What is PCI DSS?
If you process payments in any capacity in your business, you've likely heard of PCI DSS. PCI DSS stands for Payment Card Industry Data Security Standard, and it is a critical component of the security program of any organization operating in the payment sector.
If you store, process, or transmit credit card information, PCI compliance is required and can provide greater assurance to your customers and partners that you run a robust security program. Violation of PCI requirements can lead to many negative consequences, including fines, damage to brand reputation, and greater exposure to data breaches.
Here’s what you need to know about PCI and PCI compliance, and why each is so critical in modern payment processing.
PCI DSS Defined
Who Does PCI DSS Apply to?
How Does PCI DSS Define “Merchant”?
According to PCI SSC:
For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing but also is a service provider if it hosts merchants as customers.
PCI DSS Compliance Levels
Every merchant affected by PCI DSS will fall into one of the four merchant levels based on their Visa transaction volume over one year. According to PCIComplianceGuide.org:
Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit, and prepaid) from a merchant Doing Business As (‘DBA’). In cases where a merchant corporation has more than one DBA, Visa acquirers must consider the aggregate volume of transactions stored, processed, or transmitted by the corporate entity to determine the validation level. If data is not aggregated, such that the corporate body does not store, process, or transmit cardholder data on behalf of multiple DBAs, acquirers will continue to consider the DBA’s transaction volume to determine the validation level.
Here’s how Visa defines various merchant levels:
- Level 1: Any merchant — regardless of acceptance channel — processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
- Level 2: Any merchant — regardless of acceptance channel — processing 1M to 6M Visa transactions per year.
- Level 3: Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.
- Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.
(If a merchant has suffered a breach that results in account data being compromised, they may be moved to a higher validation level.)
PCI Compliance Requirements
- Create and maintain a firewall configuration for the purpose of protecting cardholder data
- Avoid using vendor-supplied defaults for passwords and security parameters throughout your system
- Take steps to protect all stored cardholder data
- Encrypt transmission of cardholder data across both open and public networks
- Use antivirus software and update it regularly
- Develop secure systems and applications and maintain them accordingly
- Restrict all access to cardholder data to only key roles within your business
- Assign a unique ID to each person using a computer within your system
- Restrict all physical access to cardholder data
- Track and monitor any and all access to network resources and cardholder data
- Test security systems and processes regularly
- Maintain a comprehensive security policy and ensure that all personnel are on board
Can You Still Accept Credit Cards Over the Phone Under PCI?
Businesses that accept credit cards over the phone often ask how they can continue to do so in a PCI-compliant manner. There’s good news and bad news on this topic. The good news is that it’s still possible to take credit cards over the phone or hand-key a customer’s card information. The bad news is that some of what you do may have to change.
According to the PCI Security Standards Council, companies can remain compliant by following these requirements:
- Ensuring that payment card data is stored only when necessary and that a disposal procedure is in place.
- Limiting the amount of time that card information is kept on the quality assurance (QA)/recording server and customer relationship management (CRM) solution databases (both voice and screen recordings); it may be necessary for corporate governance, legal and QA departments to work out a compromise between what is needed to adhere to the PCI DSS and regulatory compliance requirements. However, note that PCI DSS does not supersede local or regional laws, government regulations, or other legislative requirements.
- Never allowing for the card validation code (referred to as CAV2, CVC2, CVV2, or CID) to be stored in digital audio or video format (e.g., WAV, MP3, MPG, etc.). If the QA/recording solution cannot block the audio or video from being stored, the code must be deleted from the recording after it is stored. If a call-center manager feels that there may be difficulties with achieving this, they must discuss this with their acquiring bank.
The purpose of PCI DSS has been to mitigate the risk associated with shared customer cardholder information and reduce fraud rates. While there is some concern that organizations that take customer payment card details over the phone may be recording full cardholder details to comply with the requirements put forth by other regulatory bodies, there are ways to avoid exposing cardholder data to unnecessary risk.
Namely, follow the tips above, and be sure that you're complying with the stipulation that three- and four-digit card verification codes cannot be retained after you authorize the card. Additionally, remember that full primary account numbers also cannot be kept without additional protection. You can check out our PCI DSS Compliance Guide to read more about what you can do to comply with this stipulation.
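One way to apply the storage rules above to free-text CRM notes or call transcripts, shown as an added example that is not part of the original article: it masks Luhn-valid card numbers and removes labelled validation codes before the text is saved. The function names, the constructed sample note, and the choice to keep only the last four digits of the card number are assumptions.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Validation code written next to one of the labels named above.
CODE_RE = re.compile(r"\b(CVV2?|CVC2?|CAV2|CID)(\W{0,3})(\d{3,4})\b", re.I)

# Constructed sample: a test card number, a code, and an unrelated order number.
SAMPLE_NOTE = ("Customer read card 4111 1111 1111 1111, CVV2: 123, exp 12/27. "
               "Order ref 1234567890123456.")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrub(text: str):
    """Mask card numbers and strip validation codes; return (text, findings)."""
    findings = []

    def mask_pan(match):
        digits = re.sub(r"\D", "", match.group())
        if not luhn_ok(digits):
            return match.group()          # long number, but not a card number
        findings.append("PAN")
        # Assumption: only the last four digits are kept for reference.
        return "*" * (len(digits) - 4) + digits[-4:]

    def drop_code(match):
        findings.append("validation code")
        return match.group(1) + match.group(2) + "[REMOVED]"

    text = PAN_RE.sub(mask_pan, text)
    text = CODE_RE.sub(drop_code, text)
    return text, findings


if __name__ == "__main__":
    cleaned, found = scrub(SAMPLE_NOTE)
    print(cleaned)
    print(found)
```

The Luhn check keeps order numbers and other long digit strings from being masked by mistake; a non-empty findings list is also a signal that card data is reaching a system where it should not be entered.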
What Happens in Cases of Non-Compliance?
1. Fines and Fees
When you fail to comply with PCI guidelines, you risk penalties ranging from $5,000 to $10,000 per month, depending on both the severity and length of your non-compliance. According to PCI Compliance Guide:
The banks will most likely pass this fine along until it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business. It is essential to be familiar with your merchant account agreement, which should outline your exposure.
You may also incur additional costs, like client compensation, forensic investigation, and remediation fees, or increased bank rates.
During non-compliance, payment brands may place restrictions on your organization’s ability to process card transactions. In some severe cases, your servicer may terminate your transaction services completely, until you reinstate compliance.
3. Data Breaches
Finally, falling out of compliance with PCI creates a risk of data breaches, which can have a pronounced negative impact on your brand reputation and security. Data breaches often lead to public backlash and lost customers, as well as ongoing reputation issues. Here’s what the PCI Security Standards Council has to say about the impact of data breaches:
“The breach or theft of cardholder data affects the entire payment card ecosystem. Customers suddenly lose trust in merchants or financial institutions, their credit can be negatively affected -- there is enormous personal fallout. Merchants and financial institutions lose credibility (and in turn, business), they are also subject to numerous financial liabilities.”
In addition to the issues listed above, companies that fall out of PCI compliance may also face the following:
- A decrease in consumer confidence, which pushes customers to other companies
- Declining sales
- Cost of reissuing new payment cards
- Fraud losses
- Higher costs of compliance in the future
- Mounting legal fees, settlements, and judgments
- Fines and penalties
- Termination of the ability to accept payment cards
- Lost jobs (CISO, CIO, CEO, and dependent professional positions)
- Going out of business
As you can see, the cost of non-compliance is high, and it’s not worth it for most brands.
Quick Tips for PCI Compliance
- Buy and use only approved PIN entry devices at your point-of-sale
- Buy and use only validated payment software at your POS or website shopping cart
- Do not store any sensitive cardholder data in computers or on paper
- Use a firewall on your network and PCs
- Make sure your wireless router is password-protected and uses encryption
- Use strong passwords. Be sure to change default passwords on hardware and software – most are unsafe
- Regularly check PIN entry devices and PCs to make sure no one has installed rogue software or “skimming” devices
- Teach your employees about security and protecting cardholder data
- Follow the PCI Data Security Standard
While remaining PCI compliant is essential, it’s also achievable. By following the quick tips laid out above, you can keep your company in good standing with PCI DSS, and ensure that your systems are secure and trustworthy. By becoming and staying compliant, you position yourself as part of the solution, joining the global fight against credit card data compromise and fraud.
Additionally, maintaining PCI security compliance is just smart business. Not only do such standards help brand you as a trustworthy and reliable payment card processor, but you also stand out as one of the growing number of companies concerned about the security of their customers' most sensitive payment information, which draws more clients to your brand and helps keep them there for the long term.
Ensuring PCI Compliance at All Business Phases
Maintaining PCI compliance is one of the best ways to protect your customers and clients and to prevent unneeded fees and fines. Despite the importance of PCI compliance, though, it can be difficult to ensure. Fortunately, you can download our PCI DSS Compliance Guide for a deep dive into the world of PCI compliance, including the following topics:
- PCI DSS Overview and History
- Risks of Non-Compliance
- Understanding Merchant Levels
- Stakeholder Roles and Responsibilities
- PCI DSS Requirements
- Scoping and Descoping Methods
- PCI Audit Process
- Milestones for Prioritizing PCI Compliance Efforts
If you're looking for a way to easily build, manage and report your cybersecurity program based on PCI DSS or 12+ other standards, Apptega can help. Our solution helps you simplify the complexity of PCI DSS, eliminating spreadsheets so you can easily document and report on your organization’s change and configuration management as part of its overall plan. Plus, with Apptega's Harmony solution, you can see how your PCI controls overlap other frameworks you are required to follow like ISO 27001, SOC 2, NIST, HIPAA, GDPR, CCPA and more.