When making a purchase with a credit or debit card, either online or in person, a consumer expects that care will be taken by all parties to protect their card information. If the data is stolen it could result in fraudulent transactions and/or identity theft.
The payment card industry has a set of standards to protect customer card data, known as PCI DSS – the Payment Card Industry Data Security Standard. PCI compliance refers to meeting the technical and operational requirements for keeping the card data that cardholders provide for transactions secure. The standard is the result of collaboration between major card brands such as Visa, Mastercard and American Express, amongst others.
Aside from the customer, all parties involved in a payment card transaction need to be compliant with PCI DSS. This includes the merchant, the bank, the payment processor and the payment gateway.
Certain jurisdictions may have laws or regulations regarding data security, but by and large PCI compliance is mandated by the industry itself. Not adhering to the standards can result in fines being levied by payment card brands and may also result in the merchant or provider being prohibited from processing card transactions. Local laws may also apply to breaches of data and could have severe consequences for the non-compliant party.
When a business signs up for a merchant account, or for services rendered by a payment partner, PCI compliance will be one of the requirements for keeping the service.
There are 12 major or key requirements for PCI DSS compliance:
- Implement and maintain firewalls to protect data
- Have appropriate password protections on systems
- Protect cardholder data
- Encrypt transmitted cardholder data
- Utilize and update anti-virus software
- Update software and maintain security systems
- Restrict access to cardholder data
- Utilize unique IDs for user access to systems containing cardholder data
- Restrict physical access to data
- Create and monitor access logs
- Test security systems on a regular basis
- Have policy and process documentation that is easily understood
Beyond these basic principles there are further requirements and test procedures.
There are 4 levels (sometimes called tiers) of compliance, and the requirements for compliance differ for each level. The levels are not based on monetary value, but on the number of transactions per year.
Level 1 – Merchants that process over 6 million card transactions annually
Level 2 – Merchants that process between 1 and 6 million transactions annually
Level 3 – Merchants that process between 20,000 and 1 million transactions annually
Level 4 – Merchants that process less than 20,000 transactions annually
That means that even if you process 1 transaction a year you will be required by your service providers to be PCI compliant. Most small businesses fall into the level 4 category and will be required to complete a self-assessment questionnaire. The assessment will expose flaws in the security of the business and provide steps to correct them. There are different types of assessments for different types of payment setups, and your service provider will guide you as to which one is suitable for your business. Even if you use the services of a payment aggregator and essentially outsource all your payment processing, the aggregator will still require you to comply with certain criteria if you want to do business with them.
Large companies and organizations on higher levels may have entire departments dedicated to PCI DSS, as well as external auditors and other partners and providers.
Small businesses entering the ecommerce arena for the first time are often taken aback by this PCI DSS requirement and find it extremely daunting. After all, business owners are experts in their products and services, not in cyber security. However, once the initial panic has passed, the business will realize that much of it is relatively simple and largely common sense. It is not difficult, for example, to make sure that company computers have strong passwords. Another example is anti-virus software – there are many trustworthy brands that are simple to install and that update themselves.
There is an entire industry devoted to assisting small businesses with their PCI compliance, and quite often the service provider, such as the bank or payment processor, can include services to keep the merchant compliant. PCI compliance is also not a once-off exercise; it must be renewed each year.
Are there costs for PCI DSS? Yes, of course there are. You will be required to pay compliance fees to your providers, and there may be non-compliance fees. Software items like firewalls and anti-virus software may have subscription costs. Consultants and providers who assist with getting businesses PCI compliant charge for their services. If you are not compliant you face fines from the card brands or other providers, and your facilities may be terminated.
PCI compliance is designed to build trust in the industry. Businesses should not see it as an impossible hindrance, but rather as an opportunity to have great systems in place that benefit the customer. And businesses should be making sure that their providers are compliant as well.