The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards formed in 2004 by Visa, MasterCard, Discover Financial Services, JCB International and American Express. Governed by the Payment Card Industry Security Standards Council (PCI SSC), the compliance scheme aims to secure credit and debit card transactions against data theft and fraud.
While the PCI SSC has no legal authority to compel compliance, it is a requirement for any business that processes credit or debit card transactions. PCI certification is also considered the best way to safeguard sensitive data and information, thereby helping businesses build long lasting and trusting relationships with their customers.
PCI certification ensures the security of card data at your business through a set of requirements established by the PCI SSC. These include a number of commonly known best practices, such as:
In addition, businesses must restrict access to cardholder data and monitor access to network resources.
PCI-compliant security provides a valuable asset that informs customers that your business is safe to transact with. Conversely, the cost of noncompliance, both in monetary and reputational terms, should be enough to convince any business owner to take data security seriously.
A data breach that reveals sensitive customer information is likely to have severe repercussions on an enterprise. A breach may result in fines from payment card issuers, lawsuits, diminished sales and a severely damaged reputation.
After experiencing a breach, a business may have to cease accepting credit card transactions, or be forced to pay higher subsequent charges than the initial cost of security compliance. The investment in PCI security procedures goes a long way toward ensuring that other aspects of your commerce are safe from malicious online actors.
PCI compliance is divided into four levels, based on the annual number of credit or debit card transactions a business processes. The classification level determines what an enterprise needs to do to remain compliant.
Level 1: Applies to merchants processing more than six million real-world credit or debit card transactions annually. Conducted by an authorized PCI auditor, they must undergo an internal audit once a year. In addition, once a quarter they must submit to a PCI scan by an Approved Scanning Vendor (ASV).
Level 2: Applies to merchants processing between one and six million real-world credit or debit card transactions annually. They’re required to complete an assessment once a year using a Self-Assessment Questionnaire (SAQ). Additionally, a quarterly PCI scan may be required.
Level 3: Applies to merchants processing between 20,000 and one million e-commerce transactions annually. They must complete a yearly assessment using the relevant SAQ. A quarterly PCI scan may also be required.
Level 4: Applies to merchants processing fewer than 20,000 e-commerce transactions annually, or those that process up to one million real-world transactions. A yearly assessment using the relevant SAQ must be completed and a quarterly PCI scan may be required.
The PCI SSC has outlined 12 requirements for handling cardholder data and maintaining a secure network. Distributed between six broader goals, all are necessary for an enterprise to become compliant.
Below is a list of the benefits to a business when they implement PCI DSS:
Decreased risk of security breaches
PCI compliance isn’t just about satisfying a list of guidelines — it’s a very real and proven way to protect you and your customers data from outside attacks. In fact, a recent Version study found that compliant businesses are 50% more likely to successfully withstand a breach.
With breaches much less likely to happen, you’ll have one less thing to worry about in the daily course of running your business. You’ll appreciate this peace of mind, and over time, your customers will, too (see the next benefit below).
Your customers may not currently understand every detail about what it means to be compliant, but their awareness about the issue is growing. Every day, more and more of your customers are growing savvy about how their data is protected when they use their credit cards. It’s only a matter of time before customers see PCI compliance as a sign that your business follows best practices. That feeling of security will directly increase buyer's confidence, and make them more likely to choose you over a non-compliant competitor.
PCI compliance dramatically lowers your likelihood of getting breached, but it doesn’t completely eliminate the possibility. If you are breached, fines can grow as high as $500,000 per incident. Companies who are PCI compliant significantly reduce their risk of a breach, and therefore, their likelihood of receiving a fine. If a company is breached, regardless of their state of compliance, they must immediately inform customers and their processor of the data breach in writing. The processor or bank will initiate an audit on that company to see if the merchant was in fact PCI DSS compliant at the time of the breach.
This is one benefit that comes from what PCI compliance doesn’t do: with the right partner, you won’t have to make any substantial changes or disruptions to your business while attaining compliance. The process may seem complicated (and in many ways, it is), but a good compliance partner will shield you from the complexities and make it seem simple.
Being compliant with PCI DSS means that you are doing your very best to keep your customers valuable information safe and secure and out of the hands of people who could use that data in a fraudulent way. Not holding on to data reduces the risk that your customers will be affected by fraud.
The first thing a merchant needs to do is to fully understand how card payments are processed in your organisation. In particular if your e-commerce environment is capturing, storing, processing or transmitting card data then think very carefully whether this is really necessary?