What Is PCI Compliance?
Payment Card Industry Data Security Standard (PCI DSS) compliance regulates any business that collects cardholder data, with the aim of securing financial and personal data. The overall objective of PCI compliance is to spread sound data security practices and to mitigate the risk of credit and debit card data loss.
When you bank, shop or supply your payment information for a service, you are handing an organization sensitive cardholder information. The organizations that collect, process or transmit that data are required to protect it through an adequate security framework and comprehensive policies.
Visa, Mastercard, American Express, Discover and JCB joined forces in 2004 to form the Payment Card Industry Security Standards Council (PCI SSC), and PCI DSS was the result. PCI DSS version 3.1 is the current standard in circulation; it was updated in April 2015.
Why is PCI Compliance Important?
Without the regulation of PCI, the sensitive PII and PIFI (personally identifiable financial information) supplied by consumers would be exposed, unprotected and vulnerable to theft. The consequences hurt consumers (identity theft or loss of funds), damage a company's brand and turnover, and leave the company in a state of data breach.
The vast majority of breaches result in the misuse of PII and/or PIFI. Think of the Equifax breach, which exposed both types of data and affected over 146 million individuals, or the recent PDQ data breach, which directly exposed credit card information. Needless to say, a compliance regulation dedicated to securing cardholder data is significant.
Who Does PCI Compliance Apply To?
This global data security standard is not a federal law, so a violation will not place an individual in trouble with the law. Rather, the individual can be subject to fines and/or stripped of the ability to process payment cards in their business. PCI DSS applies to:
- Any business that accepts credit or debit cards as payment (regardless of how the payment is processed)
- Any service provider that stores payment card data (third parties included)
- Any service provider that processes or transmits card data on behalf of any business
Even business sectors you might not expect to be liable may be responsible under PCI DSS. For example, a dentist's office that collects, maintains and/or transmits credit or debit card information to take payment for services is liable under PCI DSS, as is any insurance company or service provider (even software) used in the billing process.
The concept here is that any organization that collects cardholder data is susceptible to being targeted by a hacker; any business of any size in any sector carries that risk.
What PCI Compliance Level Is My Business?
PCI compliance is categorized into four levels based on the number of transactions an organization processes per year. The greater the number of transactions, the stricter the set of cardholder data security requirements.
Level 1: Over 6 million Visa/Mastercard transactions processed per year. A physical on-site review by an internal auditor is required every year, as well as a network scan by an approved scanning vendor (ASV).
Level 2: 1 to 6 million Visa/Mastercard transactions processed per year. A PCI DSS Self-Assessment Questionnaire must be completed yearly, along with quarterly network scans conducted by an ASV.
Level 3: 20,000 to 1 million Visa/Mastercard transactions processed per year. A PCI DSS Self-Assessment Questionnaire must be completed yearly, along with quarterly network scans conducted by an ASV.
Level 4: Fewer than 20,000 Visa/Mastercard transactions processed per year, and all other companies that process up to 1 million Visa transactions per year. A PCI DSS Self-Assessment Questionnaire must be completed yearly, along with quarterly network scans conducted by an ASV.
These levels are key to understanding what cardholder security duties apply to your organization.
Let’s explore the policies and actions necessary to become and remain compliant next.
6 Steps to Maintaining PCI Compliance
PCI has outlined a set of goals and requirements that organizations can adopt to comply with the standard:
PCI Data Security Standard for Merchants & Processors
- Build and maintain a secure network
  - Install and maintain a firewall configured to protect cardholder data
  - Change vendor-supplied defaults for system passwords and other security parameters
- Protect cardholder data
  - Protect stored cardholder data
  - Encrypt transmission of cardholder data across open, public networks
- Maintain a vulnerability management program
  - Use and regularly update anti-virus software
  - Develop and maintain secure systems and applications
- Enforce strong access controls
  - Restrict access to cardholder data on a business need-to-know basis
  - Assign a unique ID to each person with computer access
  - Restrict physical access to cardholder data
- Monitor and test networks regularly
  - Track and monitor all access to network resources and cardholder data
  - Regularly test security systems and processes
- Maintain an information security policy
  - Maintain a policy that addresses information security
Now that you know the steps to comply with PCI, let's take a look at the penalties a violation may incur.
What Are The Penalties For Violating PCI Standards?
The penalties for failing to comply with PCI regulations take into account how long a business was in a state of noncompliance when determining the severity of fines. The time/cost schedule and the forensic investigation of the violation determine the range of financial penalties the acquiring bank can assign to the organization. These costs vary from $5,000 to $500,000.
It is important to remember that a company can have cardholder data stolen, abused and leaked at any time while maintaining full PCI compliance. If a business is found to have been fully compliant when cardholder data was breached, it may be subject to the following consequences per PCI Breach Consequences:
- $50 to $90 fine per cardholder data record compromised
- Suspension of credit card acceptance by a merchant’s credit card account provider
- Possible civil litigation from breached customers
Other damaging effects from a data breach such as brand damage and loss of customer base are expected as well.
We hope that this PCI guide is a useful tool for your organization on its journey to achieving and maintaining PCI compliance. Optimize your company's cardholder data security strategy to satisfy the goals and requirements needed to protect consumers, avoid an audit and stay in compliance.