Payment Card Industry Data Security Standards (PCI DSS) are a set of standards overseen by the Payment Card Industry Security Standards Council (PCI SSC) to help protect your business from data theft and fraud. It is imperative to adhere to these standards if you accept online, phone or card machine payments.
There are 12 requirements that you must meet in order to be PCI DSS compliant. These 12 requirements are broken down into the below goals which are:
Build and maintain a secure network
Protect cardholder data
Create a vulnerability management program
Implement strong access control measures
Monitor and test networks regularly
Develop an information security policy
These standards are in place to ensure transactions are trusted and secure for the hundreds of millions of people around the world who use cards on a daily basis.
Your business is required to adhere to the regulations at all times and must keep up to date with any updates that may occur. For further details on what PCI DSS is and all of the goals and regulations, see our “What is PCI?” article.
Who is required to be PCI Compliant?
As mentioned above any business, large or small, that stores, processes or transmits cardholder data must be PCI compliant in order to protect both your customers and your business from costly data breaches and fraud.
However, the PCI requirements do vary based on the number of transactions that are made at your business over 12 months and how the payments are processed, whether it be online, over the phone or using a card machine. These are broken down into four PCI compliance levels.
It’s worth contacting your acquirer (merchant bank) or PSP if you need help with compliance validation.
For a more detailed description of who is required to be PCI DSS compliant and the requirements per level, see our ‘Who is required to be PCI compliant?’ article
How do I get PCI Certified?
If you are looking at becoming PCI compliant there are several steps you need to take to ensure you are certified.
The level your business sits in will dictate how to approach becoming certified.
Businesses must complete an annual Report on Compliance (ROC) - an external audit performed by a Qualified Security Assessor (QSA) - a quarterly network scan by an Approved Scanning Vendor (ASV) and an Attestation of Compliance Form
Businesses must complete an Annual Self-Assessment Questionnaire (SAQ), a quarterly network scan and the Attestation of Compliance Form.
Bear in mind it’s worth working with a payment processing provider to help you with the correct compliance tools and resources before you begin and to make it a smoother process.
For further information on how to get PCI certified, see our ‘How Do I Get PCI Certified?’ article.
Failure To Comply
It is mandatory in most countries around the world for businesses to be PCI compliant. Failing to comply with these regulations can have a devastating impact on your business in many ways:
Substantial fines and penalties, even for smaller businesses
Loss of customers
Legal costs, settlements and judgements
The risk of losing your merchant account, meaning you won’t be able to accept any credit card transactions in the future.
Loss of jobs
Going out of business
Being PCI DSS compliant can help ensure the rest of your businesses infrastructure is secure, by tightening up security procedures to ensure greater protection.
For further information about the consequences of failing to comply with PCI standards, see our ‘PCI - Failure To Comply’ article.