How to become PCI compliant

If you’re opening a new business or taking ownership of an existing one, there’s one thing you can’t afford to overlook: PCI compliance. You may have heard about PCI compliance but still be unsure about what it entails. This article covers the basics of PCI compliance to help get you going in the right direction.

What is PCI DSS?

The Payment Card Industry Data Security Standards (PCI DSS) is a set of global security standards designed to ensure that all entities involved in accepting, processing, storing or transmitting credit card information maintain a secure environment. PCI DSS is overseen by the Payment Card Industry Security Standards Council (PCI SSC), which was created by the payment card brands Visa, Mastercard and American Express.

This article outlines the essentials of what you’ll need to know to get your business started with a new merchant account to accept electronic payments.

Payment card brands and acquirers are responsible for enforcing PCI compliance, but they aren’t equipped to inspect every business to make sure PCI regulations are being met. Merchants are presumed innocent – or compliant – until they experience a breach. While PCI enforcement has historically been more relaxed in the UK and Europe compared to the United States, enforcement rates are on the rise.

One important thing to note is that PCI compliance is not a one-time event – it’s an ongoing activity. For merchants, this means active monitoring and maintenance of your business systems and technologies.

Learn more about the history of PCI DSS.

What are the PCI standards?

The PCI SSC established 12 principal standards to guide the overall efforts for achieving and maintaining compliance. These standards address the security of the payment system at large and recommend the implementation of network security protocols. This includes things like firewalls, anti-virus protection, password maintenance, access restrictions, regular security tests, policies that address information security and more.

What are the requirements of PCI DSS?

Here are the 12 PCI DSS compliance principal requirements to follow to become PCI DSS compliant:

• Install and maintain network security controls
• Apply secure configurations to all system components
• Protect stored account data
• Protect cardholder data with strong cryptography during transmission over open, public networks
• Protect all systems and networks from malicious software
• Develop and maintain secure systems and software
• Restrict access to system components and cardholder data by business need to know
• Identify users and authenticate access to system components
• Restrict physical access to cardholder data
• Log and monitor all access to system components and cardholder data
• Test security of systems and networks regularly
• Support information security with organizational policies and programs

What are the levels of compliance?

PCI DSS is mandatory for all organizations that accept, transmit or store cardholder data. However, requirements differ based upon a business’ transaction volume over a 12-month period and the channel used to process payments.

There are four levels of PCI compliance:

• Level 4 applies to any merchant processing less than 20,000 e-commerce transactions annually and merchants who process up to one million transactions annually, regardless of the channel (card present, card not present, online)
• Level 3 applies to any merchant processing 20,000 to one million e-commerce transactions annually
• Level 2 applies to any merchant that processes one to six million transactions annually, regardless of the channel
• Level 1 applies to any merchant that processes over six million transactions annually, regardless of the channel

The best way for a merchant to determine their compliance level is to consult with their payment processing provider. The most complex compliance requirements apply to Level 1-3 merchants because of their large size and involved processing environment.

Most small and medium-sized businesses fall under Level 4. The compliance requirements for Level 4 merchants are simpler but not necessarily easier, in part, because smaller businesses often lack the necessary IT and compliance resources. That’s why it’s important to work with a provider that offers PCI compliance tools and resources.

What are the general requirements for each level of compliance?

The PCI SSC recommends that small businesses think about compliance as a three-step process:

• Assess: Take inventory of systems that capture and store sensitive data, and then analyze those systems for potential vulnerabilities.
• Remediate: Fix any vulnerabilities discovered in the first step, eliminating the storage of sensitive data as much as possible for your business practices.
• Report: Compile and submit the required reports to the acquiring banks and card networks you work with to prove you’re in compliance (the Attestation of Compliance Form).

With this in mind, the compliance requirements differ for each merchant level. Here are the general guidelines:

• Level 1 merchants must complete an annual Report on Compliance (ROC) through a Qualified Security Assessor (QSA), a quarterly network scan by an Approved Scanning Vendor (ASV) and an Attestation of Compliance form.
• Level 2 merchants must complete an annual Self-Assessment Questionnaire (SAQ), a quarterly network scan by an ASV and an Attestation of Compliance form.
• Level 3 merchants must complete an annual SAQ, a quarterly network scan by an ASV and an Attestation of Compliance form.
• Level 4 merchants must complete an annual SAQ, a quarterly network scan by an ASV and an Attestation of Compliance form.

Note that there are different SAQ forms to validate compliance depending upon how payments are accepted. The number of questions on the forms range from as few as 14 for SAQ Validate Type A for card-not-present merchants that have no electronic cardholder data storage to 347 for SAW Validate Type D-Service providers.

What happens if I don’t comply?

Failure to adhere to PCI security standards that leads to a data breach can result in devastating financial consequences including fines, fees and loss of business. The initial costs of a data breach depend on many factors including the number of cards compromised and the ensuing financial impact on the business.

Non-compliance fines can include:

• Card reissuing costs for each card involved that must be reissued. This can range from £2-5 or more per card. The average number of cards compromised per breach is typically in the thousands for small businesses and in the hundreds of thousands to millions for larger businesses.
• Non-compliance fines are issued in line with the General Data Protection Regulation (GDPR), and as such, can cost a business up to £17m or 4% of its global turnover in the most severe cases.
• Required additional fraud detection services enforced by the card brands such as costly financial and forensic audits.
• Additional fraud monitoring programs and technologies as mandated by the card brands.

What is PA-DSS?

Whereas PCI compliance is the merchant’s responsibility, PA-DSS validation is the technology provider’s responsibility. PA-DSS stands for Payment Application Data Security Standards. In layman's terms, it means that the payment equipment (POS system/terminal) that vendors sell must meet the security standards set forth by the PCI council for the safe handling of payment data.

A validated system has been verified as secure by a PCI-council approved organization, which in turn lessens the merchant’s responsibility for maintaining PCI compliance. To ease their own PCI compliance obligations, merchants are advised to use PA-DSS validated systems and providers.

What are the most vulnerable areas that need protection?

Protecting a business from data theft requires measures to secure sensitive customer data at all points through the payment transaction, from card entry to settlement. Data thieves will seek out the most vulnerable points to access information including:

• Compromised card readers
• Vulnerable online networks
• Weak remote access credentials
• Paper records in filing cabinets
• Data in online payment system databases
• Hidden cameras that record your staff entering authentication data
• Secret taps into your store’s networks – both wireless and wired

It’s imperative to take steps to protect the following:

• POS (point of sale) systems
• Card readers
• Store networks and wireless access routers
• Remote access links and accessibility
• Payment card data storage and transmission
• Payment card data kept in paper records
• Online payment systems and e-commerce shopping carts

What payment technologies help secure data?

Encryption and tokenization are two technologies used to protect merchant and consumer data.

Encryption protects data in motion, such as when transferred from the cardholder to the payment processor and onward through the authorization process. Encryption effectively removes cardholder data from the payment processing network and can also reduce the scope of PCI compliance requirements, which saves time and money in achieving and maintaining PCI compliance.

Tokenization replaces sensitive payment data with a unique token generated by complex algorithms that cannot be duplicated or decoded. The actual value of the data is zero without the ability to decipher it. While card data encryption protects data in transit during authorization, tokenization protects data at rest to securely offer post-authorization services such as recurring billing, tip adjustments, delayed shipping and card-not-present voids and returns.

Who can help with becoming PCI compliant?

Some payment processors and gateway providers offer PCI compliance assistance to help automate the process to achieve and maintain compliance. Having this type of support is a big asset and time saver, so it’s important to consider a processor’s PCI compliance assistance solution when making your decision on which provider to use.

In addition to compliance tools and guidance, a good compliance assistance program will also provide financial protection to help cover costs in the event of a data breach. It’s similar to insurance in that the provider will foot the bill for certain breach expenses within a certain limit following a qualifying breach event.

It’s important to understand the role your payment processor and other third-party vendors will play in your system security and compliance obligations – as well as the role you will play. You may depend on third parties to help you maintain system security and PCI compliance, but ultimately the responsibility rests with you.