PCI compliance is a set of requirements designed to ensure that ALL companies that process credit and debit card transactions and hold cardholder data (even encrypted or tokenized) are validated as compliant with the Payment Card Industry Data Security Standard (PCI DSS).
What is the PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes. The standard was created to increase controls around personal data and reduce fraud.
How difficult is it to become PCI Compliant?
To be compliant you will need to meet ALL of the requirements, and if you don’t meet them all, you will need to show “Acceptable Progress” towards doing so. The process of becoming compliant can be extremely expensive (hundreds of thousands of dollars), and the price tag is only likely to increase with time.
What are the requirements?
There are 12 requirements in total: 7 general controls, 4 network-specific controls and 1 system-specific control. A list of some of the controls can be found on the PCI website.
What are the fines for non-compliance?
There is no set fine for non-compliance; however, if you process or store cardholder data (credit, debit or any other kind), then you are required to validate compliance. If you are compliant with the PCI DSS but validate your compliance in a way that is deemed incorrect or misleading, then there can be fines of up to $100,000 per month, per instance.
Why do I need to become PCI Compliant?
The requirements for PCI DSS Compliance were created by VISA and MasterCard in order to protect cardholders from being defrauded. The PCI DSS requirements were developed as a way for companies that offer credit and debit card processing services to validate their compliance with the security standards required by these major card brands.
What happens if I do not meet the requirements?
You may have chosen a payment processor or merchant account because they said they were PCI Compliant. If you are processing credit card transactions, then you should expect your acquirer or payment processor to hold you accountable to this standard! You will also find it difficult to find a new provider if you are not compliant with the PCI DSS!
Are there any third-party audits I can use?
There are many companies offering services and technology to enable you to validate your compliance; however, the PCI Council only recommends third-party audits. Those recommended by the PCI Council can be found on the PCI Council website.
Can I become compliant before I need to?
It is possible; however, remember that it can be expensive and time-consuming (weeks or months). If you can’t do it all at once, then try to show “Acceptable Progress” each year.
What if I am processing less than 20,000 transactions per year?
You are still required to become compliant; however, the requirements will be somewhat different (and probably easier). Contact your acquirer for further information.
Does this apply to me if I only accept online payments?
If you are processing ANY card transactions (including eChecks), then yes, it does. This also means that if you store or transmit cardholder data, this applies to you even if the transaction did not originally take place in your business!
If I become compliant, will I be immune from cyber attacks?
No; the PCI DSS was not designed to protect you from any specific threat or vulnerability. The point of compliance is to reduce a business’s risk profile and thus lower the probability that a criminal attack could succeed in stealing your data.
Is it worth it?
For most merchant accounts, validating the security standards they are required to meet should be part of their compliance process. As processing volumes increase, so does the chance of an attack, so it is worth spending time and money becoming compliant. Just remember: if you do not become compliant, don’t be surprised if your acquirer drops you for this reason alone!