Editor’s Note: This blog entry was originally published on July 18, 2018, and was updated on April 28, 2020.
We get a number of questions from our clients about PCI compliance - that's expected. Unexpectedly, we also receive questions from our clients wondering if PCI compliance is "real" or only something for which to charge them extra. Questions like that represent a significant misunderstanding about PCI compliance.
In this guide, we cover what you need to know about PCI compliance, including:
- The Basics of PCI Compliance: Definitions
- PCI Compliance Levels
- Who Needs to Be PCI Compliant?
- How to Become PCI Compliant
- The Cost of Noncompliance
- How Should Developers Assure PCI Compliance?
The Basics of PCI Compliance
What Does PCI Stand For? PCI DSS?
"PCI" stands for "Payment Card Industry" while "PCI DSS" stands for "Payment Card Industry Data Security Standards."
What is PCI Compliance?
PCI compliance refers to the operational and technical standards that all businesses who process, store, or transmit credit card data must follow. These standards help to ensure that cardholders' credit card data is protected once it is given.
What is PCI DSS?
PCI DSS is the data security standard for the payment card industry and is maintained by the PCI Security Standards Council (PCI SSC). This standard is presented as the minimum criteria merchants should strive for in order to avoid data breaches.
PCI Compliance Levels
There are four levels of PCI compliance, based on the number of credit card transactions a merchant processes in a year. Each level requires merchants to take different steps to achieve compliance.
The four PCI compliance levels are:
- Level 1: Merchants who process over 6 million card transactions per year
- Level 2: Merchants who process between 1 million and 6 million transactions per year
- Level 3: Merchants who process between 20,000 and 1 million transactions per year
- Level 4: Merchants who process less than 20,000 transactions per year
Who Needs to Be PCI Compliant?
In short, all of your customers processing transactions must be PCI compliant.
It's important for customers to know their information is safe when they use their debit or credit cards to purchase products or services. The number of payment security events in recent years has grown, resulting in the absolute necessity that sensitive data is protected.
Doing business should be based on trust (between businesses and their customers) and PCI compliance helps improve the level of security at the business level while protecting and enhancing the trust you build with your customers. Technology is developing so fast that there are a growing number of fraudulent activities and few businesses are immune regardless of their size. That's why every merchant processing transactions must be PCI compliant.
How to Become PCI Compliant
Becoming PCI compliant involves undergoing a PCI auditing procedure to meet the requirements of the mandatory PCI Data Security Standard. PCI compliance requirements apply to both the administrative and technological side of running a business and they are updated regularly. PCI compliance is an ongoing process and responsibility, so a security strategy needs to be part of your business.
Requirements dictate regular analysis of your processes and technology and routine updates to ensure that all vulnerabilities that could expose cardholder data are discovered and addressed. The process to become PCI compliant, and then to maintain compliance, can be somewhat daunting, without assistance. But the consequences of noncompliance are worse.
An important step to ensuring PCI compliance is to know and understand the six principles and 12 requirements of PCI DSS:
The 6 Principles of PCI DSS
The principles of PCI DSS are broken down into six goals which are expanded to cover the 12 requirements of the PCI-DSS.
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
The 12 Requirements of PCI DSS
The requirements of PCI DSS are both operational and technical, and the core focus of these rules is always to protect cardholder data.
These standards apply to merchants and ISVs as well as anyone that stores, processes, transmits, or otherwise manipulates cardholder data.
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
The Cost of Noncompliance
Can businesses get hit with PCI noncompliance fees? While PCI noncompliance is not illegal, there are financial consequences.
The initial financial consequence of not being PCI-compliant can range from $5,000 to $500,000, in the form of a fine which is levied by banks and credit card institutions.
Banks may levy this fine based on forensic research they must perform to remediate noncompliance. Credit card institutions may levy fines as a punishment for noncompliance and propose a timeline of increasing fines. The following table is an example of a time-cost schedule which Visa uses.
|Month||Level 1||Level 2|
|1 to 3||4 to 6||7 and on|
|$10,000 monthly||$50,000 monthly||$100,000 monthly|
|$5,000 monthly||$25,000 monthly||$50,000 monthly|
How Should Developers Assure PCI Compliance?
Developers should make sure their payment processor offers a PCI compliance assistance program for their merchants, such as EdgeShield and PCI ASSURE from Global Payments Integrated.
EdgeShield is the Global Payments Integrated answer for our clients - an advanced security services bundle intended specifically to protect credit card data, prevent counterfeit fraud, and enhance payment security. Through a unique collection of complementary security solutions, EdgeShield delivers one of the industry’s most secure payments platforms. When integrated into systems that accept payments, the bundle protects credit card data while at rest and in transit. EdgeShield is built into the Global Payments Integrated processing platform.
The EdgeShield security bundle also provides a solution to help our clients become PCI compliant and maintain their compliance. Global Payments Integrated’s PCI ASSURE program is available to help clients simplify PCI compliance with online access to self-assessment questionnaires, network scans, a breach reimbursement program, and custom security profiles generated from the specific business’ individual processing activity.
Don’t Ignore PCI Compliance
If your processing system is not PCI-compliant, you’re paying monthly noncompliance fees as a result. Even though PCI compliance can seem complicated, the consequences of noncompliance are often much worse. PCI compliance is just sound business if you process payments.
Contact Global Payments Integrated today to learn more about how we can help with PCI compliance.