Whether you’re a software company developing cutting-edge solutions or a merchant handling customer transactions, safeguarding sensitive credit card information is critical. The Payment Card Industry Data Security Standard (PCI DSS) is the cornerstone of protecting payment data, serving as a comprehensive set of security standards applicable to businesses of all sizes. Compliance with the PCI DSS is mandatory for any organization that handles debit and credit card information. Let’s start with an overview of the PCI DSS and the steps to take to achieve and maintain full compliance.
Why you need payment security standards
Before transactions and information sharing moved online, companies would store their files physically in filing cabinets. To keep these files secure, they would be stored under lock and key, and only certain people could access certain files. Other physical paper trails included a log of who accessed the files and when, and who may have a file checked out for use.
Now, with information online, it can be more difficult to protect sensitive information and know exactly who has access to it. Even if you have security protocols in place, along with systems from third-party vendors, it doesn’t mean cardholder data is automatically protected. In short, there are more risks and attack vectors when information is stored online, so you need to take steps to ensure you protect sensitive data and fully comply with the PCI DSS.
Do I need to comply with the PCI DSS?
If your company accepts debit or credit card payments, you must comply with the PCI DSS. Your specific compliance requirements will depend on your company’s annual transaction volume. While each of the five payment card brands has its own compliance requirements, they are generally split across four levels:
- Level 1: Merchants that process over 6 million card transactions annually
- Level 2: Merchants that process 1 to 6 million transactions annually
- Level 3: Merchants that process 20,000 to 1 million transactions annually
- Level 4: Merchants that process fewer than 20,000 transactions annually
What are the penalties for non-compliance?
The penalties for PCI non-compliance are steep. Not only can a breach damage your company’s reputation, but there are financial consequences too, with acquiring banks, and regulators under the General Data Protection Regulation (GDPR), imposing penalties. Fines issued by the acquiring banks can range from $5,000 to $100,000 per month for every month of non-compliance. Further, fines of up to $500,000 can be issued for each security breach. In the event of a breach, the company is also required to contact every customer whose details were compromised, adding to the administrative burden and costs of non-compliance. Under the GDPR, administrative fines of up to EUR 20 million or 4 percent of annual global turnover (whichever is greater) can apply.
How to become PCI DSS compliant
To ensure your company is PCI compliant, the first thing you need to do is determine your compliance level and whether you need to submit a self-assessment questionnaire (SAQ), and, if so, which one. You may also need to complete a Report on Compliance (RoC). There are several SAQ types with differing requirements based on your merchant level. The more detailed SAQs require internal and external vulnerability scans and regular penetration testing. An SAQ can be completed internally.
In contrast, an RoC must be completed externally by a PCI Qualified Security Assessor (QSA). Once the requirements are satisfied, the QSA will issue a formal report to the PCI Security Standards Council. This report will attest that your company fully complies with the PCI DSS requirements.
If you’re unsure where to start with the PCI DSS, a gap analysis can help you determine your company’s current compliance level and what must be done to fully comply. Your PCI DSS gap analysis should include a detailed review of all compliance activities. These activities include on-site interviews with key staff, assessment of in-scope system components and configurations, a physical and logical data flow analysis, and identification and analysis of out-of-scope components.
What are the 12 PCI DSS compliance requirements?
There are 12 requirements under the PCI DSS. These are organized into six control objectives as outlined below.
| Control objective | Requirement(s) |
|---|---|
| Build and maintain a secure network | 1. Install and maintain firewalls to protect cardholder data; 2. Don’t use vendor-supplied defaults for system passwords and other security parameters |
| Protect cardholder data | 3. Protect stored cardholder data; 4. Encrypt transmission of cardholder data across open, public networks |
| Maintain a vulnerability management program | 5. Use and regularly update anti-virus software or programs; 6. Develop and maintain secure systems and applications |
| Implement strong access control measures | 7. Restrict access to cardholder data by business need-to-know; 8. Assign a unique ID to each person with computer access; 9. Restrict physical access to cardholder data |
| Regularly monitor and test networks | 10. Track and monitor all access to network resources and cardholder data; 11. Regularly test security systems and processes |
| Maintain an information security policy | 12. Maintain a policy that addresses information security for employees and contractors |
Ensure PCI DSS compliance with Payrix
Protecting cardholder data is a critical component of maintaining strong information security systems in your company. It doesn’t matter what size your organization is: any company that accepts debit or credit card payments must comply with the PCI DSS. A full-service payments partner will help you determine your level of compliance and ensure you establish and maintain the required infrastructure to achieve full PCI compliance now and into the future.
Learn more about PCI compliance, particularly understanding how to complete and submit a PCI Attestation of Compliance (AoC).