What is PCI compliance?

PCI compliance, or Payment Card Industry Data Security Standard (PCI DSS) compliance, is a set of security standards and requirements aimed at protecting credit card data.

Why is being PCI compliant important?

  • Protects sensitive data
  • Complies with legal requirements
  • Builds and maintains customer trust
  • Avoids financial losses
  • Preserves your company's reputation
  • Ensures continued access to payment processing services

Who needs to be PCI compliant?

Adhering to PCI compliance is necessary for any organization that handles credit card payments or processes, stores, or transmits credit card data. As such, merchants who accept card transactions, regardless of method (e.g. eCommerce, in-store, over-the-phone, etc.), must meet and maintain PCI compliance.

What do the different levels of PCI compliance mean?

While all card-accepting merchants — regardless of size/number of transactions — are required to maintain PCI compliance, the level of compliance each merchant is responsible for is dictated by transaction volume. The larger the business, the higher the validation level, resulting in more stringent compliance requirements:

  • Level 1: Merchants processing more than 6 million card transactions annually
  • Level 2: Merchants processing 1 million to 6 million card transactions annually
  • Level 3: Merchants processing 20,000 to 1 million eComm card transactions per year and fewer than 1 million card transactions annually
  • Level 4: Merchants processing fewer than 20,000 eComm card transactions per year and up to 1 million card transactions annually

The requirements for each level are mostly the same, with the main difference being the number of requirements that must be met, as well as the level of detail required in the documentation.

Please keep in mind: Merchants who experience a security breach that compromises cardholder data may be advanced to a higher validation level. For example, the card brands may decide to move a Level 2 merchant who suffered a breach to Level 1. In this case, the merchant would be responsible for a more rigorous level of compliance.

What are the categories of PCI compliance?

Regardless of compliance level, there are twelve categories of PCI DSS requirements that all card-accepting merchants must meet. Failure to do so may result in financial penalties imposed by the card brands. The categories (listed below) are composed of more than 275 questions/requirements that are dependent upon the compliance level the merchant falls under.

  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect stored cardholder data
  • Encrypt the transmission of cardholder data across open, public networks
  • Protect all systems against malware and regularly update anti-virus software or programs
  • Develop and maintain secure systems and applications
  • Restrict access to cardholder data to authorized personnel, systems, and processes
  • Identify and authenticate access to system components
  • Restrict physical access to cardholder data
  • Track and monitor access to network resources and cardholder data
  • Regularly test security systems and processes
  • Maintain a policy that addresses information security for all personnel

How do you become PCI-compliant?

In general, a business must do three things to become PCI-compliant:

  • Meet PCI DSS requirements
  • Complete an assessment that demonstrates your business systems and practices are secure — small businesses typically can perform a self-assessment
  • Perform a network scan on the network you use to process payments — this requires the help of an outside party; in some cases (like with Propelr), your payments partner will provide this service

Are there risks of non-compliance?

While the PCI DSS is a set of standards, not laws, almost every state has enacted legislation that requires merchants to notify their customers of security breaches. Both state and federal privacy regulations also forbid merchants from storing unencrypted cardholder data.

Did you know? Cardholder data refers to personally identifiable information (PII) associated with the owner of a debit, credit, or prepaid card. This includes PINs, social security numbers, card numbers, and more.

Failure to comply with PCI standards can result in costly consequences — including fines, legal fees, card replacement costs, forensic audits, decreases in stock equity, reputation damage, and loss of business.

Where do you go for assistance with PCI compliance?

Payment processors don’t have to provide compliance assistance, so you should make a concerted effort to find a full-service partner, like Propelr, to help simplify your compliance needs and ensure you’re meeting all requirements. A true payments partner can help reduce your risk of exposure and act as your security advisor by identifying system vulnerabilities that could be targeted by cybercriminals. Your payments provider should also be well versed in the latest compliance rules, as well as the various payment technologies that help reduce, or even remove, your systems from PCI scope.
