All businesses, especially growing ones, are concerned about the safety and security of their customers’ sensitive information and data. This is even more important when it comes to financial transaction data. Fortunately, the PCI DSS standard has been put in place to reduce breaches of this data at the corporate, banking and consumer level.
What is PCI DSS certification? Who is behind it? Who is it for? What are the benefits? How do you comply with it? What are the consequences of non-compliance? Find out everything you need to know about the PCI DSS standard in this guide.
What is the PCI DSS standard?
PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards established in 2004 by the major credit card companies Visa, MasterCard, Discover Financial Services, JCB International and American Express.
It applies to any organization (from start-ups to multinationals) that accepts, processes, transmits or stores sensitive credit card information or authentication data, including merchants, banks, payment processors and service providers.
Governed by the PCI Security Standards Council, this compliance scheme is designed to secure credit and debit card transactions against data theft and fraud. The Council itself has no legal authority to compel organizations to comply with PCI DSS. Compliance is nevertheless contractually required of any business that processes credit or debit card transactions.
PCI certification is considered the best way to protect sensitive data and information, helping businesses build long-lasting, trusted relationships with their customers.
The 12 requirements for PCI DSS compliance
The requirements of the PCI DSS are both operational and technical, and their main objective is to protect cardholder data. There are 12 of them; here is a summary of the PCI compliance requirements:
1- Install and maintain a firewall configuration to protect cardholder data
2- Avoid using vendor default settings for system passwords and other security settings
3- Protect stored cardholder data
4- Encrypt the transmission of cardholder data over open public networks
5- Protect all systems from malware and regularly update antivirus software or programs
6- Develop and maintain secure systems and applications
7- Restrict access to cardholder data to individuals who need it for their job
8- Assign a unique identifier to each person with computer access
9- Restrict physical access to cardholder data
10- Track and control all access to network resources and cardholder data
11- Regularly test security systems and processes
12- Define a policy that addresses information security for employees and contractors
What are the PCI DSS compliance levels?
PCI compliance is divided into four levels, depending on the annual number of credit or debit card transactions a company processes. The steps a company must take to remain compliant with the standard are based on its classification level.
Level 1: Level 1 is for merchants that process more than six million credit or debit card transactions each year. They are required to undergo an internal audit once a year, performed by an approved PCI auditor.
Level 2: Level 2 is for merchants that process between one and six million credit or debit card transactions per year. They are required to complete a self-assessment questionnaire provided by the PCI Security Standards Council once a year. In addition, a quarterly PCI audit may be required.
Level 3: Level 3 is for merchants who process between 20,000 and one million credit or debit card transactions annually. They must complete an annual assessment using a self-assessment questionnaire. A quarterly PCI audit may also be required.
Level 4: Level 4 applies to merchants who process fewer than 20,000 e-commerce transactions per year. An annual assessment using the self-assessment questionnaire must be completed and a quarterly PCI audit may be required.
What are the benefits of PCI DSS compliance?
Looking at the process involved, complying with PCI security standards can seem like a daunting task. The process looks like a maze for small businesses, and even for large organizations. Yet compliance is becoming increasingly important in today's digital age, with the explosion of e-commerce.
PCI DSS compliance has major benefits, especially since failure to comply can have serious and long-term consequences. In practical terms, PCI compliance means that your systems are secure and that your customers can trust you with their sensitive payment card information. This trust leads to customer loyalty.
PCI compliance enhances your reputation with buyers and with payment processors. It is an ongoing process that helps prevent security breaches and payment card data theft at any time.
When you take steps to meet PCI compliance, you are better prepared to comply with additional regulations. It also contributes to your company’s security strategies. And it likely helps improve the efficiency of your IT infrastructure.
What are the consequences of not being PCI compliant?
Organizations found to be non-compliant with PCI DSS requirements face fines of up to $500,000 and increased transaction fees. Worse yet, their relationship with their bank may be permanently damaged.
They could also find themselves on the high-risk merchant list, which means they would never be allowed to process card payments again. Other possible consequences of PCI non-compliance are:
- Increased PCI DSS compliance requirements
- Reputation damage
- Doubts about your ability to run your business effectively
- Stock price deterioration for publicly traded companies
Insurance claims and government fines are other consequences of PCI non-compliance. So whatever the size of your organization, you might as well do what is necessary to avoid all of these direct and indirect penalties and damages.