There are so many abbreviations you need to know to run a business effectively, from UX, AIDA, SaaS, KPI and KISS onward, but if your business takes credit card payments, there is one abbreviation you should focus on above all others: PCI DSS. The Payment Card Industry Data Security Standard sets the baseline controls for protecting cardholder data, but it protects customers and merchants only to the extent that you actually implement and maintain those controls.
Unfortunately, PCI compliance is a labyrinthine field, and working through it on your own is hard. This guide takes you step by step through where the standard came from, what it requires, how compliance is validated, and what non-compliance costs, so you can secure your customers and your business into the future.
History of the PCI DSS
Protecting consumers and merchants from card-data theft might seem like an essential activity that should always have existed, but the PCI DSS is relatively young: the first version of the standard was released in December 2004, and the PCI Security Standards Council that now maintains it was formed in 2006. By then the internet was fully established as an invaluable tool for business, and as payment processes moved online, and consumers grew comfortable entering payment information at digital portals, card-data theft became increasingly common.
To combat the rising risks of digital payment, the five largest card brands, Visa, MasterCard, Discover, American Express, and JCB, joined to form the PCI Security Standards Council. Together, the brands adopted the PCI DSS as a single common standard to reduce breaches of cardholder data. From then on, any merchant that wanted to accept card payments was required to be PCI compliant.
What Is Compliance?
Every merchant that accepts card payments must maintain PCI compliance by adhering to the same set of security requirements. What varies is how compliance must be validated, which is determined by PCI compliance levels based primarily on a merchant's annual transaction volume. To make matters thornier, each of the five card brands defines its own levels and validation requirements, which is one reason some sellers choose not to accept certain cards.
For example, Visa places merchants that process more than six million Visa transactions a year in Level 1, and e-commerce-only merchants that process fewer than 20,000 Visa e-commerce transactions a year in Level 4. American Express, by comparison, sets its Level 1 threshold at 2.5 million transactions a year and has no Level 4. This complexity leads many merchants to rely on third-party PCI compliance service providers, who track the shifting rules and help ensure complete compliance.
Regardless of level, the standard's twelve requirements fall under the umbrella of the following six goals:
- Build and maintain a secure network and systems. Install and maintain a firewall configuration that protects cardholder data, and never use vendor-supplied defaults for passwords and other security parameters.
- Maintain an information security policy. The policy should define security responsibilities and be communicated to all employees and contractors who handle cardholder data or the systems around it.
- Protect cardholder data. Stored primary account numbers (PANs) must be rendered unreadable, for example with strong encryption, truncation, or tokenization; sensitive authentication data such as the full magnetic stripe, CVV, or PIN must never be stored after authorization; and cardholder data sent over open, public networks must be encrypted in transit.
- Implement strong access control measures. Restrict access to cardholder data to people with a business need to know, give every user a unique ID, and restrict physical access to systems that hold cardholder data.
- Maintain a vulnerability management program. Keep anti-malware software current on systems commonly affected by malware, apply security patches on a defined schedule, and develop and maintain secure systems and applications.
- Regularly monitor and test networks. Log and monitor all access to network resources and cardholder data, and test security systems and processes regularly, including vulnerability scans and penetration tests, to find weaknesses before an attacker does.
Merchants at higher levels receive more scrutiny because they carry more liability, but lower-level merchants are certainly not ignored: no merchant that accepts cards can avoid PCI compliance.
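The "protect cardholder data" goal is where merchants most often slip in practice, not in the payment form itself but in application logs, support tickets and error reports that capture a full PAN or a CVV. The script below is an added example written for this guide, not code from the standard or the Council: it shows a Luhn check, the first-six/last-four display mask the standard permits, and a log-line redactor that masks any Luhn-valid PAN and strips CVV values before a line reaches disk. The log lines and card numbers are constructed test data (industry test PANs, not real accounts), and the field names `pan=`, `cvv=` and `order=` are assumed for the example.

```python
"""Added example: masking PANs and scrubbing sensitive authentication data.

PCI DSS requires the PAN to be rendered unreadable wherever it is stored and
masked when displayed (at most the first six and last four digits visible), and
forbids storing sensitive authentication data (CVV, full track, PIN) after
authorization. Log files are a common place where both rules are broken.
"""
import re

# 13-19 digits with optional single space or dash separators, not embedded in
# a longer digit run. Deliberately loose: the Luhn check weeds out false hits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field names for card security codes (assumed for this example).
SAD_RE = re.compile(r"(?i)\b(cvv2?|cvc|cid)=\d{3,4}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return the PAN with only the first six and last four digits visible.

    Separators are dropped, so '4111 1111 1111 1111' -> '411111******1111'.
    Raises ValueError for strings that cannot be a PAN.
    """
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19) or not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(line: str) -> str:
    """Mask every Luhn-valid PAN in a log line and remove security codes.

    Digit runs that look like a PAN but fail Luhn (order ids, timestamps)
    are left untouched, so the redactor does not mangle ordinary log data.
    """
    def _mask(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return match.group(0)

    line = PAN_RE.sub(_mask, line)
    return SAD_RE.sub(r"\1=[removed]", line)


if __name__ == "__main__":
    # Constructed sample lines using published test card numbers.
    sample_lines = [
        "2024-05-01T12:34:56Z checkout user=alice pan=4111 1111 1111 1111 cvv=123 order=1234567890123456",
        "2024-05-01T12:35:02Z refund user=bob pan=378282246310005 cid=9876 amount=42.00",
        "2024-05-01T12:35:10Z ping order=1234567890123456 status=ok",
    ]
    for raw in sample_lines:
        print(redact_pans(raw))
```

Run it as a filter in front of whatever writes your application logs; the point is that the check happens before the line is persisted, because once a PAN is on disk that disk is in scope for the standard. The 16-digit `order=` value is kept intact in the output because it fails the Luhn check, which is why the checksum, not the regex alone, decides what gets masked.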
What Are the Consequences?
To prove that they are following the rules, merchants must validate compliance throughout the year: most complete an annual Self-Assessment Questionnaire (SAQ), merchants with internet-facing systems in scope must pass quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), and Level 1 merchants must undergo an annual on-site assessment by a Qualified Security Assessor (QSA) that produces a Report on Compliance. Those that fail these tests, or otherwise do not live up to the standard, are subject to severe consequences.
The PCI DSS is not itself a law, so merchants who fail to comply are not at direct risk of governmental fines or sanctions. The obligation is contractual: the card brands can impose heavy fines of their own, from $50,000 to $100,000 per month of non-compliance, which are levied on the merchant's acquiring bank and passed on to the merchant. Furthermore, non-compliant merchants are more likely to suffer data breaches, which can be even more financially devastating than fines. Setting aside the brand damage and loss of consumer confidence, breached sellers typically incur costs from fraud, reissuing payment cards, forensic investigations, legal battles, and lost jobs. It isn't uncommon for small businesses to go bankrupt after a data breach, especially one that resulted from PCI non-compliance.
This year alone, businesses lost $7 million to data breaches. By maintaining PCI compliance, you reduce your exposure and your chance of contributing to that rising number.