Ignoring PCI compliance could cost you more than you think.
Mo’ money, more problems? If you work in an industry where you handle credit card data, you could find yourself in a lot of trouble if you ignore PCI compliance. But what exactly is PCI compliance and who needs to worry about it? We’ve put together your guide to answer all the burning questions you have.
Looking for a specific topic regarding PCI compliance? Use the links below to jump ahead:
Payment Card Industry (PCI) compliance is a set of regulations developed to ensure that the credit card industry is properly managing and securing customer data. Before it was formed in 2006, there was no clear industry standard that all credit card companies had to follow, and that's a problem for any company that deals with big data.
Before we go any further, let’s dig into some quick definitions to help keep things straight:
PCI – The Payment Card Industry, also known as your major credit card companies
PCI SSS – The Payment Card Industry Security Standards Council that is in charge of creating PCI compliance regulations
DSS – Data Security Standards, or the regulations being placed on anyone who has to follow PCI compliance
PCI DSS – Payment Card Industry Data Security Standards, the more common way of referring to the standards set for anyone who has to follow PCI compliance
In 2006, Visa, MasterCard, Discover, and AMEX established the PCI Security Standards Council (PCI SSS) to help regulate the credit card industry and establish clear operating guidelines for how consumer credit card information should be handled.
As with many compliance programs, PCI has seen several changes over the years. The most recent version is known as PCI DSS 3.2. It was first introduced in 2016 and officially replaced the old version of PCI on February 1, 2018.
Who oversees PCI compliance?
There are two regulatory bodies that oversee PCI compliance:
The PCI Security Standards Council (PCI SSC) which designs the specific Data Security Standards (DSS) that are required of all merchants regardless of revenue and credit card transaction volumes.
The credit card companies Visa, MasterCard, Discover, and AMEX, who enforce consequences for PCI compliance violations
Basically, the PCI SCC is in charge of designing and implementing the standards for compliance. Any company that doesn’t adhere to them will have to deal with repercussions as set by the credit card companies themselves.
Who needs to stay PCI compliant?
In short – any merchant that processes, stores, or transmits credit card data is required to be PCI compliant.
All of the major credit card companies came together and decided that merchants and service providers who handle consumer credit card information must prove that they are appropriately protecting that information.
This standard applies to all businesses, regardless of size. If you run a business and you handle credit card information from customers, you must adhere to PCI compliance regulations. It might be time to hire a chief compliance officer. Every business falls into a PCI compliance level, and each level requires a different standard of compliance difficulty.
There are four PCI compliance levels:
Level 1 is reserved for large enterprise corporations and has the most rigorous PCI compliance requirements. Nearly all small to medium-sized businesses will classify in the lower two levels. This does not mean that they can take it easier than larger enterprise corporations. Everyone is equally responsible to keep PCI compliance in the eyes of the PCI Security Standards Council.
But wait, does that mean that independent sellers need to create their own PCI compliance program?
Probably not. Most independent sellers use a vendor like Square, Etsy, or PayPal to conduct their business. These are known as payment gateway software solutions. These platforms are already held to PCI compliance standards, which means your sales are covered when you use their platform.
The requirements that the PCI SSC set forth for vendors to follow as known as the PCI DSS. They are comprised of 12 compliance points and anyone who is looking to stay compliant with PCI standards needs to follow them.
How do you comply with PCI DSS?
Install and maintain a firewall configuration to protect cardholder data
Do not use vendor-supplied defaults for system passwords
Protect stored cardholder data
Encrypt transmission of cardholder data across open, public networks
Use and regularly update antivirus software
Develop and maintain secure systems and applications
Restrict access to cardholder data by business need-to-know
Assign a unique ID to each person with computer access
Restrict physical access to cardholder data
Track and monitor all access to network resources and cardholder data
Regularly test security systems and processes
Maintain a policy that addresses information security
It’s not enough to just say you’re following PCI compliance. Every company is required to complete an annual PCI compliance validation check. This shows that you’re following the requirements as they are written and not jeopardizing any client data.
There are several steps to completing a PCI compliance validation. Lucky for you, we’ve put together a handy checklist to make it easier.
Why could ignoring PCI compliance cost you?
A common misconception about PCI compliance is that it’s required by law. It’s not.
You might think that means that PCI compliance is optional, but that’s not the case. Because all of the major credit card companies have decided PCI compliance is required, it’s almost impossible to operate a business and ignore it.
So, what happens if you ignore PCI compliance?
The credit card companies can levy fines against your bank, which in return get passed down to the merchant
Your bank can slap additional penalties on top of any fines levied by the credit card companies
Your company may get jumped up a PCI compliance level, which would lead to stricter regulations, closer monitor, and more red tape
PCI compliance violation fines can range anywhere from $5,000 to $100,000 a month depending on the severity of the breach.
Don’t break the bank by breaking the rules
You can’t ignore PCI compliance away. Either you adhere to the requirements or continue to get slapped with hefty fines and stricter rules. Instead, find the right way to stay compliant.
Interested in staying complaint in other aspects of your business? Learn how G2 Track can help.
Lauren Pope is a Content Marketing Manager at Oracle and a former content marketer at G2. You can find her work featured on CNBC, Yahoo! Finance, the G2 Learning Hub, and other sites. In her free time, Lauren enjoys watching true crime shows and singing karaoke. (she/her/hers)