PCI Compliance 101
by Mashum Mollah Ecommerce 25 July 2019
In a world rife with data breaches, there is no telling how much harm one could do to your business. From reputational damage to the rising cost of surviving a breach, the repercussions are severe enough that your company should be motivated to uphold high security standards. Sony’s data breach back in 2011 is one of the most iconic disasters of the decade because it exposed the personal data of around 77 million people (including credit card data).
For businesses that want to avoid such disasters, remaining compliant with standards such as the PCI DSS is a necessity. Such standards ensure that you have the baseline security controls in place to prevent a data breach. If PCI compliance is a grey area for your business, you are in the right place. Maintaining compliance starts with identifying the areas you need to concentrate on.
Here is all you need to know about PCI compliance:
What Being PCI Compliant Means and Why It Matters:
Being PCI compliant means that your business has followed the guidelines outlined in the PCI DSS (Payment Card Industry Data Security Standard). These are a set of security guidelines formulated by the major credit card brands to protect the interests of all stakeholders against the threat of data breaches. If your business accepts, processes, stores, or transmits credit card data, then you should follow the PCI compliance checklist.
This includes service providers, online merchants, retail stores, and their vendors. Compliance with the standard reduces the chances that your business will fall victim to a credit-card-related data breach. In turn, this protects your business’s reputation while safeguarding the privacy of your customers. Lastly, it helps you attract security-conscious investors and clients.
Your Compliance Will Depend On Your Level:
PCI DSS contains 12 objectives and 281 requirements that businesses need to meet. The standard divides companies into four levels, which dictate the compliance process for each business. The levels are classified according to the number of credit card transactions that a business handles annually. To be fully compliant, you need to meet the criteria of your level to the letter.
The Requirements for Each Compliance Level:
Level 1:
This level has the most stringent compliance standards. It applies to businesses that process over 6 million credit card transactions annually or that have experienced a cyber-attack which ended in the compromise of their payment data. If you belong to this group, you must undergo a Report on Compliance (ROC), performed annually by a Qualified Security Assessor (QSA). Next, you will need to work with an Approved Scanning Vendor (ASV) to scan your network.
The expense of hiring the QSA and ASV comes out of your business’s own pocket. Lastly, you should complete the PCI DSS Self-Assessment Questionnaire before submitting it to your merchant acquirer annually. The questionnaire consists of a number of yes-or-no questions on whether you have met the different compliance requirements. If you answer any question with a no, you must state what you intend to do to remediate it and the date by which you will do so.
Level 2:
You belong to this level if your business handles between 1 million and 6 million credit card transactions each year. For these merchants, it is a necessity to have an ASV conduct a network scan annually. You are also required to complete the PCI DSS Self-Assessment Questionnaire. Once you are done, you should present the evidence of both, alongside an annual attestation of compliance, to your merchant acquirer.
Level 3:
You belong to this level if your business handles between 20,000 and 1 million transactions each year. You need to receive a network scan from an ASV, complete the Self-Assessment Questionnaire, and present an annual attestation of compliance. You should then submit the evidence of all three to your merchant acquirer.
Level 4:
You belong to this level if your business handles fewer than 20,000 transactions annually. Your requirements are similar to those of companies in level 3: present an attestation of compliance, complete the Self-Assessment Questionnaire, and receive a network scan from an ASV. As long as you can show proof of all three to your merchant acquirer, you have achieved compliance.
The Cost of Non-Compliance:
PCI compliance is usually a requirement in the contract you sign with your merchant acquirer, or in the contract that the acquirer signs with the credit card brand. Non-compliance often leads to fines from the credit card brands. A credit card brand can penalize a non-compliant merchant acquirer between $5,000 and $100,000 per month, for each month that it remains non-compliant.
If your business is the cause of the non-compliance, the acquirer will pass that cost on to you. Aside from these hefty fines, you also risk credit card fraud and data breaches bringing down your business. These will reduce your sales, damage customer loyalty, and increase your legal expenses. Even worse, your cost of compliance will rise in the aftermath of a successful breach, especially if you previously belonged to level 2, 3, or 4, since a breach that compromises payment data moves you into level 1.
A successful data breach can devastate your business to its core. While PCI compliance might seem expensive in some cases, the risk it helps you mitigate is costlier. Work on maintaining compliance to fortify your business against the consequences of non-compliance.