise and a different cost and timeframe for successful implementation.

How to Become PCI Compliant

As we mentioned before, the PCI Security Standards Council is equally owned and governed by major credit card brands American Express, Discover, Mastercard, Visa, and JCB International.

This means that the individual card brands are responsible for validating and enforcing your compliance.

All brands have agreed to incorporate the PCI DSS (see the PCI DSS Quick Reference Guide) as part of the technical requirements for their data security programs.

However, they may have other requirements for you to follow.

The PCI SSC website provides a complete list of the card brands with links to their data security pages.

Once you have read and understood what is expected of your business from the card brands you accept and the PCI SSC, you must follow a three-step continuous process to become PCI compliant.

STEP ONE: ASSESS

Identify cardholder data, take an inventory of IT assets and business processes for payment card processing, and analyze them for vulnerabilities.

STEP TWO: REMEDIATE

Fix vulnerabilities and eliminate the storage of cardholder data unless absolutely necessary.

STEP THREE: REPORT

Compile and submit required reports to the appropriate acquiring bank and card brands.

Your payment processor should be able to help guide you through this process.

And because the process of achieving and maintaining PCI compliance is always ongoing, your payment processor should also be there to help make sure your business does not fall out of compliance.

If your current processor is not offering the support you need, reach out to Electronic Merchant Systems!

We have been a PCI-certified vendor for more than a decade and would be happy to help you achieve and maintain these essential security standards.

Are There Consequences For Non-Compliance?

Like we said earlier, PCI compliance is not a law, but being out of compliance can be a big deal.

If your business does not comply with PCI standards, you're at risk for data breaches.

If a breach does occur, you're at risk for fines, card replacement costs, costly forensic audits, and investigations into your business.

Penalties aren't highly publicized, but they can destroy your business.

Let's say your company violates PCI-compliance standards.

The first thing likely to happen is that the credit card brands levy a heavy fine, ranging from $5,000 to $100,000 per month, on your acquiring bank.

The bank often passes these fines along to the merchant and may terminate your contract or increase your transaction fees.

But the repercussions go beyond the financial cost.

According to the PCI SSC, failing to comply with PCI standards, and the data breaches that can follow, could result in:

  • Lost confidence from your customers
  • Decreased sales
  • The hassle and cost of reissuing new payment cards
  • Fraud losses
  • Increased costs of compliance
  • Legal fees, settlements, and judgments
  • Fines and penalties
  • The loss of the ability to accept payment cards
  • Lost jobs
  • Going out of business

What Are The PCI DSS Compliance Levels?

PCI DSS compliance has different levels based on how many credit card transactions you handle each year.

PCI Compliance Level 1 is the most stringent.

The guidelines for merchants are as follows:

  • Level 1: A business producing over 6 million card transactions per year or any company with a data breach.
  • Level 2: A business that processes between 1 million and 6 million card transactions per year.
  • Level 3: A business that processes between 20,000 and 1 million e-commerce card transactions per year.
  • Level 4: A business that processes fewer than 20,000 e-commerce card transactions per year or any business processing up to 1 million regular card transactions per year.

What Does It Cost To Be PCI compliant?

It can be costly to become and maintain a PCI-compliant business.

Your costs will depend on the type and size of your company and the compliance level to which you are held.

Level 4 is the cheapest level, and the price can range from $60 to $75 a month.

These costs include an Approved Scanning Vendor (ASV), who should complete a regular network or website scan.

It also includes completing a Self-Assessment Questionnaire (SAQ) and Attestation of Compliance by you or your staff.

Level 3 costs $1,200 a year and up. It includes regular scans by an ASV, and the price increases with the size of your computer network and the number of IP addresses.

It also includes the cost of completing the annual Self-Assessment Questionnaire and Attestation of Compliance.

Level 2 will cost you $10,000 or more. It includes scans by an ASV, and the price increases with the size of your computer network and the number of IP addresses.

It also includes the cost of completing the annual Self-Assessment Questionnaire and Attestation of Compliance.

Finally, level 1 can cost $50,000 a year or more and includes a regular network scan by an Approved Scanning Vendor, an annual Report on Compliance by a Qualified Security Assessor, and an Attestation of Compliance.

PCI SSC Resources for Business Owners

To learn more about building a solid data security foundation for your business, check out these resources on the PCI Security Standards Council's website.

Data Security Essentials Evaluation Tool

Self-Assessment Questionnaire

Frequently Asked Questions

We wish you luck on your quest for data security!

If you'd like to partner with a payment processor to help you maintain PCI compliance while simultaneously streamlining operations and improving the customer experience, contact us using the button below!


Source: PCI SSC