What every business needs to know about PCI compliance

For any business that accepts, processes, stores, or transmits payment card data, PCI DSS compliance belongs at the top of its must-do list. The Payment Card Industry Data Security Standard is a set of requirements intended to create a secure environment for cardholder data within every organization that handles card payments. The standard is administered by the PCI Security Standards Council (PCI SSC), an independent body founded in 2006 by the major payment card brands: Visa, MasterCard, American Express, Discover, and JCB. (The first version of the standard predates the council; the card brands published it jointly in 2004.) The council manages and maintains PCI DSS, but the card brands and their acquiring banks enforce compliance. PCI DSS is not a law: it is a contractual obligation that flows from the card brands through acquirers to merchants, and what began as a largely voluntary practice has become a condition of accepting payment cards at all. Any merchant wishing to take payment cards must attest to compliance or risk penalties and fines. The standard has been updated several times; at the time of writing the current version is 3.2.1. Compliance can be extraordinarily effective in protecting cardholder data and preventing data breaches. "Our data shows that we have never investigated a payment card security data breach for a PCI DSS compliant organization," Rodolphe Simonetti, global managing director for security consulting at Verizon, said in a statement about his company's 2019 Payment Security Report.

Top things to know about PCI compliance

For PCI DSS purposes, the size of a business doesn't matter. Any organization that accepts, transmits, or stores cardholder data must comply with PCI DSS, even one that uses an external payment provider and never stores cardholder data in-house. Organizations that outsource all card processing to PCI DSS validated third parties are, however, eligible for a much shorter validation checklist (see below). Although every business must comply regardless of size, transaction volume does determine how a merchant is classified, and therefore how it must validate its compliance. Each card brand defines its own merchant levels; the four levels below follow Visa's thresholds, measured over a 12-month period:

  • Level 1:

    Merchants processing more than 6 million card transactions annually. They must undergo an annual on-site assessment by a Qualified Security Assessor (QSA), documented in a Report on Compliance (ROC), and have their internet-facing systems scanned once a quarter by an Approved Scanning Vendor (ASV). ASV scans are non-intrusive and check remotely for vulnerabilities in operating systems, services, and devices that an attacker could use to break into the merchant's network from the internet.

  • Level 2:

    Merchants processing 1 million to 6 million card transactions annually. They must complete an annual Self-Assessment Questionnaire (SAQ), a series of yes-or-no questions used to determine the company's PCI DSS compliance status, which is signed off by an officer of the company. Quarterly ASV scans are typically required as well.

  • Level 3:

    Merchants processing 20,000 to 1 million e-commerce transactions per year. They must file an SAQ annually and may also be required to submit quarterly ASV scan reports.

  • Level 4:

    Merchants processing fewer than 20,000 e-commerce transactions annually, or up to 1 million transactions annually through other channels. They must file an SAQ annually and may be required to submit quarterly ASV scan reports.

Any merchant, regardless of how many payment card transactions it processes, may be moved to a higher level by the card brands if it suffers a data breach. In addition to the levels, there are nine SAQs for version 3.2.1, used to document an organization's compliance with PCI DSS. Their lengths range from 22 to 329 questions. Which SAQ applies depends on how the business accepts payment cards and handles cardholder data. For example, a card-not-present merchant that has fully outsourced all cardholder data handling to PCI DSS validated third parties would typically fill out SAQ A, while a merchant using a validated point-to-point encryption (P2PE) solution, with no electronic cardholder data storage, would fill out SAQ P2PE.

PCI DSS security controls

To be PCI DSS compliant, businesses must meet 12 requirements, grouped under six control objectives. They require entities handling cardholder data to do these things:

  • Install and maintain a firewall configuration to protect cardholder data.
  • Do not use vendor-supplied defaults for system passwords and other security parameters.
  • Protect stored cardholder data.
  • Encrypt transmission of cardholder data across open, public networks.
  • Use and regularly update anti-virus software.
  • Develop and maintain secure systems and applications.
  • Restrict access to cardholder data by business need-to-know.
  • Assign a unique ID to each person with computer access.
  • Restrict physical access to cardholder data.
  • Track and monitor all access to network resources and cardholder data.
  • Regularly test security systems and processes.
  • Maintain a policy that addresses information security.

Where an entity cannot meet a requirement as written because of a legitimate technical or documented business constraint, a compensating control may be used in its place. It must meet the intent and rigor of the original requirement, be documented, and be reviewed and validated by a PCI Qualified Security Assessor as part of the assessment.

Fines and penalties for PCI DSS non-compliance

If cardholder data is compromised in a data breach, a business can face fines of $50 to $90 per compromised cardholder. Worse, its relationship with its payment processor and acquiring bank may be terminated. Small businesses can expect to pay around $300 a year to maintain their PCI compliance, while larger enterprises can pay $70,000 or more. Fines and costs, though, shouldn't be a business's prime motivation for PCI DSS compliance; the price tag for non-compliance can be much higher. With the global average cost of a data breach pegged at $3.9 million, it's more important than ever for PCI DSS compliance to be a top priority for any business dealing with payment card data. PCI DSS is a relevant concern for most industries. To find out what your company needs to do to comply with this essential payment security standard, check out our PCI compliance checklist.