Ignoring PCI compliance could cost you more than you think.
Mo’ money, more problems? If your business handles credit card data, you need to take PCI compliance seriously, and security compliance tools can help you do that. Ignore it, and you can find yourself in a lot of trouble. But what exactly is PCI compliance, and who needs to worry about it? We’ve put together a guide to answer the burning questions you have.
What is PCI compliance?
Payment Card Industry (PCI) compliance means meeting a set of security standards developed to ensure that anyone who handles payment card data is properly managing and securing it. It is an industry standard enforced through the card brands and their contracts with banks and merchants, not a government regulation.
Before the PCI Security Standards Council was formed in 2006, each card brand ran its own security program (Visa’s CISP, for example), and the first unified standard, PCI DSS 1.0 from December 2004, had no single body to maintain it. Merchants were left reconciling overlapping requirements from several brands.
In 2006, Visa, MasterCard, Discover, American Express (AMEX), and JCB established the PCI Security Standards Council (PCI SSC) to maintain the standard and set clear operating guidelines for how consumer credit card information should be handled.
Before we go any further, let’s dig into some quick definitions to help keep things straight:
- PCI: The Payment Card Industry, also known as your major credit card companies (the card brands)
- PCI SSC: The Payment Card Industry Security Standards Council, the body in charge of writing and maintaining the PCI standards
- DSS: Data Security Standard, the set of requirements placed on anyone who stores, processes, or transmits cardholder data
- PCI DSS: Payment Card Industry Data Security Standard, the more common way of referring to the standard that anyone handling cardholder data must follow
As with many compliance programs, PCI DSS has seen several changes over the years. Version 3.2 was released in 2016, and its remaining "best practice" requirements became mandatory on February 1, 2018. It was followed by 3.2.1 in 2018, and then by the current major version, PCI DSS 4.0, published in March 2022 (with a 4.0.1 revision in 2024). Version 3.2.1 was retired on March 31, 2024, so any assessment you complete today is against version 4.x.
How to comply with PCI: 12 requirements
The requirements that the PCI SSC sets forth for merchants and service providers are known as the PCI DSS. They comprise 12 high-level requirements, and anyone who wants to stay compliant with PCI standards must meet them.
How do you comply with PCI DSS?
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Protect all systems against malware and regularly update antivirus software
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Identify and authenticate access to system components (assign a unique ID to each person with computer access)
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security
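Requirement 3 (protect stored cardholder data) is where most small merchants unknowingly fail: a full card number written to an application log by a debug statement is stored cardholder data, and it is now in scope. The script below is an added example, not code from the original article or from the PCI SSC. It scans log lines for candidate primary account numbers (13 to 19 digits, optionally separated by spaces or dashes), keeps only those that pass the Luhn check so that order numbers and other long IDs are not flagged, and masks hits to the "first six, last four" form that PCI DSS permits for display. The log lines and the order number are constructed sample data; the card numbers are the industry's published test numbers, not real accounts.

```python
"""Find and mask primary account numbers (PANs) that leaked into application logs.

Added example, not from the original article. Assumptions: a PAN is a 13-19 digit
string, optionally separated by single spaces or dashes, that passes the Luhn check;
masking keeps at most the first six and last four digits, the display rule in PCI DSS
requirement 3. Everything in SAMPLE_LOG is constructed.
"""
import re
from typing import List, Tuple

# Runs of 13-19 digits with an optional space or dash between digits.
# The lookarounds stop us matching a slice out of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits; mask everything between."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_line(line: str) -> Tuple[str, List[str]]:
    """Return the line with every Luhn-valid PAN masked, plus the masked values found."""
    found: List[str] = []

    def _replace(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            masked = mask_pan(digits)
            found.append(masked)
            return masked
        return raw  # a long numeric ID that fails Luhn is left untouched

    return PAN_CANDIDATE.sub(_replace, line), found


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, masked PAN) for every PAN found in the given lines."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, start=1):
        _, found = scrub_line(line)
        hits.extend((n, m) for m in found)
    return hits


# Constructed sample log lines. 4111... and 5555... are published test card numbers;
# the 16-digit order number is a constructed ID that fails the Luhn check.
SAMPLE_LOG = [
    "2024-03-01T10:00:01Z INFO  checkout ok order=1234567890123456 amount=19.99",
    "2024-03-01T10:00:02Z DEBUG gateway request card=4111111111111111 exp=12/26",
    "2024-03-01T10:00:03Z DEBUG retry card=5555 5555 5555 4444 cvv=***",
    "2024-03-01T10:00:04Z INFO  session=98765432 user=alice",
]

if __name__ == "__main__":
    for n, masked in scan_log(SAMPLE_LOG):
        print(f"line {n}: PAN present, masked form {masked}")
    for line in SAMPLE_LOG:
        print(scrub_line(line)[0])
```

Run it against a day's worth of real logs before an assessment: every hit is a storage location you either did not know about or did not intend, and each one widens the environment your assessor has to examine. The Luhn check removes most long numeric IDs but is not proof, so treat hits as leads to confirm, and remember that a log containing a full PAN is a finding even after you mask it; the fix is to stop the application writing it in the first place.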
It’s not enough to just say you’re following PCI compliance. Every merchant and service provider is required to validate compliance annually, either by completing a Self-Assessment Questionnaire (SAQ) or, at the higher levels, by having a Qualified Security Assessor (QSA) produce a Report on Compliance. Most merchants with an internet-facing card environment must also pass quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). Together these show that you’re following the requirements as they are written and not jeopardizing any client data.
Completing a PCI compliance validation involves several steps. Lucky for you, we’ve put together a handy PCI compliance validation checklist to make it easier.
Should you stay PCI compliant?
Yes! Any merchant that processes, stores, or transmits credit card data must be PCI compliant.
All of the major credit card companies agreed that merchants and service providers who handle consumer credit card information must prove that they are appropriately protecting that information.
This standard applies to all businesses, regardless of size. If you run a business and you handle credit card information from customers, you must adhere to PCI DSS. It might be time to hire a chief compliance officer. Every business falls into a PCI compliance level, and each level carries a different validation burden.
There are four merchant levels, set by each card brand according to your annual transaction volume rather than by company size. Level 1, for the highest-volume merchants (and for any merchant that has suffered a breach, which the brands can move up a level), has the most rigorous validation requirements, including an on-site assessment by a QSA. Nearly all small to medium-sized businesses fall into the lower two levels and validate with a self-assessment questionnaire. That does not mean they can take it easier: the 12 requirements are the same at every level, and only the way you prove compliance differs.
But wait, does that mean that independent sellers need to create their own PCI compliance program?
Probably not. Most independent sellers use a vendor like Square Payments, Etsy, or PayPal to conduct their business. These are payment gateway and processing platforms, and they are themselves validated against PCI DSS as service providers. Using one dramatically shrinks your own scope: if card data is entered only on the provider’s hosted page and never touches your systems, you typically qualify for the shortest questionnaire (SAQ A). It does not make the obligation disappear, though. You still have to validate every year, and you remain responsible for the parts you control, such as the website that redirects customers to the payment page.
Benefits of PCI compliance
- Security Enhancement: PCI compliance protects sensitive cardholder information and reduces the risk of data breaches and fraud.
- Customer trust: Customers are more likely to trust companies that adhere to PCI compliance because it demonstrates a commitment to safeguarding their payment information. This trust enhances customer loyalty and leads to increased sales.
- Avoiding fines and penalties: Complying with PCI helps businesses avoid hefty fines and penalties associated with non-compliance and data breaches.
- Legal protection: PCI compliance also provides businesses with a defense against potential lawsuits in case of data breaches.
- Global acceptance: Adopting PCI compliance also helps companies expand into new markets where PCI standards are required.
Who oversees PCI compliance?
There are two kinds of bodies that oversee PCI compliance:
- The PCI Security Standards Council (PCI SSC), which writes and maintains the Data Security Standard (DSS) that applies to all merchants and service providers regardless of revenue or transaction volume
- The card brands Visa, MasterCard, Discover, AMEX, and JCB, which, together with the acquiring banks, enforce the standard and impose consequences for non-compliance
Basically, the PCI SSC is in charge of designing and publishing the standard. Any company that doesn’t adhere to it will have to deal with repercussions set by the card brands and passed down through its acquiring bank.
Why could ignoring PCI compliance cost you?
A common misconception about PCI compliance is that it’s required by federal law. It’s not: it is a contractual obligation written into your merchant agreement with your acquiring bank. A few U.S. states (Nevada, for example) have written PCI DSS compliance into state statute, but for most businesses the obligation is contractual.
You might think that means PCI compliance is optional, but that’s not the case. Because all of the major card brands require it as a condition of accepting their cards, it’s almost impossible to operate a business that takes card payments and ignore it.
What happens if you ignore PCI compliance?
- Fines: The card brands can levy fines against your acquiring bank, which in turn passes them down to the merchant.
- Additional penalties: Your bank can add its own penalties on top of any fines levied by the card brands, raise your processing fees, or terminate your merchant account altogether.
- More red tape: Your company may be bumped up a PCI compliance level, which means stricter validation requirements, closer monitoring, and more red tape.
Don’t break the bank by breaking the rules
PCI compliance violation fines are commonly cited as ranging anywhere from $5,000 to $100,000 a month, depending on the severity of the violation and how long it persists, and that is before the costs of a breach itself. You can’t wish PCI compliance away. Either you adhere to the requirements, or you keep getting hit with hefty fines and stricter rules. Instead, find the right way to stay compliant.
Trying to ensure compliance across teams? Check out the top regulatory change management software to spot non-compliance and implement regulatory changes.
This article was originally published in 2019. It has been updated with new information.