Understanding PCI Compliance

Understanding PCI compliance is essential for any business that accepts card payments, but what is PCI Compliance? 

PCI DSS (Payment Card Industry Data Security Standard) is a set of standards established by the PCI Security Standards Council with the aim of protecting credit card data and reducing the risk of fraud. Any business that accepts card payments must comply with the guidelines and requirements set, which means handling and maintaining cardholder’s information including card details in a way that keeps them secure.

What is PCI DSS compliance?

The PCI DSS standards were developed as a minimum standard to protect cardholder data from misuse and fraud. These standards were established by the Payment Card Industry Security Standards Council (PCI SSC), made up of American Express, Discover Financial Services, JCB International, MasterCard and Visa. 

 The level of compliance required for PCI DSS is determined by the number of transactions processed by the organization annually. The standard enforces controls dealing with the storage, transmission and processing of cardholder data through its 12 requirements.

What are the 12 Requirements of PCI Compliance?

Building and Maintain a Secure Network and Systems

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software or programs

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need to know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for all personnel

Different Roles in PCI Compliance

Achieving PCI DSS compliance depends on what role your organization plays in the payment process and the volume of transactions you process annually.

• Business Owners: Business owners must meet the requirements of their merchant account provider.
• Merchant Account Providers: Need to follow guidelines established by card networks. They also need to set requirements for businesses that hold merchant accounts.
• PCI Security Standards Council (PCI SSC): They set up broad security standards, they certify vendors, test and certify payment technology, and establish standards for payment gateway pci certification.
• Credit Card Networks (i.e. Visa and Mastercard): These networks founded the PCI Security Standards Council. Each develops its own set of specific requirements, guided by the security standards set by the PCI Security Standards Council.

Why and How to Become PCI Compliant

Merchants processing customer and payment data must put security first. Not only will you be subject to fines if your data is stolen or misused, but your sales and your reputation could also end up permanently damaged.  Ensuring credit card pci compliance means following guidelines and best practices to ensure transaction and personal data is properly handled and proactive measures to address risks to cardholder data.

Understanding the Different Levels of PCI Compliance Requirements

The PCI council created PCI Self-Assessment Questionnaires to validate your compliance. There are four different levels of PCI compliance. Which level of compliance your organization must meet is based primarily on the volume of credit card transactions you process in a 12 month period.

Level 1

Organizations that process more than 6 million transactions via Visa or MasterCard, or more than 2.5 million for American Express. OR have experienced a data breach. OR are deemed Level 1 by a card association, such as Visa, MasterCard or Amex.

Level 1 PCI DSS Requirements:

• Annual Report on Compliance by a Qualified Security Assessor (Also known as an onsite assessment or QSA )
• Quarterly network scan by Approved Scan Vendor (ASV)
• Attestation of Compliance for Onsite Assessments (AOC)

Level 2

Organizations that process between 1 to 6 million transactions annually.

Level 2 PCI DSS Requirements:

• Annual PCI DSS Self-Assessment Questionnaire (SAQ)
• Quarterly network scan by Approved Scan Vendor (ASV)
• Attestation of Compliance for Onsite Assessments (AOC)

Level 3

Organizations that process between 20,000 to 1 million online transactions annually. OR organizations that process less than 1 million total transactions annually.

Level 3 PCI DSS Requirements:

• Annual PCI DSS Self-Assessment Questionnaire (SAQ)
• Quarterly network scan by Approved Scan Vendor (ASV)
• Attestation of Compliance for Onsite Assessments (AOC)

Level 4

Organizations that process fewer than 20,000 online transactions annually. OR Organizations that process 1 million or fewer total transactions annually.

Level 4 PCI DSS Requirements:

• Annual PCI DSS Self-Assessment Questionnaire (SAQ)
• Quarterly network scan by Approved Scan Vendor (ASV)
• Attestation of Compliance for Onsite Assessments (AOC)

Page 18 of the Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire will help you choose the right SAQ and AOC for your organization.

How is PCI Compliance Enforced?

While companies are not legally required to be PCI DSS compliant, the Security Standards Council (PCI SSC) can impose penalties for noncompliance. The five founding payment card brands of American Express, Discover Financial Services, JCB International, MasterCard and Visa of the PCI SSC enforce PCI compliance. 

Every card company has their own unique requirements, deadlines, guidelines,  definitions and penalties for noncompliance. Businesses who are non-compliant can face an escalating series of penalties, ranging from fees to even account suspension for PCI non-compliance.

• Fees: PCI non-compliance fees typically appear on processing statements as $10-$100 per month. The individual card processors who validate compliance, meaning each card processor chooses whether to charge a PCI non-compliance fee, and if so, how much the fee is.
• Increasing Penalties: Depending on the type of business and the severity of noncompliance, processors may increase penalties. This can take the form of increased transaction fees.
• Account Suspension: If noncompliance is severe and persistent, your business could lose the right to accept payment cards or have your account suspended altogether.

How Expensive is PCI-DSS?

The cost of PCI compliance alone depends on factors like the business type, size, and the number of employees involved in processing data. The transaction volume, location, and physical hardware configuration can also be factors. Businesses without an in-house specialist knowledge to manage compliance may also need to budget for external consultants. For this reason, businesses should consider working with an international payment processor that already provides embedded data protection and security features.

What If I’m Not PCI Compliant?

Noncompliance is a strong indicator that your business is at risk of a data breach. Not only can the PCI SCC impose fines on businesses found to be non-compliant, but non-compliant businesses can also face significant consequences. These can include costly fines and penalties in addition to significant reputational damage. 

If cardholder data becomes compromised and account numbers have been fraudulently used, there can be additional costs. Your business could even lose the right to accept payment cards or have your account suspended. For these reasons, achieving PCI compliance is critical for all businesses.

PCI Compliance is Just the Beginning

Payment processors play an important role in helping merchants to manage and maintain compliance.  That’s why in addition to taking a proactive role as a business to understand your obligations and compliance requirements, it’s equally critical to choose the right payment processor. 

Rapyd has PCI DSS compliance covered, simplifying the process and removing the hassle for merchants. All of Rapyd’s products also include Rapyd Protect, which offers protection against fraud. Take advantage of a world-class anti-fraud platform with no additional cost, no fees and no coding background needed.