December 23, 2019//Tony HowlettLast Updated: November 19, 2020
For any business accepting credit card payments, PCI DSS compliance should be at the top of its must-do list.
The Payment Card Industry Data Security Standard is a set of rules established to create a secure environment within all companies that accept, process, store, or transmit credit card information.
The standard was launched in 2006 by the Payment Card Industry Security Standards Council, an independent group set up by the major payment card companies — Visa, MasterCard, American Express, Discover, and JCB. The council manages and administers PCI DSS, but the card companies enforce compliance. Adherence to the standard was optional at first, but has become mandatory for any company accepting payment cards. Any merchant wishing to take payment cards must attest they are PCI DSS compliant, or they risk both penalties and fines. The standard has gone through several updates and is now on version 3.2.1.
Compliance can be extraordinarily effective in protecting cardholder data and breaches in general. “Our data shows that we have never investigated a payment card security data breach for a PCI DSS compliant organization,” Rodolphe Simonetti, global managing director for security consulting at Verizon, said in a statement about his company’s 2019 Payment Security Report.
For compliance purposes, the size of a business doesn’t matter. Any enterprise that accepts, transmits, or stores the data of cardholders must comply with PCI requirements, even if you use an external provider and don’t store cardholder data in-house. However, organizations that process 100% via third parties are eligible to use a much shorter compliance checklist (see below).
Although all businesses must comply with PCI DSS regardless of size, size does play a role in how businesses are classified for compliance purposes. There are four such merchant levels based on transaction volumes over a 12-month period.
Any merchant, regardless of how many payment card transactions they process, may be moved to a higher level if they suffer a data breach.
In addition to the levels, there are also nine SAQs, which are used to document an organization’s compliance. Their lengths vary from 22 to 329 questions. Which SAQ is right for a business depends on how it processes payment cards and cardholder information. For example, “card-not-present” merchants would probably fill out SAQ A, while merchants using approved point-to-point encryption devices, with no electronic card data storage would fill out an SAQ P2PE.
To be in compliance with the PCI DSS, businesses must meet 12 security controls. They require entities handling credit card data to do these things:
In some cases, compensating controls can be substituted for PCI controls, but they must be approved by a PCI Qualified Security Assessor.
If cardholder data is compromised in a data breach, a business can be subjected to $50 to $90 per cardholder in fines. Worse, though, the business’s relationship with its payment processor and the bank may be terminated. Small businesses can expect to pay around $300 a year to maintain their PCI compliance, while larger enterprises can pay $70,000 or more to maintain their compliance.
Fines and costs, though, shouldn’t be a business’s prime motivators for complying with the PCI DSS. The price tag for non-compliance can be much higher. With the global average of a data breach this year pegged at $3.9 million, it’s more important than ever for PCI DSS compliance to become a top priority for any business dealing with payment card data.
PCI DSS is relevant for most industries. To find out what your company needs to do to comply with this payment processing regulation, check out our PCI compliance checklist.