If you’re looking to scale up your business, there has never been a better time to do it. With a range of online payment systems, virtual terminals and integrative eCommerce platforms to choose from, selling online and overseas has never been easier.
But as boundaries to trade are broken down, new rules and regulations are devised to ensure both businesses and customers stay safe and protected. That’s where PCI DSS Compliance comes in.
We’re going to break down everything you need to know about PCI DSS Compliance, including its definition, the different levels, the consequences of non-compliance, how to be compliant, and how much it costs to be compliant.
What is PCI Compliance?
PCI DSS, or the Payment Card Industry Data Security Standard, is a set of requirements that aim to limit the cost to the consumer, businesses and financial institutions by reducing the number of data breaches. It sets the bar for organisations to safely and securely accept, store and process cardholder data used in credit card transactions to prevent fraud and cut data breaches.
PCI DSS goes all the way back to December 2004. Up against a rising tide of credit card fraud, industry leading credit card companies (namely American Express, Discover Financial Services, JCB International, Mastercard and Visa) convened to develop a common security standard.
In 2006 they established the PCI Security Standards Council (PCI SSC) to oversee the continued development of the standards. But PCI Compliance has come on leaps and bounds since 2004. It now stipulates firewall and antivirus software requirements, secure authentication methods and has a greater focus on the shared responsibility between third parties when handling sensitive information.
Levels of PCI Compliance
Just as there are different sizes of businesses with varying degrees of risk, so too are there different levels of PCI compliance that apply. The level of PCI Compliance required by a merchant depends on the number of transactions they process each year:
- Level 1: Over 6 million transactions annually.
- Level 2: 1 to 6 million transactions annually.
- Level 3: 20,000 to 1 million transactions annually.
- Level 4: Fewer than 20,000 transactions annually.
Is PCI Compliance mandatory?
There are no “if”s and no “but”s - PCI Compliance is obligatory. Failure to comply can have serious consequences for both your business and the customer.
What happens if you are not PCI compliant?
If you are non-compliant, you stand a much greater risk of catastrophic data breaches, putting your customers’ credit card data at risk.
Card brands will also administer fines to acquirers who process payments for any merchants involved in a data breach that have failed to comply with PCI DSS requirements. The fine is then passed to the merchant, along with other costs for replacement cards and increased card processing fees.
Fines may range from £3,000 to £60,000 depending on your agreement with the acquiring bank. You may also face an on-site forensic audit and be forced to move up to a higher, and therefore more expensive, compliance level.
What is needed for PCI compliance?
The latest set of security standards, PCI DSS 3.2.1, features 12 main requirements, loosely grouped under 6 main goals, with over 300 security controls that must be met in order to be considered PCI DSS Compliant:
Goal 1: Build and Maintain a Secure Network and Systems
- Set up and maintain a firewall configuration to protect cardholder data.
- Ensure that you change all vendor supplied system passwords and revise other default security parameters.
Goal 2: Protect Cardholder Data
- Protect all stored cardholder data by masking primary account numbers on receipts and limiting access to things like cryptographic keys and hard copies of data.
- Ensure that transmission of cardholder data is encrypted across all open and public networks.
Goal 3: Maintain a Vulnerability Management Program
- Protect all systems against malware and regularly update anti-virus software to ensure that data remains secured against the latest threats.
- Develop secure systems and applications and ensure that these are maintained and updated regularly.
Goal 4: Implement Strong Access Control Measures
- Only permit access to cardholder data where necessary - i.e. allow access to sensitive data on a “need to know” basis.
- Use unique IDs to authenticate access to system components to reduce risk and improve traceability.
- Restrict physical access to removable devices or hardcopies that store cardholder data.
Goal 5: Regularly Monitor and Test Networks
- Log and monitor access to all network resources and cardholder data to facilitate forensic investigation.
- Regularly test security systems with vulnerability scans and penetration testing and update systems and processes accordingly.
Goal 6: Maintain an Information Security Policy
- Maintain a policy for employees and contractors that addresses information security.
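Two of the goals above are easy to check in code: Goal 2’s masking of primary account numbers (PANs) and Goal 5’s monitoring of logs for cardholder data that should not be there. The following is an added example, not code from the original article or from the PCI SSC. It implements a Luhn (mod 10) check to tell card numbers apart from other digit runs, masks a PAN for display within the “first six, last four at most” limit that PCI DSS 3.2.1 requirement 3.3 places on displayed PANs, and scans constructed log lines for unmasked PANs. The card numbers and log lines are constructed test data; the function names are my own.

```python
"""Added example (not from the original article): PAN masking for display and a
scanner that flags unmasked PANs in log lines. All sample data is constructed;
the card numbers are industry test numbers, not real accounts."""
import re
from typing import List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not adjacent to further digits (so a longer number is not split into pieces).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) checksum, used to weed out non-card digit runs such as order ids."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 0, keep_last: int = 4) -> str:
    """Mask a PAN for display. PCI DSS 3.2.1 req. 3.3 allows at most the first six
    and last four digits to be shown; receipts commonly show only the last four."""
    if keep_first > 6 or keep_last > 4:
        raise ValueError("PCI DSS 3.3 permits at most the first six and last four digits")
    digits = re.sub(r"[ -]", "", pan)
    if not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * hidden + digits[len(digits) - keep_last:]


def scan_log_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, masked_pan) for every Luhn-valid PAN found in the lines.
    The finding itself is masked so the monitoring output does not repeat the leak."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                findings.append((n, mask_pan(digits)))
    return findings


# Constructed sample log: one correctly masked entry, two leaked PANs, and a
# 17-digit reference number that fails the Luhn check and is correctly ignored.
SAMPLE_LOG = [
    "2024-01-15T10:01:02Z INFO  order=ORD-0001 pan=************1111 amount=19.99",
    "2024-01-15T10:01:09Z DEBUG raw request: {\"card\": \"4111 1111 1111 1111\"}",
    "2024-01-15T10:02:44Z INFO  order=ORD-0002 ref=12345678901234567 status=ok",
    "2024-01-15T10:03:10Z ERROR gateway timeout for 5555555555554444 after 30s",
]


if __name__ == "__main__":
    for line_no, masked in scan_log_lines(SAMPLE_LOG):
        print(f"line {line_no}: unmasked PAN found, ends {masked[-4:]}")
```

Run against the constructed log it reports lines 2 and 4 and ignores line 3, because the reference number does not pass the Luhn check. A check like this belongs in the log pipeline or in a periodic job over application logs, since a DEBUG statement that prints a raw request is exactly how cardholder data ends up stored where the standard says it must not be.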
As a business, you must follow several steps to renew and re-verify your PCI DSS Compliance. They vary depending on the level of your business:
Level 1
Annually:
- File a Report on Compliance (ROC) prepared by a Qualified Security Assessor (QSA) or Internal Auditor. If using an Internal Auditor, they should have obtained the PCI SSC Internal Security Assessor (ISA) certification.
- Submit an Attestation of Compliance (AOC) Form.
Quarterly:
- Use an Approved Scanning Vendor (ASV) to conduct a quarterly network scan.
Levels 2, 3 and 4
Annually:
- Complete the relevant Self-Assessment Questionnaire (SAQ).
- Submit an Attestation of Compliance (AOC) Form.
Quarterly:
- Use an Approved Scanning Vendor (ASV) to conduct a quarterly network scan.
What is the cost of PCI DSS Compliance?
PCI Compliance does come at a cost, but it is significantly cheaper than non-compliance. If you’re a level 1 merchant, expect a full audit to cost as much as £50,000 each year. Don’t worry though - costs are generally much lower than this if you’re a level 3 or 4 merchant.
If you experience a security breach and you are not PCI compliant, you can expect fines of up to £79 per record. Even if you’re a small business that’s only processed a few hundred transactions, that can soon add up to a crippling fine.
If you’re a savvy shopper and don’t want the extra headache of having to manually ensure you meet PCI compliance standards, you may want to outsource all of your payment processing to a PCI DSS validated third party merchant services provider. Any additional costs you would have incurred will be included in your monthly fees.
Conclusion
Whether you take credit or debit card payments at an in-store Point of Sale with a PDQ Machine, through a virtual terminal or using an online payment gateway - you need to be PCI DSS compliant.
Things like contactless cards and ‘one-click’ checkout have meant that the customer experience is now more streamlined than ever before - and that’s great for conversions. But as services become ever-more connected, data protection is crucial. Without PCI DSS Compliance, not only do you stand to lose money, but your reputation as a business could be tarnished beyond repair.
Thankfully, many payment processing providers, payment gateways and eCommerce platforms now make it incredibly easy to become PCI Compliant with an inclusive monthly fee. You can find out more about this in our “what is a virtual terminal” and “what is a payment gateway” posts.
To make savings of up to 40% on your next card payment solution, check out our card processing fees comparison tool!