PCI DSS stands for the Payment Card Industry Data Security Standard. If your company processes, stores, or transmits credit card information, PCI DSS compliance is critical for you.
The PCI DSS ensures that cardholder information is used, stored, and transmitted safely. Following the rules is an industry best practice. You prove to your customers that your company is trustworthy.
But if you’re not PCI compliant, you could also face steep fines that could cripple your business.
What is PCI compliance?
The PCI compliance process starts with the guidelines. You must know what your company is expected to do, and you must build your processes accordingly. Then documentation begins: you must prove that you're doing all you can to keep cardholder data secure.
PCI compliance begins with the PCI itself. The Payment Card Industry Council was founded in 2006 by representatives from:
- American Express
- JCB International
Each company shares council responsibilities equally, and they all require PCI DSS compliance from their business partners.
PCI created the Data Security Standard (DSS), along with supporting resources, such as:
- Specification frameworks
- Measurement guides
- Supporting materials
Any company that accepts, stores, or transmits cardholder data must be PCI DSS compliant. Even very small companies, and those that work with third-party payment processors, must be compliant.
If you're not compliant, you could face a fine of up to $500,000 per security breach incident. Additionally, you must notify every person who might have been exposed in an attack, and those notifications can be costly.
Consumers may also choose to sue you independently. And you could face government fines too.
Are you PCI compliant?
Don't make assumptions about the safety of cardholder data you collect. Learn more about what the guidelines say and walk through your processes to ensure compliance.
PCI DSS standards start with six goals. Each company should:
- Build and maintain a secure network.
- Protect cardholder data.
- Maintain a vulnerability management program.
- Implement strong access control measures.
- Regularly monitor and test networks.
- Maintain an information security policy.
How can you meet these goals? PCI DSS requirements lay out the steps.
- Start with firewalls. Install and maintain a firewall, and configure it as best you can to keep intruders out.
- Strengthen passwords. Don't use passwords that come with your devices, and look for ways to ensure you're following password best practices.
- Protect in storage. If you store cardholder data, ensure that you surround it with security.
- Protect in transit. If you move data across networks, ensure that it's encrypted.
- Stop attacks. Install anti-virus programs, and keep them updated.
- Tighten. Create secure systems and maintain them.
- Restrict electronic access. Don't allow everyone to touch cardholder data. Ensure only those who need to know about it can see it.
- Track. Give each person with access to your company's computer systems a unique ID.
- Restrict physical access. Don’t allow everyone to touch hard copies of cardholder data.
- Test. Set up a regular testing schedule and follow it.
- Codify. Create a document that spells out your policy regarding employee and contractor security.
PCI compliance levels explained
Every company that collects cardholder data, no matter how small, is required to achieve PCI DSS compliance. But larger companies must take more steps to prove that they both know and understand the rules.
Consider Visa. This company (the largest major payment network worldwide) creates four compliance levels.
Those four levels are:
- Level 1. If you process more than 6 million Visa transactions annually, you’re in this group.
- Level 2. If you process 1 to 6 million Visa transactions annually, you’re in this group.
- Level 3. If you process 20,000 to 1 million Visa transactions annually, you’re in this group.
- Level 4. If you process fewer than 20,000 Visa e-commerce transactions annually, or you're any other merchant processing up to 1 million Visa transactions annually, you're in this group.
The rules don’t change from group to group. But the risks you face with larger transaction numbers do. As a result, Visa requires more documentation from larger companies to prove compliance.
If you’re a small, Level 4 company, you may only need to complete a questionnaire. But if you’re a Level 1 company, you’ll need to complete two accounting forms.
PCI DSS do’s and don’ts
The rules may seem simple. But it's easy for companies to grow confused about what they should and shouldn't do with the data they collect. Understanding a few best practices may help.
For PCI DSS compliance, you should:
- Stay abreast. Follow the PCI closely, and read up on new releases. As the industry changes and new risks emerge, the rules you must follow can also change.
- Conduct risk assessments. Evaluate your environment regularly. When you spot an area of concern, mitigate the risks as quickly as possible.
- Hold regular trainings. Staff left unattended can create workarounds (such as saving cardholder data in spreadsheets on the server) that put compliance at risk. Expect to re-train your staff.
For PCI DSS compliance, you should not:
- Take partnerships lightly. Don't simply shop for the best deal on POS hardware and software. Make sure that any company you work with is also PCI DSS compliant and takes the risks seriously.
- Merge networks. Cardholder data shouldn't be accessible to hackers who get into your company's open servers. Segment as much as you can to keep data safe.
- Forget it. Compliance is an ever-shifting target. Keep your security at the forefront of your mind at all times.
If you're looking for a partner to help ensure PCI DSS compliance, consider Okta. Download our white paper to find out how we can help you on your compliance journey.