The Payment Card Industry Data Security Standard (PCI DSS, or PCI for short) is a set of rules and processes that are designed to protect cardholders' sensitive data from data breaches and fraud. Basically, it tells merchants how to handle their customers' credit card information safely and securely, so it doesn't fall into the wrong hands.
The PCI DSS was first introduced in the USA in December 2004. The 5 major credit card companies that created the standard then formed the Payment Card Industry Security Standards Council (PCI SSC) as the governing body. The PCI SSC oversees the administration and further development of the PCI DSS.
The standard continues to evolve and is currently on version 4.0, released in March 2022.
The PCI DSS applies globally to all entities that process, transmit or store cardholder data, no matter the size or number of transactions.
In layman's terms, if you are an organization or company that handles credit or debit cards with the logos of at least one of the 5 member companies, the PCI DSS applies to you. Acquiring banks, online and offline merchants, and service providers all need to comply with PCI.
It isn't, however, a one-size-fits-all situation. There are 4 levels of compliance, and a company's level depends on the number of transactions it processes.
Other criteria are taken into account too, such as whether a business has experienced a data breach before and how it accepts card payments (offline only vs. through an online payment gateway).
Each card issuing company has its own table with exact criteria for each level, but in general, it looks like this:
Each level will have different requirements for PCI validation and reporting – the larger the business, the more burdensome the requirements.
The PCI DSS is a comprehensive set of guidelines that are meant to protect credit card data from being leaked or stolen from a merchant or organization. There are 12 general requirements. We'll talk about those below.
It's important to realize that keeping up with the PCI DSS is a continuous effort, not a one-time hurdle. To maintain compliance, assessments and reports are submitted annually, and system scans are performed even more often.
The specific testing and validation procedures vary from level to level.
In general, all organizations subject to PCI DSS guidelines are required to complete an annual self-assessment. This will indicate how secure their card processing and storing practices are.
The assessment form can be as short as 9 pages and relatively easy to complete, or it can be an 80-page undertaking that requires third-party assistance. The forms contain only 'yes' and 'no' questions, which may seem simple, but the technical and increasingly demanding nature of the questions can lead to uncertainty. Businesses are also required to address any 'no' answers before submitting the form, which adds another level of difficulty.
Other PCI validation requirements might include providing proof of passing an approved vulnerability scan or completing an attestation of compliance.
Even though complying with the PCI DSS can be quite a burden on a company, it is basically a list of (mandatory) best practices that aren't too far-fetched. Each of the 12 requirements is then elaborated into 3 sections: a definition, a testing process and an explanation of its purpose.
The 12 requirements of PCI are, in brief:
If a company is subject to PCI but isn't compliant or violates the terms set out in its contract, it will face consequences. These can range from penalties imposed by credit card companies to the direct consequences of a breach.
What are some of the risks of PCI non-compliance?
A company can be charged a "PCI non-compliance fee" of hundreds of thousands of USD per month depending on the size of the business. No matter how you look at it, this fee is a recurring fine. It will be charged every month until the business complies with the PCI standards.
Naturally, if you're not complying with the PCI standards, you increase your company's risk of data breach. Even though the PCI requirements don't guarantee that a business's cardholder data will remain safe from attacks, they do significantly lower the chance of a successful breach.
A forensic audit will need to be carried out, at the expense of the compromised company, to determine the cause of the data breach.
If customer credit card data does get compromised, the company will incur additional costs, such as compensating customers, liability costs or fines for each cardholder whose data has been stolen or exposed, and possibly higher rates charged by banks or credit card companies after the breach.
It is not unheard of for a lawsuit to follow a security breach, in which case the costs could multiply quickly.
Any company that loses or endangers cardholder data will suffer in its customers' eyes. The inevitable damage to a brand can make earning back customers' trust an impossible task. Many companies have gone out of business following a data breach.
Ignoring the technically more complicated requirements of the PCI DSS is an obvious example of breaking compliance. But there are instances where a violation is purely unintentional. Here are some examples:
Often, a lack of understanding of, or attention to, the PCI guidelines is all it takes for the processes to be implemented incorrectly, or in some cases not at all.
Making sure a company's personnel is properly trained on PCI DSS is an important part of the process as well.
No. The governing and administering entity for the PCI DSS is the PCI SSC. Requirements of the PCI DSS are enforced based on contracts between a business and its bank and credit card company.
Some states in the USA have incorporated the PCI DSS into their state laws, mostly in the sense that companies that are PCI DSS compliant are shielded from liabilities in the case of a data breach.
In Europe, the PCI DSS is a widely used standard that has been promoted more and more in recent years. Just like in the US, PCI compliance is not mandated by law.