What is PCI? Understanding the Importance of PCI Compliance


PCI DSS stands for the Payment Card Industry Data Security Standard. If your company processes, stores, or transmits credit card information, PCI DSS compliance is critical for you.

The PCI DSS ensures that cardholder information is used, stored, and transmitted safely. Following the rules is an industry best practice, and it proves to your customers that your company is trustworthy.

But if you’re not PCI compliant, you could also face steep fines that could cripple your business.

What is PCI compliance? 

The PCI compliance process starts with the guidelines: you must know what your company is expected to do, and you must build your processes accordingly. Then documentation begins: you must prove that you're doing all you can to keep cardholder data secure.

PCI compliance begins with the PCI itself: the Payment Card Industry Council, founded in 2006 by representatives from:

  • American Express
  • Discover
  • JCB International
  • MasterCard
  • Visa

Each company shares council responsibilities equally, and they all require PCI DSS compliance from their business partners.

The PCI created the Data Security Standard (DSS), along with supporting materials such as:

  • Specification frameworks
  • Toolkits
  • Measurement guides
  • Supporting materials

Any company that accepts, stores, or transmits cardholder data must be PCI DSS compliant. Even very small companies, and those that work with third-party payment processors, must be compliant. 

If you're not compliant, you could face a fine of up to $500,000 per security breach incident. Additionally, you must notify every person who might have been exposed in an attack, and those notifications can be costly.

Consumers may also sue you independently, and you could face government fines as well.

Are you PCI compliant?

Don't make assumptions about the safety of cardholder data you collect. Learn more about what the guidelines say and walk through your processes to ensure compliance.

The PCI DSS starts with six goals. Each company should:

  1. Build and maintain a secure network.
  2. Protect cardholder data.
  3. Maintain a vulnerability management program.
  4. Implement strong access control measures.
  5. Regularly monitor and test networks.
  6. Maintain an information security policy.

How can you meet these goals? PCI DSS requirements lay out the steps.

  1. Start with firewalls. Install and maintain a firewall, and configure it as tightly as you can to keep intruders out.
  2. Strengthen passwords. Don't use the default passwords that come with your devices, and look for ways to ensure you're following password best practices.
  3. Protect data in storage. If you store cardholder data, ensure that it is surrounded by security controls.
  4. Protect data in transit. If you move cardholder data across networks, ensure that it's encrypted.
  5. Stop attacks. Install anti-virus programs, and keep them updated.
  6. Tighten. Build secure systems and keep them secure over time.
  7. Restrict electronic access. Don't allow everyone to touch cardholder data. Ensure that only those who need to know about it can see it.
  8. Track. Give each person with access to your company computers a unique ID.
  9. Restrict physical access. Don't allow everyone to touch hard copies of cardholder data.
  10. Test. Set up a regular testing schedule and follow it.
  11. Codify. Create a document that spells out your security policy for employees and contractors.

PCI compliance levels explained 

Every company that collects cardholder data, no matter how small, is required to achieve PCI DSS compliance. But larger companies must take more steps to prove that they know and understand the rules.

Consider Visa. This company, the largest major payment network worldwide, defines four compliance levels.

Those four levels are:

  • Level 1. If you process more than 6 million Visa transactions annually, you're in this group.
  • Level 2. If you process 1 to 6 million Visa transactions annually, you're in this group.
  • Level 3. If you process 20,000 to 1 million Visa transactions annually, you're in this group.
  • Level 4. If you process fewer than 20,000 Visa e-commerce transactions annually and up to 1 million Visa transactions, you're in this group.

The rules don't change from group to group, but the risks you face with larger transaction volumes do. As a result, Visa requires more documentation from larger companies to prove compliance.

If you’re a small, Level 4 company, you may only need to complete a questionnaire. But if yo