PCI compliance is a key part of accepting debit and credit cards from customers. Here's what your business needs to know.
- Payment card industry (PCI) compliance is a set of standards that businesses must adhere to if they wish to accept credit or debit cards.
- There are 12 requirements a business must follow to be considered compliant.
- PCI compliance adds important safeguards and can help a business avoid expensive penalties and a loss of business resulting from a breach.
- This article is for business owners who want to accept credit and debit cards in a compliant manner.
Recent breaches against major retailers have put payment card industry (PCI) regulations in the spotlight. However, it isn't only big companies that need to adhere to these rules, collectively known as the Payment Card Industry Data Security Standard (PCI DSS); they apply to every business that relies on credit and debit cards for transactions. Even if your business employs only a few people and conducts one credit card transaction a month, your company must be PCI DSS compliant.
This is easier said than done. The Verizon 2020 Payment Security Report found that only 27.9% of companies achieved full compliance in 2019, a decrease of 8.8% from the year before. In other words, companies are moving the wrong way when it comes to PCI DSS compliance.
"It's not a good trend," Ciske Van Oosten, senior manager of global intelligence at Verizon, said in an interview with eWeek. "We know that organizations that do not maintain PCI DSS compliance – those are the ones that get breached."
This article will explain what PCI compliance is and what it entails, as well as answer merchants' most commonly asked questions about PCI compliance for small businesses.
What is the payment card industry?
The payment card industry comprises all companies that deploy or use credit and debit cards. This includes used by commerce and retail industries, ATMs, and institutions that issue any type of credit, debit, or prepaid card for monetary transactions. In the context of compliance, the payment card industry often refers to the Payment Card Industry Security Standards Council (PCI SSC), an organization that sets the payment card industry's standards and regulations.
Editor's note: Looking for the right credit card processing service for your business? Fill out the below questionnaire to have our vendor partners contact you about your needs.
Every company that accepts credit and debit cards is required to follow PCI DSS, no matter the volume of transactions or the size of the business (although the PCI SSC does provide help for small businesses). However, there are four levels of compliance. These levels determine the actions the organization must take to be compliant; the more transactions, the more actions necessary. These are the four levels and their requirements:
Level 1: Any merchant, regardless of the acceptance channel, that processes over 6 million Visa transactions per year and any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
Level 2: Any merchant, regardless of the acceptance channel, that processes 1 million to 6 million Visa transactions per year.
Level 3: Any merchant that processes 20,000 to 1 million Visa e-commerce transactions per year.
- Level 4: Any merchant that processes fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of the acceptance channel, that process up to 1 million Visa transactions per year.
Key takeaway: The Payment Card Industry Security Standards Council addresses and manages the security needs of the industry. All companies that accept credit or debit cards must follow these requirements.
12 requirements for PCI DSS
The PCI SSC provides a list of 12 requirements to meet the PCI DSS:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly update antivirus software or programs.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security for employees and contractors.
Key takeaway: Your business must meet 12 information-security requirements to be PCI DSS compliant.
Why PCI compliance matters
Many high-profile data breaches have come through stolen credit and debit card information in the retail and service industries, so consumers want to know that they are doing business safely. PCI compliance doesn't guarantee a data breach won't happen, but it adds safeguards.
If your business is found to be noncompliant, you could face fees of $5,000 to $100,000 per month. If noncompliance persists, your business could be stripped of payment processing services.
Key takeaway: PCI DSS compliance can help your business protect consumer data and help you avoid hefty, punishing fines resulting from noncompliance.
How to stay PCI compliant
PCI compliance is non-negotiable if you accept credit and debit cards, but preparing for a PCI audit and ensuring that your company meets credit card compliance standards can be daunting.
Jeff VanSickel, senior consultant at IT compliance consulting firm SystemExperts, provided a few tips for preparing for a PCI assessment and keeping your standards at secure levels at all times:
Identify all business and client data. This includes any cardholder data, its sensitivity and its criticality. Correctly defining the scope of assessment is probably the most difficult and important part of any PCI compliance program, VanSickel said. An overly narrow scope can jeopardize cardholder data, while an overly broad scope can add immense and unnecessary cost and effort to a PCI compliance program.
Understand the boundaries of the cardholder data environment. Monitor all of the data that flows into and out of it. Any system that connects to the cardholder data environment is within the scope of compliance and, therefore, must meet PCI requirements. The cardholder data environment includes all processes, technology, and people who store, process, or transmit customer cardholder data or authentication data, as well as all connected system components and any virtualization components, like servers.
Establish operating controls. This measure is necessary to protect the confidentiality and integrity of any cardholder data. Cardholder data should be protected wherever it is imported, processed, stored and transmitted. It must also be properly disposed of at the end of its life span. "Backups must also preserve the confidentiality and integrity of cardholder data," VanSickel said. "Additionally, all media must be properly disposed of to ensure the continued confidentiality of the data. Be sure to include not only the hard disks used by company-owned computer systems but also leased systems and the storage included in modern copy machines and printers."
Have an incident response plan in place. When a security incident occurs, it's important to have a plan to return to secure operations as quickly as possible. This plan should define roles, responsibilities, communication requirements, and contact strategies in the event data is compromised, including notification of the payment brands, legal counsel, and public relations. "Ideally, companies should have a certified forensics specialist on retainer who can gather evidence and testify as an expert witness if necessary," VanSickel said.
- Explain and enforce security procedures. You can never be sure that employees understand security practices and behaviors that can put your business at risk. It is up to you to make sure everyone in the company, including IT specialists and upper management, is educated on PCI compliance procedures.
Key takeaway: PCI compliance involves properly tracking the right data and having an incident response plan in place, including security procedures to follow in the event of a breach.
PCI compliance FAQs
What is PCI compliance?
PCI compliance – or, more officially, Payment Card Industry Data Security Standard (PCI DSS) compliance – is adherence to a set of standards established by the Payment Card Industry Data Security Standards Council, a coalition that the major credit card companies (Visa, Mastercard, American Express and Discover) and the Japan Credit Bureau formed in 2006. Merchants must comply with these standards no matter how many credit card transactions they conduct. Those found not in compliance may be subject to hefty fines.
What data falls under PCI compliance?
The data that falls under PCI compliance encompasses what's called "cardholder data," which may include the following information:
- Account numbers, also known as primary account numbers (PANs), which need to be encrypted
- Sensitive authentication data used to authenticate cardholders
- Tracked data contained in the stripe or chip
- Debit card PINs
- CVVs for credit and debit cards
How does taking credit cards by phone work with PCI?
For taking credit cards by phone, the following protocol should be observed:
- Make sure you are using a secure network to accept PANs and other sensitive information.
- Ensure your phone system is PCI compliant.
- Use landlines whenever possible, as smartphones can present more security risks.
- If your business records phone calls, ensure that credit card information is redacted in the recording.
- Never write down the card information being relayed over the phone.
- Ensure all employees are trained on your PCI compliance procedures.
What are the penalties for noncompliance with PCI?
Credit card companies can levy fees of several thousand dollars per month or more, without regard for the size of your business. These fees can be devastating for small businesses, thus making compliance essential.
You may experience nonfinancial penalties as well. For example, card issuers may choose to stop working with your business, leaving you with fewer payment options to provide customers. Or you may face a public relations nightmare as more people learn about a security breach and are nervous to give your company their sensitive information. You may also be subject to federal auditing or legal action.
Is there a PCI certification?
Your business can obtain PCI certification after a comprehensive PCI DSS audit. A qualified security assessor performs this audit, and the process can take months. While PCI certification is not required for your business to be PCI compliant, you may choose to undergo PCI certification to build trust with your customers.
The moment your customer hands over a credit or debit card, you become responsible for keeping the data associated with that card secure. While the above steps are primarily meant to prepare you for a PCI audit, they will also provide a safety net in between assessments.
Additional reporting by Stella Morrison. Some source interviews were conducted for a previous version of this article.