What Is PCI Compliance?
Payment card industry (PCI) compliance is mandated by credit card companies to help ensure the security of credit card transactions in the payments industry. Payment card industry compliance refers to the technical and operational standards that businesses follow to secure and protect credit card data provided by cardholders and transmitted through card processing transactions.
PCI standards for compliance are developed and managed by the PCI Security Standards Council.
- Companies that follow and achieve the Payment Card Industry Data Security Standards (PCI DSS) are considered to be PCI compliant.
- The PCI Security Standards Council is responsible for developing the PCI DSS.
- PCI DSS has 12 key requirements, 78 base requirements, and 400 test procedures to ensure that organizations are PCI compliant.
- Being PCI compliant reduces data breaches, protects the data of cardholders, avoids fines, and improves brand reputation.
- PCI compliance is not required by law but is considered mandatory through court precedent.
Understanding PCI Compliance
The Federal Trade Commission (FTC) has responsibility for the oversight of credit card processing as it falls under the need for consumer protections and oversight. While there is not necessarily a regulatory mandate for PCI compliance, it is regarded as mandatory through court precedent.
In general, PCI compliance is a core component of any credit card company's security protocol. It is generally mandated by credit card companies and discussed in credit card network agreements.
The PCI Standards Council is responsible for the development of the standards for PCI compliance. These standards apply to merchant processing and have also been expanded to outline requirements for encrypted Internet transactions. Other key entities that are also associated with standard-setting in the credit card industry include The Card Association Network and the National Automated Clearing House (NACHA).
Requirements for PCI Compliance
PCI compliance standards require merchants and other businesses to handle credit card information in a secure manner that helps reduce the likelihood that cardholders would have sensitive financial account information stolen. If merchants do not handle credit card information according to PCI Standards, the card information could be hacked and used for a multitude of fraudulent actions. Additionally, sensitive information about the cardholder could be used in identity fraud.
Being PCI compliant means consistently adhering to a set of guidelines set forth by the PCI Standards Council. PCI compliance is governed by the PCI Standards Council, an organization formed in 2006 for the purpose of managing the security of credit cards.
The requirements developed by the Council are known as the Payment Card Industry Data Security Standards (PCI DSS). PCI DSS has 12 key requirements, 78 base requirements, and over 400 test procedures.
How to Become PCI Compliant
In order to conform with PCI guidelines, several steps should be undertaken that are considered security best practices. The 12 major steps include the following:
- Implement firewalls to protect data
- Appropriate password protection (such as 2FA)
- Protect cardholder data
- Encryption of transmitted cardholder data
- Utilize antivirus and anti-malware software
- Update software and maintain security systems on a regular basis
- Restrict access to cardholder data
- Unique IDs assigned to those with access to data
- Restrict physical access to data storage
- Create and monitor access logs
- Test security systems on a regular basis
- Create a policy that is documented and that can be followed
The most recent version of PCI DSS was released in May 2018 and is referred to as version 3.2.1. Overall, the six objectives and 12 requirements outline a series of steps that credit card processors must continually follow. Companies are first asked to assess their networks and systems, which involve information technology infrastructure, business processes, and credit card handling procedures.
Benefits of PCI Compliance
Constant maintenance and assessment of any gaps in security are also very important for avoiding the theft of sensitive cardholder information, such as social security and driver’s license numbers, whenever possible.
Companies are required to provide compliance reports on a regular basis as part of their card processing agreements. Monitoring, assessments, and audits of Payment Card Industry Data Security Standards are all an important part of a company’s security department.
All companies that process credit card information are required to maintain PCI compliance as directed by their card processing agreements. PCI compliance is the industry standard and business without it can result in substantial fines for agreement violations and negligence. Without PCI compliance, companies are also highly vulnerable to theft, fraud, and data breaches.
The percentage of cybersecurity breaches that are caused by human error.
The benefits of compliance include the reduced risk of data breaches, safeguarding cardholder data, and thus avoiding chances for identity theft. It is good practice for companies to be compliant as it reduces any fines related to data breaches, helps a company's brand reputation, and keeps customers happy and confident that they are doing business with a responsible company, leading to brand loyalty.
In the first half of 2020, there were 36 billion records exposed through data breaches. Eighty-six percent of breaches were financially motivated and with the global information security market expected to reach $170 billion in 2020, the financial risk is even higher. Protecting cardholder data is not only good for business but is also the right thing to do, ensuring that people are not negatively harmed or suffer any financial loss.
Drawbacks of Being PCI Non-Compliant
PCI compliance is mandatory if you or your business deals with credit card transaction information. In addition to increased risk of experiencing a data breach, you can also be subject to fines, penalties, and losing the ability to process credit card data going forward. Banks and payments companies may also choose not to do business with you unless you are PCI compliant. This can result in lost sales and a tarnished brand image.
Non-compliance fines begin at $5,000, but can cost up $500,000 per PCI data security incident or breach. In addition, it is required that all individuals whose information is believed to have been compromised must be notified in writing to be on alert for fraudulent charges.
Examples of PCI Compliance and Data Breaches
PCI compliance helps avoid fraudulent activity and mitigates data breaches. Verizon provides an annual assessment of payment security in its “Verizon Payment Security Report.” The 2019 Report devotes an entire section to PCI DSS, called “The state of PCI DSS compliance, 2019: And 12 key requirements.” Some PCI DSS highlights from the “Verizon 2019 Payment Security Report” include the following:
- 36.7% of organizations were actively maintaining PCI DSS programs in 2018.
- The Asia-Pacific region outperformed the Americas, Europe, the Middle East, and Africa.
- From an industry perspective, hospitality lags somewhat behind other sectors.
Frequently Asked Questions
What does PCI compliant mean?
PCI compliant means that any company or organization that accepts, transmits, or stores the private data of cardholders is compliant with the various security measures outlined by the PCI Security Standard Council to ensure that the data is kept safe and private.
Is PCI compliance required by law?
There is not a regulatory mandate that requires PCI compliance, but it is nevertheless regarded as mandatory through court precedent.
How do I get PCI compliant?
To become PCI compliant, you must first determine which self-assessment questionnaire you need to follow to become compliant. Once you finish the questionnaire, then you need to complete and hold evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor. Scanning applies to only some merchants. You will then need to complete the Attestation of compliance. The last step will be to submit all of the above information.
Who must be PCI compliant?
Any company or organization that accepts, transmits, or stores the private data of cardholders.
The Bottom Line
PCI compliance refers to the technical and operational standards set out by the PCI Security Standards Council that organizations need to implement and maintain. The goal of being PCI compliant is to protect cardholder data and applies to any organization that accepts, transmits, or stores that data. Being PCI compliant is a good business practice in that it puts the safety of consumer data first and also benefits an organization through a positive brand reputation.