What Is PCI Compliance?
In 2006, American Express, Visa, Mastercard, Discover, and JCB joined forces to establish the Payment Card Industry Security Standards Council (PCI SSC). Each of these card networks already had separate security protocols in place, but they all realized that:
- Creating a more uniform set of guidelines was necessary to keep consumers, businesses, and banks safe from fraud and abuse.
- Many of the older security standards initially designed for brick-and-mortar retailers were ill-equipped for the online world.
The card networks introduced newer PCI Data Security Standards (DSS) for the entire industry. As a card-accepting merchant, you are expected to “comply” with these guidelines. In the sections below, you’ll learn that the guidelines are regularly updated to keep up with new and evolving types of fraud.
In this article, we’ll address the following:
- Why is PCI compliance important?
- Is PCI compliance mandatory?
- Who is subject to PCI DSS?
- What are the levels of PCI compliance?
- How do companies become PCI compliant?
- What is the latest version of PCI DSS?
Why Is PCI Compliance Important?
Credit and debit cards only work if all stakeholders have confidence in the integrity of these payment options.
This trust is obviously important for the consumers who use plastic to shop. It’s also important for businesses that wish to attract card-carrying customers to their stores. In addition, merchants and banks risk losing money if their customers are frequently victims of credit card fraud. This is why PCI compliance is so important.
Requiring that all stakeholders adhere to the same data security guidelines enables customers, retailers, and banks to conduct business with confidence. This peace of mind is particularly important given that tech-savvy criminals can steal electronic payment data faster and easier than ever before.
Is PCI Compliance Mandatory?
Technically speaking, PCI compliance isn’t a legal requirement, so you won’t receive a nasty letter from the Federal Trade Commission. However, it is required to remain in good standing with the card networks and banks. Failure to adhere to the security guidelines may result in:
- Penalties ranging from $5,000 to $100,000 per month
- Lawsuits, legal fees, and punitive damages in the event of a breach
- Out-of-pocket expenses to cover fraudulent losses
All of this is on top of the increased risk of fraud your business will almost certainly face in the absence of PCI compliance. Not only will you have to cover monetary damages directly, but increased fraud will erode consumer confidence in your business.
So yes — PCI compliance requirements are mandatory.
Who Is Subject to PCI DSS?
Any organization that captures, processes, stores, or transmits credit or debit card data of any kind is subject to PCI DSS. This, of course, applies to brick-and-mortar retailers and e-commerce merchants, but it also includes:
If credit card data ever enters your organization, you have a responsibility to safeguard that data from fraud and abuse. This is true even if you only “store” payment information to manage a loyalty program.
What Are the Levels of PCI Compliance?
PCI compliance is not a one-size-fits-all solution that applies to all organizations. Your business falls into one of four levels — depending on variables such as transactional volume and how you interface with customers:
- Level 4 is for merchants that either process up to 1 million offline sales or fewer than 20,000 e-commerce transactions annually.
- Level 3 is for e-commerce merchants that process between 20,000 and 1 million credit and debit card transactions annually.
- Level 2 is for merchants that process between 1 million and 6 million card-based transactions a year. The channel used to capture payment data is irrelevant.
- Level 1 is for merchants that process more than 6 million card transactions a year — regardless of whether they capture payment information online, over the phone, or in-person (at a checkout counter).
How Do Companies Become PCI Compliant?
Because there are four PCI compliance levels, the exact guidelines vary. To become compliant, each business must complete a Self-Assessment Questionnaire (SAQ) every year.
However, there are eight versions of the mandatory SAQ — each with different questions and PCI compliance requirements. You must know your level before choosing the appropriate Self-Assessment Questionnaire for your business. This is based on the type of organization you run, along with how you and your payment provider handle credit card data.
Once you’ve taken the SAQ, you’ll have a clearer understanding of potential vulnerabilities within your payment environment. You can take the requisite steps to plug those security holes.
However, your PCI compliance checklist isn’t done quite yet.
You also need to have your payment environment verified by an Approved Scanning Vendor (ASV). At BluePay, we’ve partnered with Trustwave to make this validation process as seamless as possible.
PCI DSS compliance isn’t a one-time thing. Because criminal attacks continue to evolve, so too must the tools used to prevent them. This explains why the data security guidelines aren’t set in stone.
In 2014, PCI 3.0 replaced version 2.0. The full list of changes is long (at 70 pages). Most of the focus in PCI 3.0 is on keeping pace with the rapidly changing payments landscape as we become more digitally connected.
There continue to be more modifications every few months as the Payment Card Industry updates its security standards. The current version of PCI DSS is 3.2.1.
It’s easy to feel overwhelmed by all the data security requirements attached to PCI compliance. With a business to run, you barely have time to worry about networks, firewalls, and access rights.
However, PCI compliance is non-negotiable — especially in the digital age.
Fortunately, it’s possible to reduce some of the pain and hassle of becoming compliant. For example, choosing a PCI-compliant payment processor that specializes in data security can help:
- Reduce PCI scope by helping you determine the proper payment acceptance setup for your business
- Remove sensitive payment information from your systems and servers (storing payment data is highly discouraged, as it brings your environment into scope)
- Decrease the frequency and severity of fraud within your organization
- Make it easier to satisfy the data security requirements for PCI compliance
To learn how BluePay can help you become PCI compliant and shield you from credit card fraud, schedule a free consultation with our merchant services team today.