If your company accepts credit card payments, you should be familiar with PCI DSS compliance. You may also think that your company is so small or so few of your financial transactions involve credit cards that you don’t have to worry about PCI compliance. That’s an incorrect assumption. Any business that accepts credit cards is required to follow PCI compliance standards. They are designed to protect the data shared by your customers, but PCI compliance also protects your business in the event of a data breach. With the increased focus on data privacy and the new privacy regulations coming on board, you’ll likely find that PCI compliance plays a large role in your overall cybersecurity.
The Basics of PCI
PCI DSS stands for Payment Card Industry Data Security Standard. It first went into effect in 2006 with the goal to ensure that credit card data is secured the same way throughout the industry. The major credit card companies – Visa, Mastercard, Discover and American Express – set up the PCI Security Standards Council to manage and administer PCI DSS.
While every company that relies on credit card transactions needs to be PCI compliant, there are different merchant levels depending on a year’s transaction volume, which are determined by the individual credit card company. In general, these levels are:
Level 1: More than 6 million transactions per year.
Level 2: Between 1 million and 6 million transactions per year.
Level 3: 20,000 to 1 million transactions per year.
Level 4: Fewer than 20,000 transactions per year.
The levels help to determine a risk assessment and security validation for individual businesses, and in turn, that determines the requirements to pass the PCI DSS assessment. For smaller businesses, there is a self-assessment questionnaire to submit. You may also need to pass a vulnerability scan, which is conducted by a PCI SSC Approved Scanning Vendor.
There are also 12 security goals that must be met. These goals are:
- Having a firewall configuration to protect the card holder’s data.
- Do not use vendor-created or default passwords.
- Provide multiple layers of security defenses to protect stored data.
- Encrypt all data transmissions.
- Use and update anti-virus software.
- Use secure systems and applications. Including training your developers on Secure Coding.
- Limit access to credit card data to only those employees who need it.
- Anyone with access to the computer with the data should have a unique ID.
- Restrict physical access to the data.
- Monitor all access to network resources and card data.
- Regular testing of security systems.
- Create and maintain a security policy.
These are just the first steps to becoming PCI compliant. While they seem daunting – meeting PCI standards can be a time consuming and sometimes discouraging task – not meeting PCI compliance can be devastating to your organization. Not only will you required to pay hundreds of thousands of dollars in fines, you could see transaction rates increase and it could damage your ability to do business with banks. It also can make your company more vulnerable to cyberattacks and data breaches, which, if you must also meet GDPR and other privacy compliance requirements, could result in more fines and fees.
PCI compliance is a start to securing your organization and protecting credit card data.