How to become PCI compliant


July 30, 2019

If you’re opening a new business or taking ownership of an existing one, there’s one thing you can’t afford to overlook: PCI compliance. You may have heard about how to become PCI compliant, but be unsure about what it entails. This article covers the basics of PCI compliance to help get you going in the right direction.

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a global security standard that applies to every entity (including those outside the US) that accepts, processes, stores, or transmits payment card data, and it defines what a secure environment for that data looks like. PCI DSS is maintained by the Payment Card Industry Security Standards Council (PCI SSC), which was founded by the card brands Visa, Mastercard, American Express, Discover, and JCB.

The card brands and acquiring banks are responsible for enforcing PCI compliance, but they aren't equipped to audit every business, so in practice most merchants are treated as compliant until they suffer a breach, at which point their compliance status is examined closely. While enforcement has historically been stricter in the US, enforcement in the UK and Europe is gradually catching up.

One important thing to note is that PCI compliance is not a one-time event; it's an ongoing activity. For merchants, this means continuous monitoring and maintenance of the systems and technologies that touch card data.

What are the PCI standards?

PCI DSS is organized into 12 requirements that guide the overall effort to achieve and maintain compliance. They cover the security of the payment environment as a whole and require specific controls: network firewalls, no vendor-default passwords, protection of stored cardholder data, encryption of cardholder data sent over public networks, anti-malware protection, secure development and patching, access restricted to those who need it with individual accountability, physical access controls, logging and monitoring, regular security testing, and a maintained information security policy.

What are the levels of compliance?

PCI DSS applies to every organization that accepts, transmits, or stores cardholder data, but the validation requirements depend on a business's transaction volume over a 12-month period and on the channel used to process payments. Each card brand publishes its own merchant levels; the four levels below follow the widely used Visa definitions:

Level 4 applies to any merchant processing fewer than 20,000 eCommerce transactions annually, or up to 1 million transactions annually across all channels (card present, card not present, online)

Level 3 applies to any merchant processing 20,000 to 1 million eCommerce transactions annually

Level 2 applies to any merchant that processes 1 to 6 million transactions annually, regardless of the channel

Level 1 applies to any merchant that processes over 6 million transactions annually, regardless of the channel

The best way for a merchant to determine their level is to ask their acquirer or payment processing provider. Validation is most demanding for Level 1 merchants, whose size and processing environment call for an on-site assessment, and scales down through Levels 2 and 3.

Most small- and medium-sized businesses fall into Level 4. The compliance requirements for Level 4 merchants are simpler, but not necessarily easier, in part because smaller businesses often lack dedicated IT and compliance staff. That's why it's important to work with a provider that offers PCI compliance tools and resources.

What are the general requirements for each level of compliance?

The PCI SSC recommends that small businesses think about compliance as a three-step process:

  1.  Assess.  Take inventory of every system that captures, stores, or transmits cardholder data, and then analyze those systems for vulnerabilities
  2.  Remediate.  Fix the vulnerabilities found in the first step, and stop storing cardholder data wherever your business processes allow; data you don't hold can't be stolen
  3.  Report.  Compile and submit the required validation documents to your acquiring bank and the card brands you work with (the Self-Assessment Questionnaire or Report on Compliance, together with the Attestation of Compliance form).
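
As an added example (not from the original article), the following Python script illustrates the Assess step in practice: it scans constructed sample log lines and an export record for card numbers that have slipped into storage, using the Luhn mod-10 check that every card brand's numbers satisfy, plus a simplified brand-prefix test to cut down false positives. The sample lines, the scan() function and the prefix table are assumptions made for this illustration; the card numbers are the brands' published test numbers, which pass Luhn but belong to no real account.

```python
import re

# Constructed sample data (not from any real system): application log lines
# and one row from a CSV export found on a merchant workstation. The card
# numbers are the card brands' published test PANs: they pass the Luhn check
# but belong to no real account.
SAMPLE_LINES = [
    "2019-07-30 10:01:02 INFO order=1001 card=4111111111111111 exp=12/22 amount=49.90",
    "2019-07-30 10:01:09 INFO order=1002 card=5500 0000 0000 0004 amount=12.00",
    "2019-07-30 10:02:15 INFO order=1003 token=tok_7f3a9c2e amount=80.00",
    "2019-07-30 10:03:40 DEBUG trace=1234567812345670 phone=0123456789012345",
    "Jane Doe,378282246310005,0619,jane@example.com",
]

# A run of 13 to 19 digits, allowing a single space or dash between digits
# (the separators people and spreadsheet exports commonly insert).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; every payment card PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(digits: str):
    """Simplified brand lookup by leading digits (assumption: enough for a
    first-pass scan; real IIN tables are far more detailed)."""
    if digits.startswith("4"):
        return "Visa"
    if digits[:2] in ("51", "52", "53", "54", "55") or 2221 <= int(digits[:4]) <= 2720:
        return "Mastercard"
    if digits[:2] in ("34", "37"):
        return "American Express"
    if digits.startswith(("6011", "65")):
        return "Discover"
    if digits.startswith("35"):
        return "JCB"
    return None


def mask(digits: str) -> str:
    """Report only the last four digits, so the scan output is not itself
    another copy of cardholder data."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(lines):
    """Return (line_number, masked_pan, brand) for every likely PAN found."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for match in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if not 13 <= len(digits) <= 19:
                continue
            if not luhn_ok(digits):
                continue                      # e.g. a phone number
            brand = brand_of(digits)
            if brand is None:
                continue                      # e.g. a Luhn-valid trace id
            findings.append((lineno, mask(digits), brand))
    return findings


if __name__ == "__main__":
    for lineno, masked, brand in scan(SAMPLE_LINES):
        print(f"line {lineno}: {brand} PAN {masked} stored in clear")
```

Run against the sample data the scan flags the Visa, Mastercard and American Express numbers on lines 1, 2 and 5 and ignores the token, the phone number (fails Luhn) and the trace id (passes Luhn but has no card prefix). Every hit is a system that is in scope and a candidate for the Remediate step: stop writing the number, or replace it with a token.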

With this in mind, the compliance requirements differ for each merchant level. Here are the general guidelines:

Level 1 merchants must complete an annual Report on Compliance (ROC) through a Qualified Security Assessor (QSA), a quarterly network scan by an Approved Scanning Vendor (ASV), and an Attestation of Compliance Form

Level 2 merchants must complete an Annual Self-Assessment Questionnaire (SAQ), a quarterly network scan by an ASV, and an Attestation of Compliance Form

Level 3 merchants must complete an Annual SAQ, a quarterly network scan by an ASV, and an Attestation of Compliance Form

Level 4 merchants must complete an Annual SAQ, a quarterly network scan by an ASV, and an Attestation of Compliance Form

Note that there are several SAQ forms, selected by how payments are accepted: for example, SAQ A covers card-not-present merchants that fully outsource payment handling and store no electronic cardholder data, while SAQ D covers merchants that qualify for no other form, as well as service providers. The number of questions ranges from as few as 14 for SAQ A to 347 for the SAQ D for service providers (counts change between versions of the standard). The quarterly ASV scan is likewise only required where the chosen SAQ calls for it; SAQ A, for instance, does not require one.

What happens if I don’t comply?

Failure to adhere to PCI security standards that leads to a data breach can have devastating financial consequences, including fines, fees, and loss of business. The cost of a breach depends on many factors, including the number of cards compromised and the resulting impact on the business.

Costs and penalties following a breach can include:

  • Card reissuance costs for each compromised card that must be reissued, typically $2-5 or more per card. The number of cards compromised per breach is usually in the thousands for small businesses and in the hundreds of thousands to millions for larger businesses.
  • Non-compliance fines passed on by the acquiring bank, ranging from $5,000-$10,000 per month
  • Mandatory forensic investigations and financial audits imposed by the card brands and paid for by the merchant
  • Additional fraud monitoring programs and technologies mandated by the card brands.

What is PA-DSS?

Whereas PCI DSS compliance is the merchant's responsibility, PA-DSS validation is the responsibility of the technology provider. PA-DSS stands for Payment Application Data Security Standard. In layman's terms, it means that the payment application software a vendor sells to merchants, such as the software running on a POS system or terminal, must meet the security standards set by the PCI council for handling payment data. (Hardware card-reading and PIN-entry devices are covered by a separate PCI standard, PTS, and PA-DSS itself is being superseded by the PCI Software Security Framework.)

A validated application has been assessed by a PCI SSC-qualified assessor and appears on the council's list, which lessens the merchant's burden in maintaining PCI compliance. Validation only holds, however, when the application is installed and configured according to the vendor's implementation guide; a validated application deployed with default passwords or with card data written to debug logs offers no protection. To ease their own compliance obligations, merchants are advised to use PA-DSS validated applications and providers.

What are the most vulnerable areas that need protection?

Protecting a business from data theft requires measures to secure sensitive customer data at all points through the payment transaction, from card entry to settlement. Data thieves will seek out the most vulnerable points to access information including:

  • Compromised card reader
  • Vulnerable online network
  • Weak remote access credentials
  • Paper records in a filing cabinet
  • Data in an online payment system database
  • Hidden camera that records your staff entering authentication data
  • Secret tap into your store’s networks—both wireless and wired

It’s imperative to take steps to protect the following:

  • POS (point of sale) systems
  • Card readers
  • Store networks and wireless access routers
  • Remote access links and accessibility
  • Payment card data storage and transmission
  • Payment card data kept in paper records
  • Online payment systems and eCommerce shopping carts

What payment technologies help secure data?

Encryption and tokenization are two technologies used to protect merchant and consumer data, and they address different stages of a transaction.

Encryption protects data in motion, such as when card data travels from the card reader to the payment processor and onward through the authorization process. With point-to-point encryption (P2PE), the card data is encrypted inside the reader itself and the merchant never holds the decryption keys, so readable cardholder data never enters the merchant's network. That is what reduces the scope of PCI compliance requirements and saves time and money in achieving and maintaining compliance; merely encrypting traffic from a system that still handles clear-text card data (for example, TLS on a web server that receives the card number) does not take that system out of scope.

Tokenization replaces the card number with a token, a surrogate value generated randomly (or otherwise without any mathematical relationship to the card number) and paired with the real number only inside the tokenization provider's vault. A stolen token is worthless to an attacker because there is nothing in it to decode. While encryption protects data in transit during authorization, tokenization protects data at rest and lets post-authorization services such as recurring billing, tip adjustments, delayed shipping, and card-not-present voids and returns run without the merchant ever storing the card number.
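
The following Python sketch, added here as an illustration and not taken from the article or from any payment provider's product, shows how a token vault decouples the merchant's order records from the card number: the merchant keeps only a random token and the last four digits, a processor-side vault holds the mapping, and a recurring charge goes through on the token alone. The class and method names, the in-memory vault and the published Visa test number are assumptions made for the example; a production vault lives at the provider, keeps its store encrypted and restricts detokenization to the authorization path.

```python
import json
import secrets


class TokenVault:
    """Toy tokenization service (assumption: an illustration, not any vendor's
    implementation). The in-memory dicts stand in for the provider's
    encrypted PAN store."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    @staticmethod
    def normalize(pan: str) -> str:
        digits = pan.replace(" ", "").replace("-", "")
        if not digits.isdigit() or not 13 <= len(digits) <= 19:
            raise ValueError("not a card number")
        return digits

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, creating one on first sight, so the
        same card always maps to the same token (needed for recurring billing)."""
        digits = self.normalize(pan)
        token = self._token_by_pan.get(digits)
        if token is None:
            # 128 bits from the OS CSPRNG: the token has no relationship to
            # the PAN, so a leaked token table reveals nothing and there is
            # nothing to "decode"; the vault mapping is the only way back.
            token = "tok_" + secrets.token_hex(16)
            self._token_by_pan[digits] = token
            self._pan_by_token[token] = digits
        return token

    def last4(self, token: str) -> str:
        """Display value for receipts; safe to hand to the merchant."""
        return self._pan_by_token[token][-4:]

    def detokenize(self, token: str) -> str:
        """Resolve a token back to the PAN. Only the processor's authorization
        path should be allowed to call this."""
        if token not in self._pan_by_token:
            raise KeyError("unknown token")
        return self._pan_by_token[token]


class Processor:
    """Stand-in for the payment processor that owns the vault; it is the only
    party that sees the PAN after checkout."""

    def __init__(self, vault: TokenVault):
        self.vault = vault

    def charge(self, token: str, amount: float) -> dict:
        pan = self.vault.detokenize(token)
        # Real code would send `pan` to the card network for authorization;
        # here any well-formed PAN is approved (assumption for the example).
        return {"status": "approved", "last4": pan[-4:], "amount": amount}


class MerchantOrders:
    """Merchant-side order records: they hold tokens and the last four digits,
    never the PAN, which keeps the order database out of scope."""

    def __init__(self, processor: Processor):
        self.processor = processor
        self.orders = []

    def checkout(self, pan: str, amount: float) -> str:
        token = self.processor.vault.tokenize(pan)   # PAN goes straight to the vault
        self.orders.append({"token": token, "last4": self.processor.vault.last4(token),
                            "amount": amount})
        return token

    def rebill(self, token: str, amount: float) -> str:
        """Post-authorization charge (recurring billing) driven by the token
        alone; the merchant never sees the PAN again."""
        result = self.processor.charge(token, amount)
        self.orders.append({"token": token, "last4": result["last4"], "amount": amount})
        return result["status"]

    def stores(self, pan: str) -> bool:
        """Assess-step check: does any stored record contain the PAN in clear?"""
        digits = TokenVault.normalize(pan)
        return any(digits in json.dumps(order) for order in self.orders)


if __name__ == "__main__":
    shop = MerchantOrders(Processor(TokenVault()))
    token = shop.checkout("4111 1111 1111 1111", 49.90)   # published Visa test PAN
    print("stored:", shop.orders[-1])
    print("rebill:", shop.rebill(token, 9.99))
    print("PAN in merchant records:", shop.stores("4111111111111111"))
```

The point of the design is the boundary: everything the merchant persists is a token, and detokenize() exists only on the processor's side. Swapping the random token for an encrypted copy of the PAN would put the merchant's database back in scope the moment the key became reachable from it.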

Who can help with becoming PCI compliant?

Some payment processors and gateway providers offer PCI compliance assistance to help automate the process to achieve and maintain compliance. Having this type of support is a big asset and time saver, so it’s important to consider a processor’s PCI compliance assistance solution when making your decision on which provider to use.

In addition to compliance tools and guidance, a good compliance assistance program will also provide financial protection to help cover costs in the event of a data breach. It’s similar to insurance, in that the provider will foot the bill for certain breach expenses within a certain limit following a qualifying breach event.

It’s important to understand the role your payment processor and other third-party vendors will play in your system security and compliance obligations, as well as the role you will play. You may depend on third parties to help you maintain system security and PCI compliance, but ultimately the responsibility rests with you.