Achieving compliance with PCI DSS: An introduction for business
Small or medium businesses which accept payments cards will need to understand what PCI DSS is. Through compliance with PCI DSS, businesses can better protect their customers’ sensitive data. However, for some SMB owners, it might feel somewhat overwhelming to undertake the necessary activities to achieve PCI DSS compliance.
Here we explain the crucial components of PCI DSS that you need to know and help you through the essential steps so that you can protect the business and your customers.
What is PCI DSS Compliance?
PCI DSS, an abbreviation for Payment Card Industry Data Security Standard, is a collection of standards to ensure the security, privacy and protection of payment card transactions.
PCI Compliance standards are set and regulated by the PCI Security Standard Council. This body initially developed the PCI data security system. Businesses which adopt and implement PCI standards are regarded as PCI compliant.
Version 3.2.1 is the latest version of the PCI DSS standard and was released in May 2018.
PCI Compliance goals and requirements
The PCI DSS standard has six principles, twelve essential requirements, and seventy-eight base requirements. The six major principles of the PCI DSS include:
- Build and maintain secure networks and systems;
- Protect Cardholder Data;
- Maintain a Vulnerability Management Program;
- Implement Strong Access Control Measures;
- Regularly Monitor and Test Networks;
- Maintain an Information Security Policy.
See also PCI-DSS: The 6 Major Principles
These principles aim to improve data and information protection, and in the case of a breach, build a robust control network.
The 6 PCI DSS goals and requirements are presented below:
PCI DSS history and background
The PCI DSS standard was created in 2006, as online shopping was becoming established. As the popularity of online shopping increased, many organisations opted to enable their payment systems for the internet, connecting to varying types of terminals.
As consumers became more comfortable using credit cards to buy their goods online, and online payment systems became more established, the different avenues of commerce exposed businesses to more risks – giving opportunity for cybercriminals and fraudster to steal credit card data from unsecured networks.
To combat such risks, five of the established credit card companies – American Express, Discover, JCB, Mastercard & Visa — responded by developing the Payment Card Industry Data Security Standard (PCI DSS) with the sole aim of preventing data breaches. The advent of this regulation was a crucial milestone in maintaining the security of the credit card payment industry.
To effectively manage PCI compliance standards, an independent organisation, the PCI Security Standards Council was established. This body aims to monitor threats and improve the way such threats are dealt with by the industry, by enhancing the PCI Security Standards and through the training of security professionals.
It is essential to take note that, PCI DSS has a self-regulating mandate. Essentially this means the liability of maintaining compliance is with the merchants and not with the payment card industry or the PCI Security Standards Council.
As such, while the Council is accountable for creating standards and properly creating rules for what merchants have to follow, the responsibility for enforcement falls with the payment card provider.
Due to the comprehensive nature of PCI DSS, the standard is held in regard by data security experts. As a business which accepts payment cards, maintaining compliance with PCI DSS helps protect your business against cyber threats.
Understanding PCI DSS compliance
PCI DSS means payment security standards that let merchants safely and securely accept, store and send out private cardholder information when using a credit or debit card for financial transactions.
Cardholder data (CHD) covers the primary account number (PAN) or the “long, 16-digit card number” on the front of the card, the name of the cardholder, including card service codes and the expiry date. Merchants are also accountable for protecting the information contained in the magnetic stripe on the card.
To accurately identify if your business is susceptible to a cyber-attack, you need to be aware of the potential places where the cardholder data might be illicitly obtained. For example, private cardholder information may be taken from:
- Card readers that have been compromised
- Insecure payment database systems
- Discrete recordings while entering authentication data
- A hack into a store’s network (wired or wireless)
- Paper and documents that are stored in the cabinet
Consequently, it is essential to ensure the whole payment life cycle adequately secured – from accepting the credit card and processing payment to protecting cardholder information when it is captured at the sales point, and transmitted to your merchant account.
PCI standards are applicable to:
- Card readers
- POS (Point-of-sale) systems
- Credit/debit card data storage and transmission
- Credit/debit card data stored in paper records
- Online payment apps and shopping carts
- Store networks and wireless routers
Achieving compliance to PCI DSS standard, and maintaining that standard is a rather complicated and arduous process. It means integrating proper security controls, potentially hiring expensive external consultants to install costly hardware and software, and agreeing to the Banks’ terms for an annual assessment on your business for PCI compliance.
Who needs PCI compliance?
The PCI DSS standard was created to strengthen cardholder data security and support the global adoption of consistent and wide-ranging data security measures.
In general, any business with a merchant ID which accepts payment (credit/debit) cards must adhere to the PCI DSS standards.
However, it should be noted, that complying with the PCI DSS standard is not legally mandatory, but is an industry requirement. However, failing to comply may result in a fine, an increase of transaction fees, or even termination of the merchant account.
PCI Compliance levels
Businesses which accept American Express, Discover, JCB, Mastercard, and Visa are required to be PCI compliant at different levels, dependent on their transaction volume.
65% of small businesses miss the mark on minimum compliance requirements
Depending on your processing volume, compliance reporting requirements can vary. For example, merchants processing high volumes of transactions need to collaborate with several functions such as internal security assessors (ISAs), qualified security assessors (QSAs), and PCI-approved scan vendors (ASVs).
In total, four levels of compliance are used to determine the requirements for compliance reporting. A stipulated by the PCI Council, 100 per cent compliance with the criteria is required to pass. Therefore, due to this complexity, larger firms tend to work with PCI consultants to ensure they can meet all requirements for their level.
Depending on the transaction volume during a 12-month period, every merchant will fall into one of these four categories. Every payment card issuer has its own nuanced criteria, the following compliance levels with PCI DSS are based on Visa’s guidelines:
Merchants which process over 6M transactions per annum
Any merchant which has experienced a data breach or attack which resulted in account data being compromised
Any merchant recognised by any card association as Level 1
Merchants which process 1M to 6M transactions per annum
Merchants which process 20,000 to 1M e-commerce transactions per annum
Merchants which process less than 20,000 e-commerce transactions and all other merchants which process up to 1M transactions per annum
What are the results for not complying properly?
PCI DSS is complex, and most businesses seek external assistance to translate, interpret and employ best practices to achieve compliance with PCI DSS. If you are unclear about the rules, then you are not alone.
As a matter of fact, thirty per cent of small businesses report that they are unclear on the penalties for non-compliance with PCI DSS.
However, while PCI compliance is not a legal requirement, it does not mean that complying with PCI DSS is unnecessary. Almost two-thirds of smaller businesses are impacted by inadequate data security. Industry requirements aside, business wishing to protect their customers and businesses from a data breach will gain immense value from securing their payment processing life cycle to PCI DSS standards.
Businesses which do not comply with PCI DSS standards can be exposed to data breaches. In the event of a brach, businesses that do not meet PCI DSS standards could face fines, costs for replacement cards, costs for forensic audits, and investigations into the business. Not to mention any reputational damage.
Financial institutions pass these costs to the merchant and contracts can be cancelled, or extra transactions fees might be the result of violating account hacks and data breaches. Not complying with your requirement commitment could mean you are banned from accepting cards or increased fees to process cards.
Fines for non-compliance with PCI DSS are not widely publicised. They can be detrimental to the business, ranging from £3,000 to £60,000 depending on your bank’s merchant account agreement.
Apart from the financial cost, other liabilities may compromise your business. According to the PCI Security Standards, non-compliance to PCI DSS standards and a resultant data breach may result in:
- Loss of confidence amongst customers
- Loss of business
- Decrease in sales
- Costs for replacement payment cards
- Higher future costs for compliance
- Legal, settlement and judgement costs
- Penalties and fines
- Termination of merchant account facility
- Loss of management jobs (CIO, CISO, CEO)
What does it cost to become PCI DSS compliant?
Costs depend on the size of your business, the level of security already deployment, and the technology your business already has in place. Any of these components may need to be remediated or replaced as part of compliance activities.
“The PCI process makes up 55% of the whole security budget for merchants.”
Attaining PCI DSS compliance and maintaining it can be costly, primarily depending on the type and size of your business and the compliance level that your business is assigned.
Typically, the costs, by level, range from:
PCI Compliance Level 4: €60 each month and above
- The costs included is a proper ASV, and there is also a proper regular network scan. Moreover, it is necessary to complete an SAQ as wells as attestation documents of you and your staff.
PCI Compliance Level 3: €1000 each year and above
- The costs might need scans regularly by the ASVs. Moreover, the computer network has to be expanded along with the number of IP addresses. Self-Assessment Papers and Attestation Forms have to sign as well.
PCI Compliance Level 2: €8000 to €40000 each year and above
- Your fees include getting scans regularly by ASVs, and a proper annual Report that complies with QSA and attestation documents.
PCI Compliance Level 1: €50,000 and above
- The costs include a proper network scan regularly by the ASV, an annual report complying with QSA and attestation documents.
- Make sure to watch out for service providers that can take advantage of you and charge high fees but only meet a small part of the PCI requirements.