What you need to know about PCI compliance
What is PCI Compliance?
PCI compliance refers to the Payment Card Industry Data Security Standard (PCI DSS) that ensures that businesses are able to safely and securely accept, store, process, and transmit credit card information throughout the course of completing a customer transaction. These regulations were created by Visa, MasterCard, Discover Financial Services, JCB International and American Express in 2004 in an effort to reduce the likelihood of data theft and fraud.
Do I need to be PCI compliant?
If your business processes credit card payments, regardless of your size, you need to prove that you are PCI compliant. These standards apply to card readers, point-of-sale systems, store networks, wireless access routers, card data storage and transmission, card data stored on paper records, online payment applications, and online shopping carts.
Risks of Not Being PCI Compliant
Being PCI compliant is not a law, however, if your business does not comply with these standards, it could result in data breaches and the subsequent consequences:
- Damage to reputation, subsequent loss of customers
- Lost sales
- Losses due to fraud
- Increased compliance costs
- Legal costs, settlements, judgements
- Fine and penalties
- Expense of issuing new cards, forensic audits, investigations
- Inability to accept card payments
- Lost jobs
- Going out of business
Key Points to Know About PCI Compliance
- Data may be stolen from several places throughout a transaction:
- Card readers
- Payment system databases
- Paper files and written notes
- Cameras recording the entry of data
- Your business’ network
- There are four levels of requirements for compliance, depending on the number of transactions your company processes each year, your history of data breaches or attacks, and your status according to a card association. It is important to know which level your company falls into:
- Level 1businesses process over 6 million card transactions each year across all regions and through all channels (card present, card not present, eCommerce). These businesses must do the following to remain compliant:
- Run quarterly network scans by an Approved Scanning Vendor (ASV)
- Create an annual Report on Compliance (ROC) through a Qualified Security Assessor (QSA)
- Submit an Attestation of Compliance Form
- Level 2businesses process 1 to 6 million card transactions each year through all channels and must do the following to remain compliant:
- Fill out an annual Self-Assessment Questionnaire (SAQ) and obtain evidence of passing
- Run quarterly network scans by an ASV
- Complete an Attestation of Compliance Form
- Submit SAQ, ASV and Attestation of Compliance form to your acquirer
- Level 3businesses process 20,000 to 1 million card transactions each year exclusively through eCommerce processing methods and must do the following to remain compliant:
- Fill out an annual SAQ and obtain evidence of passing
- Run quarterly network scans by an ASV
- Complete an Attestation of Compliance Form
- Submit SAQ, ASV and Attestation of Compliance form to your acquirer
- Level 4 businesses process up to 1 million card transactions each year through all channels, with no more than 20,000 of those transactions completed via eCommerce; or is a business that completes less than 20,000 card transactions exclusively via eCommerce. These businesses must do the following to remain compliant:
- Fill out an annual SAQ and obtain evidence of passing
- Run quarterly network scans by an ASV
- Complete an Attestation of Compliance Form
- Submit SAQ, ASV and Attestation of Compliance form to your acquirer
- Level 1businesses process over 6 million card transactions each year across all regions and through all channels (card present, card not present, eCommerce). These businesses must do the following to remain compliant:
- The cost to become PCI compliant and to maintain that compliance ranges from several hundred to several thousand dollars annually, depending on the size of your company.
- Level 1:$50,000+ per year
- Level 2:$10,000+ per year
- Level 3:$1,200+ per year
- Level 4:$720+ per year
How to Become PCI Compliant
The following are the PCI Data Security Standards to protect the safety of data:
- Install and maintain a firewall configuration.
- Use unique system passwords, not vendor-supplied defaults.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across public networks.
- Use and regularly update anti-virus software.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data on a need-to-know basis.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to cardholder data and network resources.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security.