Navigate PCI compliance with ease: Understand the essentials, best practices, and steps for securing cardholder data in our comprehensive guide.
A security breach is one of the worst things that can happen to your business. Losing your customers' trust in your ability to hold their sensitive information securely can by itself cost you thousands of pounds in revenue, and may even threaten the ongoing viability of the business.
With this in mind, if you accept card payments by any means, PCI (Payment Card Industry) compliance is critical to the ongoing functioning of your company. But what is it, and how can you achieve it for your business so that you are not an easy target for attackers?
PCI compliance applies to any company that stores, processes or transmits credit or debit card data, and to any third party whose systems could affect the security of that data. These standards drive the global adoption of a consistent set of security measures designed to protect online and offline credit and debit card transactions from data theft and fraud.
The PCI DSS sets out twelve requirements, grouped under six objectives, that a business must meet to be compliant. Each card brand, such as Visa and Mastercard, also runs its own compliance programme built on the standards set by the PCI SSC; it is the brand's programme that defines merchant levels and how compliance must be validated. It is important to remember that PCI compliance isn't a one-time matter: the controls must be maintained continuously, and compliance has to be validated every year.
PCI compliance is an industry security standard rather than a law, but it is mandated by the contracts that merchants sign with the card brands (Visa, Mastercard, etc.) and with the acquiring banks that handle their payment processing. The security requirements themselves are the same for everyone; what changes with the size of your business is how compliance must be validated, and the burden is heavier for companies that process a greater number of payments.
PCI compliance ordinarily refers to PCI DSS, a set of 12 requirements that businesses must follow when accepting card payments and when transmitting, processing and storing the related data. It covers controls such as encrypting cardholder data, maintaining firewalls and other network security controls, keeping anti-malware protection current, and assigning a unique ID to every person with access to systems that handle card data.
The difference between PCI and PCI DSS is one of scope. PCI (Payment Card Industry) is the sector itself, and in everyday usage the name also refers to the PCI Security Standards Council founded by the major card brands; PCI DSS is the specific security standard that businesses must adhere to when handling cardholder data.
Any merchant or service provider that handles card data, online or offline, must follow the requirements of the PCI DSS (the PCI Data Security Standard). The standard is managed by the Payment Card Industry Security Standards Council (PCI SSC).
The twelve requirements of PCI DSS (using the version 4.0 wording), grouped under their six goals, are as follows:
Build and maintain a secure network and systems
1. Install and maintain network security controls.
2. Apply secure configurations to all system components.
Protect account data
3. Protect stored account data.
4. Protect cardholder data with strong cryptography during transmission over open, public networks.
Maintain a vulnerability management programme
5. Protect all systems and networks from malicious software.
6. Develop and maintain secure systems and software.
Implement strong access control measures
7. Restrict access to system components and cardholder data by business need to know.
8. Identify users and authenticate access to system components.
9. Restrict physical access to cardholder data.
Regularly monitor and test networks
10. Log and monitor all access to system components and cardholder data.
11. Test security of systems and networks regularly.
Maintain an information security policy
12. Support information security with organisational policies and programmes.
There are four merchant levels, set by each card brand according to how many card transactions you take each year. The thresholds below are Visa's; Mastercard's are similar but not identical, so check with your acquirer which level applies to you:
Level 1: merchants that process more than 6 million transactions annually (plus any merchant the card brand chooses to designate as Level 1, for example after a breach).
Level 2: merchants that process between 1 million and 6 million transactions annually.
Level 3: merchants that process between 20,000 and 1 million e-commerce transactions annually.
Level 4: merchants that process fewer than 20,000 e-commerce transactions annually, and all other merchants processing up to 1 million transactions annually.
At Levels 2, 3 and 4 your business validates compliance by completing a Self-Assessment Questionnaire (SAQ); which SAQ applies depends on how you accept payments, and a fully outsourced e-commerce checkout qualifies for a far shorter questionnaire than a setup where card data touches your own systems. At Level 1 the SAQ is replaced by an annual Report on Compliance (ROC), an on-site assessment carried out by a Qualified Security Assessor (QSA), or by your internal audit function (an Internal Security Assessor) if an officer of the company signs off on the result. In both cases an Attestation of Compliance (AOC) is submitted to your acquirer, and every ROC and several of the SAQ types also require quarterly external vulnerability scans by a PCI-approved scanning vendor (ASV). Using an external assessor helps ensure that you are actually meeting all the requirements rather than merely believing you are.
Self-assessment is accepted from smaller businesses, but the gold standard is an independent QSA assessment resulting in a ROC and AOC, which is what people usually mean by "PCI DSS certification" (strictly, the PCI SSC does not issue certificates; the ROC and AOC are the evidence of compliance). The criteria assessed are the same in both cases; the difference is that a QSA assessment is an unbiased, evidence-based audit, so it gives your acquirer and your customers stronger assurance that you really are protecting payment data.
The following broad guidelines should help you to achieve compliance:
You'll need a properly configured firewall (or equivalent network security controls) between the systems that handle card data and everything else, and you should test its rules regularly to confirm they are still effective. Segmenting the cardholder data environment from the rest of your network in this way also reduces the number of systems that fall within the scope of your assessment.
PCI DSS requires that every user and administrator has a unique account (no shared logins) and that passwords meet the standard's minimum strength rules: under PCI DSS v4.0 at least 12 characters containing both letters and numbers (eight where a system cannot support twelve), not reused from the last four passwords, changed at least every 90 days where a password is the only authentication factor, and with accounts locked after repeated failed attempts. Multi-factor authentication is required for all access into the cardholder data environment and for all remote access to your network. Enforcing mixed case and symbols on top of this is sensible, but it is not what the standard measures.
The standard requires both technical and physical controls against unauthorised access to cardholder data: authentication and access control on systems, locked server rooms and racks, and locked cabinets for any paper records that contain card data. Access to cardholder data must be limited to people with a business need to know, and cardholder data must be encrypted with strong cryptography whenever it is transmitted over open, public networks.
A security policy should be drafted, supported by management, and made known across the organisation, as well as to third-party vendors and customers. You should include a summary of how you protect customer data, explaining password and access requirements.
Have a clear process for detecting, remediating, mitigating and recovering from security incidents.
Identify and review changes made to processes or technologies affecting cardholder data. Establish change controls, identifying the impact on compliance for every change.
Many of the world's biggest security breaches resulted from exploitation of a known software vulnerability for which a patch already existed. Keeping software up to date, scanning systems for vulnerabilities and remediating what is found is a critical defensive measure; PCI DSS v4.0 expects critical and high-risk patches to be applied within one month of release, and internal and external vulnerability scans to be run at least quarterly and after any significant change.
Your acquirer will usually give you a grace period after you first start taking payments (commonly quoted as 90 days) before you must demonstrate that you meet the requirements of the PCI DSS; check your merchant agreement for the exact terms. After that, you'll need to keep meeting the requirements continuously and show that you are doing so at least once a year.
Although PCI DSS isn't a matter of law, the consequences of failing to adhere to it can be severe. Non-compliance doesn't attract a single one-off fine. Instead, the card brands levy penalties on your acquiring bank, which passes them on to you, commonly cited as between $5,000 (around £4,000) and $100,000 (around £78,500) a month until compliance is achieved.
Organisations can also face other punitive measures from their acquiring bank. For example, the bank might increase its transaction fees or terminate the relationship with the merchant altogether. Additionally, banks can implement stricter compliance requirements for organisations that commit repeated or egregious mistakes.
If you are completing an SAQ, the compliance process can take anywhere from a day to a couple of weeks, depending on the complexity of your systems, the size of your company and how long you take to gather the evidence. A QSA-led on-site assessment for a Level 1 merchant is a longer engagement, typically measured in weeks or months.
Qualified Security Assessor (QSA) can refer either to a company approved by the PCI SSC to perform PCI DSS assessments and related consulting, or to an individual assessor employed by such a company. If your company needs a formal PCI DSS audit, it will be performed by a QSA.
At the outset the requirements for PCI DSS compliance can look close to overwhelming, but perhaps the most important thing to remember is that compliance is a matter of your business's security culture rather than a box-ticking exercise. There is no escaping these requirements: they are a condition of continuing to take advantage of the opportunities afforded by the rapid growth in global credit and debit card use. Adhering to them strictly will only increase the trust of the people who matter most to your business: your customers.
© Switch Pal Limited 2024
All rights reserved. Switch Pal Limited is registered in England & Wales: 12545529