The Payment Card Industry Data Security Standards (PCI DSS) are the rules established to ensure companies’ safe handling of credit card information. In this blog, we help you understand the ins and outs of PCI compliance.
It seems that every week you hear about yet another major data breach, with increasingly significant consequences. The average data breach in 2021 is costing businesses $4.24 million USD—the highest total cost ever, up from $3.86 million USD in 2020—according to IBM.
As these incidents become increasingly commonplace, it’s important for organizations—particularly merchants that engage in commerce online or interact with sensitive payment information—to not get complacent when it comes to their security measures. Finance teams especially have a part to play in keeping their customers’ data safe, as stewards of the company’s payment flows.
Data breaches take many shapes, with email addresses, geographic location data, Social Security numbers, medical records, and sensitive payment information—to name a few—often being exposed.
And, while it’s impossible to guarantee that your business will never fall victim to a breach, there’s a lot you can do to significantly minimize the likelihood of that happening.
Hackers tend to focus on certain types of data—particularly financial information like credit card numbers. Luckily, there are measures and governing bodies that work to make it increasingly difficult for hackers to succeed—and for you to be held responsible for the damages.
When it comes to handling customers’ credit card information, the Payment Card Industry Security Standards Council (PCI SSC) has established rules that businesses must follow to ensure basic protection for consumers and minimize chances of fraud or breaches occurring within the payment ecosystem.
In this blog, we’ll help you understand what it means to be PCI-compliant, how to become PCI-compliant, and the requirements your business must meet in order to maintain compliance (the PCI DSS).
Jump to a section:
What is PCI compliance?
PCI compliance refers to whether a merchant adheres to the technical and operational requirements established by the PCI SSC to ensure safe handling of cardholder data.
The PCI SSC was established in 2006 when five of the major credit card brands—Visa, Mastercard, American Express, Discover, and Japan Credit Bureau—came together to create global standards for how companies should manage credit card data. Prior to this, each of the card brands maintained their own separate sets of requirements.
The PCI Data Security Standards (PCI DSS)—the rules established to govern how businesses manage cardholder data to ensure secure payment processing—are updated every three years (the most recent version being the PCI DSS 3.2.1). Rather than the PCI SSC, it’s the card brands and acquiring banks who are responsible for enforcing PCI compliance.
The PCI DSS requirements focus on these core elements of merchants’ business:
1. How merchants obtain and handle credit card data:
To ensure the highest level of security, it’s best if customers’ payment information never touches your servers. Using a PCI-compliant third-party payment processing software that securely tokenizes customers’ payment information (meaning the data is turned into a random string of characters so that it can’t be viewed) is a great way to minimize your contact with sensitive data.
2. How merchants store credit card data:
The goal of the PCI DSS is to minimize the scope of the cardholder data environment. This means that all the people, processes, and technologies that store, process, or transmit credit card information have been pared down to only those most vital to facilitating transactions.
Here are some examples of what’s considered in-scope for PCI compliance:
- The card readers you use to accept in-person payments
- Your point-of-sale systems
- Any networks or wireless access routers used to transmit payment information
- Anywhere payment card data is stored or transmitted (includes paper-based records)
- Applications and software used to accept payments online
Because anything within the payment ecosystem that touches cardholder data must be validated as compliant with PCI guidelines, it’s in your best interest to limit which people, devices, and systems have access to sensitive cardholder or authentication information for the sheer benefit of making things easier on your team.
3. How merchants continuously monitor security controls:
PCI compliance is an ongoing effort, requiring businesses to give evidence that they’re meeting required security protocols on an annual basis. It’s important to understand that security is not a one and done process—systems need to be continuously monitored for potential vulnerabilities, and as cyber threats continue to evolve so should your defense methods.
What are the 4 levels of PCI compliance?
There are varying levels of PCI compliance requirements (with Level 1 being the most stringent and Levels 2 to 4 having fewer requirements) based on factors like the volume of credit card transactions your business processes annually. Here’s a breakdown of what each of these PCI levels mean
- This is the highest level of security requirements, intended for merchants that process over 6 million credit card transactions every year.
- Intended for merchants that process between 1 and 6 million credit card transactions every year.
- Intended for merchants that process between 20,000 and 1 million ecommerce transactions every year.
- Intended for merchants that process fewer than 20,000 ecommerce transactions or up to 1 million total transactions (regardless of the payment acceptance channel) every year.
If a merchant experiences a data breach that results in account data being compromised, they may be required to adhere to a higher level of security requirements, regardless of how many card transactions they process.
Merchants within Level 1 must be assessed by a third party to be deemed compliant (through what’s known as a Qualified Security Assessor), whereas merchants in Levels 2 to 4 can self-evaluate their compliance through a Self-Assessment Questionnaire (SAQ).
To validate that your business is PCI-compliant, you’ll need to fill out an SAQ every year. The specific SAQ form you complete will depend on the environment you accept credit cards in (face-to-face, ecommerce, or by mail or telephone—also known as “card-not-present”) and the method used to transmit the information (e.g., via the internet or not). For every payment environment you support, you’ll fill out a separate SAQ. The pass mark for PCI compliance is meeting 100% of the criteria outlined in your respective SAQ.
There are nine different SAQ forms:
1. SAQ A
You’ll fill out this form if you accept payments through card-not-present (ecommerce or mail telephone order), where you outsource all cardholder data functions to a secure third party and you don’t store, process, or transmit cardholder data on your systems or premises.
2. SAQ A-EP
You’ll fill out this form if you accept payments through ecommerce channels, where your website doesn’t directly receive cardholder data, you outsource all payment processing to a secure third party, and you don’t store, process, or transmit cardholder data on your systems or premises.
3. SAQ B
You’ll fill out this form if you accept payments through imprint machines and/or card reader terminals that transmit data through a phone line and don’t store cardholder data.
4. SAQ B-IP
You’ll fill out this form if you accept payments through an internet-based standalone card reader terminal (not connected to other devices on the network) that doesn’t store cardholder data.
5. SAQ C-VT
You’ll fill out this form if you accept payments by entering a single transaction at a time manually or through a secure virtual terminal solution and you don’t electronically store cardholder data.
6. SAQ C
You’ll fill out this form if you accept payments through a payment application system connected to the internet (does not include ecommerce) installed on a computer and any accompanying devices like card readers and you don’t electronically store cardholder data.
7. SAQ P2PE-HW
You’ll fill out this form if you accept payments through a hardware payment terminal included in a PCI-validated solution with point-to-point encryption (P2PE) that doesn’t store cardholder data.
8. SAQ D (for Merchants)
You’ll fill out this form if you accept payments through a method not listed in the descriptions above.
9. SAQ D (for Service Providers)
You’ll fill out this form if you’re a service provider eligible to complete an SAQ.
How do you become PCI compliant?
PCI compliance should be an ongoing effort year-round, beyond the annual certification. Even if your security measures passed an evaluation, if these are not continuously monitored they could be out of compliance by the time your business is the target of a breach.
The PCI SSC describes PCI compliance as an ongoing three-step process:
- Assess: Before your annual assessment, start by taking inventory of all your business’ IT systems and processes involved in handling card data or sensitive authentication data, looking for any potential vulnerabilities. You’ll want to document all the people, systems, and processes in scope for PCI compliance.
- Remediate: When you discover vulnerabilities, you’ll want to address them right away—don’t wait until it’s too late. Only store cardholder data if it’s absolutely necessary, and in that event, take essential steps to secure that data.
- Report: Diligently compile the required reports (either a Report on Compliance or a Self Assessment Questionnaire, depending on the nature of your business and how you accept and process card payments) and submit them to the appropriate acquiring banks and card brands.
What are the risks of not adhering to PCI Compliance requirements?
Although being PCI-compliant doesn’t guarantee immunity from security incidents, there’s a noticeable trend of organizations being non-compliant when experiencing a data breach.
From 2014 to 2019, Verizon’s annual Payment Security report found that on average, of the studied companies that experienced a breach, 0% were compliant with PCI DSS at the time of the breach and 53% were confirmed to be non-compliant.
The costs of falling victim to a data breach can be considerable. If a breach involving stolen credit card information is traced back to your business, then you’re on the hook for any fines and fees associated with it (such as covering the losses and card replacement costs).
Beyond opening your business up to the potential for data breaches and the accompanying financial losses (not to mention the cost of mitigation efforts and lost sales), failing to meet PCI compliance requirements can also mean:
- Losing customers’ trust (especially in the event of a security breach)
- Losing out on potential partnerships, as payment brands want to collaborate with companies that exemplify a commitment to security
- Damaging your brand’s reputation
- Negatively impacting buyers’ credit
While keeping your compliance status up to date requires ongoing effort and prioritization from your team, the resulting protections for your business and your customers are indisputable.
What are the 12 PCI DSS requirements?
The PCI Data Security Standards cover 12 requirements that must be followed by any business that accepts or processes credit card payments. The PCI SSC groups these requirements into six unique buckets:
Build and maintain a secure network
- Install and maintain firewalls to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across any open or public network
Maintain a vulnerability management program
- Use and regularly update anti-virus software or programs
- Develop, maintain, and update secure systems and applications
Implement strong access control measures
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with system access
- Restrict physical access to cardholder data
Regularly monitor and test networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Maintain an information security policy
- Maintain a policy that addresses information security for employees and contractors
Why should you partner with a secure ERP-embedded payment processor?
When you use a secure payment processor that can integrate directly with your enterprise resource planning (ERP) system, you’re able to minimize your team’s contact with sensitive payment information even further, as it’s tokenized and recorded automatically, without any manual intervention.
Versapay’s payment processing software integrates natively with leading ERPs like NetSuite, Microsoft Dynamics 365, and Sage Intacct, letting you accept payments from a variety of channels like ecommerce, point of sale, card-not-present, and over the phone. We encrypt and tokenize all payments across all channels, ensuring the data never touches your servers.
Our dedicated support team also works with you to ensure you’re following security best practices, offering their seasoned expertise to help you put controls in place to minimize potential impacts of fraudulent activity.
In the global effort to prevent security breaches and data theft, becoming PCI-compliant is just the beginning. Investing in security (in and out of the payment environment) as a business-wide priority will help you protect your business and your customers long-term.
Want to deepen your understanding of the credit card processing lifecycle? Check out “The Ultimate Guide to Credit Card Processing” to learn exactly how credit card transactions are processed, understand the fees involved, and get tips for finding the best deal when looking for a payment processing solution.