Running a business is all about the details. Small mistakes can spiral into big issues, and being proactive is your best bet for growth.
PCI compliance is one of those to-dos that can fly under the radar, but the consequences of a breach are devastating. As a business owner or manager, it’s your responsibility to stay on top of PCI compliance and protect your customers’ data when processing transactions.
And PCI doesn’t go away the more you grow; it actually gets more complex and important.
We’re going to cover what PCI stands for, the meaning of PCI compliance, why it’s important, and what you can do to stay compliant.
What does PCI stand for?
The full acronym, PCI DSS, stands for Payment Card Industry Data Security Standard — a set of rules and guidelines that businesses must follow in order to protect cardholders while supporting credit card transactions.
The standard is established and set by the PCI Security Standards Council which defines PCI DSS as follows:
A set of standards created by major payment card companies to protect consumers and avoid liability by forcing businesses involved in the payment card ecosystem to implement safety measures and processes.
The council is managed by executive staff and a committee representing the largest payment card brands, such as AMEX, JCB, Visa, MasterCard, and Discover. These members of the payment industry are assisted by many advisors throughout the process of creating and updating the requirements.
What is PCI compliance?
PCI compliance, required of any merchant, retailer, or organization of any size, means following this set of standards when processing, storing, or transmitting a cardholder’s financial information or authentication data.
The history of PCI compliance dates back to the 1990s when internet transactions and breaches first began. Cardmember companies recognized a growing problem and needed a way to formalize cardmember security.
The PCI Security Standards Council was founded in 2006 by American Express, Discover, JCB International, MasterCard, and Visa Inc., and they each share in its governance and help guide the council’s work.
While the council is responsible for releasing and updating the general guidelines and questionnaires, it’s the cardmember associations’ responsibility to enforce these guidelines among sellers accepting payment cards.
In order to transact with these cardmember associations, your business must conduct annual assessments and submit them to the council/cardmember associations for review.
Depending on your business, you may need or choose to hire an on-site Qualified Security Assessor or take remote security assessments via third-party companies.
What are the most important PCI standards?
Among the twelve PCI compliance guidelines, four general rules of thumb stand out:
1. Defend cardholder data
Write policies that govern data retention and disposal, and make sure those policies are actually being followed. Use encryption. Mask data and render it unreadable.
2. Defend against external threats
Use properly configured firewalls. Use anti-virus measures. Configure routers securely. Review firewall and router rules every 6 months.
3. Defend against the internal threat
Screen employees, enforce least-privilege policies, and require documented approvals.
4. Defend against complacency
Regular compliance checking, continuous tracking and monitoring, alerts on suspicious activity, auditing logs, and more.
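To make rules 1 and 4 concrete, here is an added example in Python (it is not from the original article or from Tidal Commerce): it masks a PAN so that at most the first six and last four digits are displayed, replaces a stored PAN with a keyed one-way hash, and scans log lines for card numbers written in the clear, using the Luhn check to skip order ids and other digit runs. The log lines are constructed, the card numbers are the standard Visa, MasterCard and Amex test numbers, and the HMAC key is a placeholder.

```python
import hashlib
import hmac
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; weeds out order ids and other random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: at most first six and last four digits stay visible."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_reference(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the PAN: matches repeat cards without storing the PAN.
    The key is assumed to be kept outside the database that holds these values."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def find_unmasked_pans(log_lines):
    """Return (line_no, masked_pan) for each Luhn-valid PAN logged in clear text."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append((n, mask_pan(digits)))
    return hits


# Constructed log lines; the PANs are the standard Visa/MasterCard test numbers.
SAMPLE_LOG = [
    "2016-04-12 10:02:11 INFO checkout order=A1001 pan=4111111111111111 amount=42.10",
    "2016-04-12 10:02:12 INFO checkout order=A1002 pan=411111******1111 amount=19.99",
    "2016-04-12 10:02:13 INFO refund order=A1003 ref=1234567890123456 amount=5.00",
    "2016-04-12 10:02:14 INFO checkout order=A1004 pan=5555 5555 5555 4444 amount=7.50",
]
```

Running `find_unmasked_pans(SAMPLE_LOG)` flags lines 1 and 4 only: line 2 is already masked and the 16-digit reference on line 3 fails the Luhn check.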
For an overview of all twelve PCI security standards, visit our PCI compliance checklist.
The importance of PCI compliance
Keeping your cardholder data secure is important for your entire business, regardless of how many stores you have or locations you operate in. A breach is damaging for many reasons:
- Having to absorb any and all fraud that occurred during the breach.
- Losing customers’ trust, reducing customer lifetime values, and overall revenue.
- Shelling out thousands of dollars in fines.
- Paying all the legal costs, settlements, and judgments that accompany a customer lawsuit.
- Losing your business’s ability to accept credit cards.
- Just plain going out of business.
And breaches are not rare: the average breach costs $4 million, and more than 898 million records were compromised across 4,823 breaches between January 2005 and April 2016, according to privacyrights.org. And those are just the ones that were publicly reported.
For a small business in Level 3 or 4, PCI compliance is especially important for ensuring that your organization does not incur such hefty legal fees.
Further, providing a safe mode of transaction ensures that consumers trust not only your business with their information and payment method but also the purchasing process overall.
How do you become PCI compliant?
Achieving PCI compliance typically involves completing a yearly self-assessment questionnaire (SAQ) and/or conducting and passing quarterly PCI security scans.
PCI compliance software has made it a lot easier to manage in recent years and can sometimes eliminate the need to fill these questionnaires out altogether, but you can also download the questionnaire directly from the council’s site.
A couple of things to note before we dive in:
- Just because you use software that is PCI compliant does not mean you are PCI compliant.
- The most common PCI pain points for businesses occur around the storage and transmission of cardholder data and network security.
- Having proper documentation and consistently scanning is the most effective way to reduce your risk of a breach.
- You will be charged a non-compliance fee if you continue to accept credit cards without being compliant.
The two most important steps of the payment process you need to focus on securing are when cardholder data is captured at your point of sale and when it flows into your payment system, but merchant-based vulnerabilities can happen almost anywhere in the card-processing ecosystem, including:
- Card readers and point of sale systems/devices.
- Mobile devices.
- Personal computers or servers.
- Networks and wireless access routers.
- Remote-access connections.
- Payment card data stored in paper-based records.
The security council offers a checklist for staying compliant on its site. These are 12 guidelines supplied by the payment card companies that are designed to be a thorough and achievable defense against consumer information breaches.
We cover all 12 guidelines and more in our PCI compliance checklist.
Understanding PCI DSS compliance levels
Full compliance with PCI DSS version 3.2 became mandatory as of May 2018, and the validation requirements vary according to the size of your business and your cardmember association. Most businesses fall into Level 4, which we’ll cover below.
In the past, the security council noticed that businesses were only checking for PCI compliance once a year, typically in Q4. To combat this behavior, the council now requires merchants to have proof of processes in place at all times.
Security isn’t a once-in-a-while thing; it needs to be a constant effort from businesses, but how PCI compliance is validated depends on the size of the business.
Here’s a quick overview of the Merchant Levels, and if you’d like to know more, read our complete guide to PCI compliance levels.
Merchant Level 4
Merchant accepts/processes fewer than 20,000 Visa or MasterCard online transactions, or up to 1 million total transactions, annually.
Merchant Level 3
Merchant accepts/processes 20,000-1 million Visa or MasterCard online transactions annually.
Merchant Level 2
Merchant accepts/processes 1 million-6 million Visa or MasterCard online transactions annually.
Merchant Level 1
Merchant accepts/processes over 6 million Visa transactions per year, has had a data breach that resulted in account data compromise, and/or is identified as Level 1 by the Security Standards Council.
Staying PCI compliant is easier than ever
Partnering with an experienced and trusted payment processor such as Tidal Commerce simplifies the process and ensures that your business is always in compliance with the latest regulations.
Going above and beyond, Tidal Commerce also enrolls each of its merchants into a breach coverage program, which provides up to $100,000 in coverage to merchants in the event of a breach. This coverage is rare in the industry, as normally the merchant is the one to suffer if they are breached and did not understand the responsibility or severity.
The sooner you switch your payment processing to Tidal, the better and safer your business will be.