Any business that processes card payments must comply with PCI DSS.
Recent breaches against major retailers have put payment card industry (PCI) security standards in the spotlight. However, it isn't only big companies that need to adhere to them. PCI DSS is imposed through a merchant's contracts with its acquiring bank and the card brands rather than by law, and it applies to every business that accepts credit and debit cards. Even if your business employs four people and conducts one credit card transaction a month, it must be PCI compliant.
This is easier said than done. The Verizon 2018 Payment Security Report found that most companies struggle to meet the Payment Card Industry Data Security Standard (PCI DSS), the set of regulations created to keep credit and debit card data secure, with just 52% in compliance, down from 55% in 2017.
"It's not a good trend," said Ciske Van Oosten, senior manager of global intelligence at Verizon, in an interview with eWeek. "We know that organizations that do not maintain PCI-DSS compliance, those are the ones that get breached."
What is the payment card industry?
"Payment card industry" is the catch-all term for industries that deploy or use credit and debit cards. This includes point-of-sale systems used by commerce and retail industries, ATMs, and institutions that issue any type of credit, debit or prepaid card for monetary transactions.
In 2006, the major card brands – Visa, Mastercard, American Express and Discover, as well as JCB (the Japan Credit Bureau) – came together to form the Payment Card Industry Security Standards Council (PCI SSC) to own and manage security standards for the whole industry. The council took over the Payment Card Industry Data Security Standard (PCI DSS), which the brands had first published jointly in December 2004, and has maintained and revised it since.
Every company that accepts credit and debit cards is required to follow PCI DSS, no matter the volume of transactions or size of the business (the PCI SSC does publish guidance aimed at small merchants). Each card brand does, however, define merchant levels based on transaction volume over a 12-month period, and those levels determine how compliance must be validated rather than which requirements apply: Level 1 merchants undergo an annual on-site assessment by a Qualified Security Assessor, lower levels typically complete a Self-Assessment Questionnaire, and Levels 1 to 3 must also pass quarterly external vulnerability scans by an Approved Scanning Vendor. All 12 requirements apply at every level; the more transactions, the more validation work is necessary. According to PCIComplianceGuide.org, Visa's four levels are:
- Level 1: Any merchant – regardless of acceptance channel – processing over 6 million Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
- Level 2: Any merchant – regardless of acceptance channel – processing 1 million to 6 million Visa transactions per year.
- Level 3: Any merchant processing 20,000 to 1 million Visa e-commerce transactions per year.
- Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants – regardless of acceptance channel – processing up to 1 million Visa transactions per year.
12 requirements for PCI DSS
The PCI SSC groups PCI DSS into 12 high-level requirements, each of which expands into detailed sub-requirements and testing procedures:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly update antivirus software or programs.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security for employees and contractors.
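Requirement 3 is where merchants most often slip in practice: the full primary account number (PAN) ends up in a database column or an application log, and sensitive authentication data (CVV/CVC, PIN, track data) is retained after authorization. The following added example, which is not from the article or the PCI SSC, shows what a merchant may keep after authorization and a log scrubber that catches PANs that leak into log lines. The HMAC key, the log lines and the function names are constructed for the illustration; the card numbers are the public Visa and Mastercard test numbers.

```python
"""Added illustration of PCI DSS Requirement 3 in code: what a merchant may keep
after authorization, and how to catch PANs that leak into application logs.
Not from the article or the PCI SSC; the key and log lines are constructed."""
import hashlib
import hmac
import re
from typing import Tuple

# Constructed demo key. In production the HMAC key comes from a key-management
# system with the access controls and rotation that Requirement 3 demands.
DEMO_HMAC_KEY = b"constructed-demo-key-not-for-production"


def luhn_valid(digits: str) -> bool:
    """Luhn check on a 13-19 digit string; every card PAN carries this check digit."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form permitted by Requirement 3: at most first six and last four digits."""
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_reference(pan: str, key: bytes = DEMO_HMAC_KEY) -> str:
    """Keyed one-way hash usable as a lookup index without storing the PAN.
    A bare SHA-256 would not do: the PAN space is small enough to brute-force."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def storable_record(pan: str, key: bytes = DEMO_HMAC_KEY) -> dict:
    """What may persist after authorization. Sensitive authentication data
    (CVV/CVC, PIN, full track data) is never an input here, so it cannot be stored."""
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return {"masked": mask_pan(pan), "last4": pan[-4:], "reference": pan_reference(pan, key)}


# Runs of 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def redact_pans(text: str) -> Tuple[str, int]:
    """Mask Luhn-valid PANs in free text such as log lines; returns (text, count).
    Heuristic: a PAN fused with adjacent digits (no delimiter before a timestamp,
    say) can be missed, which is why logging the PAN field at all is the real bug."""
    count = 0

    def repl(m):
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            count += 1
            return mask_pan(digits)
        return m.group(0)

    return PAN_CANDIDATE.sub(repl, text), count


# Constructed log lines; the PANs are the public Visa/Mastercard test numbers.
# The 13-digit "ref" value is not Luhn-valid and must be left alone.
SAMPLE_LOG = (
    "INFO 2023-11-05T10:14:02Z order=48213 card=4111111111111111 status=approved\n"
    "INFO 2023-11-05T10:14:03Z order=48214 card=5555 5555 5555 4444 status=declined\n"
    "INFO 2023-11-05T10:14:04Z order=48215 ref=1234567890123 status=approved\n"
)

if __name__ == "__main__":
    clean, n = redact_pans(SAMPLE_LOG)
    print(f"redacted {n} PAN(s):\n{clean}")
    print(storable_record("4111111111111111"))
```

Two design points carry over to any real implementation: the record that reaches the database contains no field a thief could use to make a purchase, and the log scrubber is a safety net rather than a control, because a regex over free text will miss PANs that are split or fused with other digits. The durable fix for log leakage is to keep PAN out of the objects that get logged in the first place.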
Why PCI compliance matters
More than ever before, consumers care about security. With high-profile data breaches, many of them involving stolen card data from retail and service businesses, consumers want to know that they are doing business safely and won't be hearing from their card issuers about questionable charges. Consumers will walk away from businesses that have suffered data breaches, and a single breach can be so costly that it puts a small company out of business for good. PCI compliance doesn't guarantee a data breach won't happen, but it adds safeguards that make one less likely and easier to contain.
If a business is found to be out of compliance, the card brands can levy fines, commonly cited at anywhere from $5,000 to $100,000 per month, on the merchant's acquiring bank, which normally passes them on to the merchant. If noncompliance continues, the acquirer can terminate the merchant account, leaving the business unable to accept cards at all.
How to stay PCI compliant
PCI compliance is non-negotiable if you accept credit and debit cards, but preparing for a PCI audit and ensuring that your company meets compliance standards can be daunting. Jeff Vansickel, senior consultant at IT compliance consulting firm SystemExperts, provided a few tips to prepare for a PCI assessment and keep your standards at secure levels at all times:
- Identify all business and client data, including any cardholder data, its sensitivity and criticality. Correctly defining the scope of assessment is probably the most difficult and important part of any PCI compliance program, Vansickel said. An overly narrow scope can jeopardize cardholder data, while an overly broad scope can add immense and unnecessary cost and effort to a PCI compliance program.
- Understand the boundaries of the cardholder data environment (CDE) and all the data that flows into and out of it. Any system component that connects to the CDE, or that could affect its security, is in scope and must meet PCI requirements. The CDE includes all processes, technology and people that store, process or transmit cardholder data or sensitive authentication data, together with every connected system component and any virtualization components, such as hypervisors and the virtual machines running on them. Network segmentation that isolates the CDE is the accepted way to keep scope manageable, but the segmentation controls must themselves be tested before they are relied on to take systems out of scope.
- Establish operating controls to protect the confidentiality and integrity of any cardholder data. Cardholder data should be protected wherever it is imported, processed, stored and transmitted. It must also be properly disposed of at the end of its life span. "Backups must also preserve the confidentiality and integrity of cardholder data," Vansickel said. "Additionally, all media must be properly disposed of to ensure the continued confidentiality of the data. Be sure to include not only the hard disks used by company-owned computer systems but also leased systems and the storage included in modern copy machines and printers."
- Have an incident response plan in place. PCI DSS itself requires one, along with an annual test of it. When a security incident occurs, it's important to have a plan to return to secure operations as quickly as possible. This plan should define roles, responsibilities, communication requirements and contact strategies in the event of a compromise, including notification of the payment brands, legal counsel and public relations. This will ensure timely and effective handling of any compromise. "Ideally, companies should have a certified forensics specialist on retainer who can gather evidence and testify as an expert witness if necessary," Vansickel said.
- Explain and enforce security procedures. You cannot assume that employees understand secure practices or recognize the behaviors that put your business at risk. It is up to you to make sure everyone within the company, from lower-level employees to IT specialists to management, is educated on security procedures and PCI compliance procedures.
The moment your customer hands over a credit or debit card, you become responsible for keeping the data associated with that card secure. While the above steps are primarily meant to prepare you for a PCI audit, they will also provide a safety net in between assessments. For more information, visit PCIComplianceGuide.org.