Being PCI compliant means that your business has taken the necessary first steps towards protecting your customers' valuable personal data. Security is the number one concern of most customers as they hand over their credit cards to complete a purchase, and they have every right to be concerned. Credit card fraud is a big business that has seen tremendous growth in the last decade or so. No business seems immune: every few weeks, a massive data breach makes headlines. Some newsworthy data breaches in the last year alone include Adobe, eBay, Equifax, NASA, and even the payroll giant, ADP.
Just this month, April 2021, the personal data of 533 million Facebook users, including names, phone numbers, locations, bios, and email addresses, was posted online in a free, relatively obscure hacking forum. In the same week, over 500 million user profiles from LinkedIn were posted for sale on the Dark Web. Those profiles included names, phone numbers, email addresses, and other work-related data. Two weeks later, Geico filed a report that hackers had accessed an undisclosed number of customer driver’s licenses, including names, addresses, birthdates, and other personal data from the affected customers.
The costs to patch and repair breaches are high, often in the millions of dollars. Even worse, the cost of winning back the trust of those affected is incalculable. Nearly a third of those customers involved in a data breach will leave with no intention to return.
By ensuring that your business is PCI compliant, you create multiple layers of protection for your customers, their data, and your brand’s reputation. Let’s review what it means to become and remain PCI compliant.
What is PCI Compliance?
PCI DSS is the acronym for the Payment Card Industry Data Security Standard. The PCI DSS, most commonly referred to simply as PCI, is a set of security standards put in place in 2004 to ensure that companies securely process and transmit customer payment information. Visa, Discover, Mastercard, American Express, and JCB jointly created the PCI Security Standards Council (PCI SSC) to oversee the development and implementation of the PCI security standards and to ensure that organizations take the proper precautions to safeguard customers' data. The PCI SSC does not enforce PCI compliance; it merely develops and maintains the standards. The credit card companies themselves handle enforcement.
Adhering to a list of security requirements may sound easy, but doing so takes time, is an ongoing effort, and can become overwhelming. Here are the 12 requirements of PCI DSS:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data to personnel with a business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
PCI Compliance Levels
There are four PCI compliance levels, each based on how many credit card transactions a business processes in a single year using Visa, Mastercard, and Discover. Other credit card companies, such as American Express, have their own transaction thresholds.
- Level 1: The highest level of PCI compliance, required of businesses that process over 6 million transactions per year.
- Level 2: Businesses that process 1 to 6 million transactions per year.
- Level 3: Businesses that process 20,000 to 1 million transactions per year.
- Level 4: Businesses that process fewer than 20,000 transactions per year.
How do I Get Started?
- Determine your PCI compliance level using the list above.
- Complete a self-assessment questionnaire on the PCI Security Standards Council website, where you will find several versions tailored to how your business handles credit card data. For example, if you only accept card payments online via a third party, you'd fill out Questionnaire A. If you use a payment terminal connected to the internet, you'd fill out Questionnaire B-IP.
- Build a secure network. The answers you provide on your questionnaire will reveal any weaknesses in your credit card infrastructure and processes and will give you steps to resolve them.
- Attest your compliance. An Attestation of Compliance (AOC) is the form you use to report that you've achieved PCI DSS compliance. You must score 100% on your questionnaire to proceed.
Who is Responsible for PCI Compliance?
The short answer is: you are. You'll make decisions about how you'll manage your PCI compliance based on your business's size and organizational structure. A level 4 brand will probably have a small in-house army to ensure that every precaution is taken to safeguard customer data. Smaller-volume businesses typically outsource their payment processing to PCI-certified third-party merchant services providers that ensure compliance. Add a PCI Approved Scanning Vendor (ASV) as an additional layer of protection, and you'll virtually eliminate the risk of a data breach. You still need to carefully manage the employees and vendors you contract with. Do your research, ask questions, and train your employees to safely handle one of your customers' most valuable assets.
Fees for Compliance
Merchant services providers are notorious for charging additional fees for certain services without disclosing them during the sales process. A favorite is the PCI compliance fee. What exactly is the provider doing to keep your business PCI compliant? If their services add value, then why are they buried in the fine print of the contract? Don't pay for anything until you understand what you're getting.
Fees for Non-Compliance
What happens if my business is not compliant? Non-compliance can lead to compromised data, legal action, loss of customer trust, loss of revenue, and hefty fines from the credit card companies, ranging from $5,000 to $100,000. And these penalties add up: the longer you remain out of compliance, the steeper the fines get.
Payline Fees for Compliance
More reputable merchant services providers like Payline Data don't charge a PCI compliance fee. Fraud protection is built into our service package.