One of the forms this takes is compliance with payment card industry data security standards (PCI DSS), which indicates an organization follows the administrative and technical requirements to keep cardholder data safe.
Let’s explore PCI compliance in more detail, look at what it means for your organization and answer some relevant questions about how it’s beneficial, whether it’s mandatory and what’s involved in achieving it.
What does it mean to be PCI compliant?
The PCI Standards Council determines and updates the requirements for PCI DSS compliance as needed. They most recently revised these standards in January 2019.
There are currently 12 “Control Objectives” described in the standards. Each one has multiple subsections focused on guiding organization decision-makers toward compliant databases and other IT infrastructure for payment data.
Here are some paraphrased excerpts from several of the Control Objectives or their subsections.
- 1.1: All sensitive data to be transmitted, processed or stored by the organization’s payment software has been identified.
- Organizational functions “exposed by the (payment) software” may only be enabled by default when the software architecture “justifies” doing so. This criterion covers “optional” features such as web services and applications and ensures access controls remain in place for critical business functions.
- 4.1: Organizations need to be honest with themselves about credible "attack scenarios" — DDoS, phishing, etc. — and have a documented plan in place for identifying the source of problems or attacks and ameliorating data loss.
- 7.4: Random values used by the software to generate cryptographic keys meet “minimum effective strength.”
- 12.1: The software’s developers and vendors have provided the merchant’s decision-makers with guidance — “evidence” — that clearly and thoroughly describes the payment software’s operation and implementation and how each piece maintains security and compliance.
The PCI standards range from in-house company culture to specific requirements for the technology and guidance on choosing appropriate software from vetted, technologically sophisticated and transparent vendors.
PCI DSS standards for credit card and payment data security are a little like the certifications that professionals in the health care, legal and financial services industries must renew over time. People use these certifications as an indication that the professional is up to date with regulatory requirements and best practices.
Likewise, presenting a PCI DSS certification indicates you’re committed to learning about new techniques and technologies over time. It says to customers and potential partners that you take the fundamentals of security and privacy seriously and aren’t willing to sacrifice your integrity by cutting corners.
Who needs to be PCI compliant? What happens if they’re not?
Any business that engages in processing, transmitting or storing credit card data using electronic means must abide by these compliance rules. Major credit card companies like Visa and MasterCard design and enforce PCI compliance requirements, as they’re the controlling interests in the PCI Standards Council.
Banks and merchants partnering with these credit card companies are on the hook for potential fines if their business infrastructure or payment processing systems are not compliant.
PCI compliance separates merchants into four levels to determine their degree of risk:
- Level 1 merchants process 6 million or more credit card transactions annually.
- Level 2 merchants process between 1 million and 6 million transactions annually.
- Level 3 merchants process between 20,000 and 1 million transactions annually.
- Level 4 merchants process 20,000 or fewer credit card transactions annually.
To understand the effects of non-compliance, consider the following example: suppose your business suffers a data breach. The first step for the credit card brands you work with — like Visa and American Express — is to find out whether the bank that processes your credit card transactions has been tracking your PCI compliance.
If your bank wasn’t compliant, it stands to reason your business wasn’t either. In light of the data breach at your business and the bank’s lack of oversight, the bank receives a fine and passes it along to you.
Fines can be as low as $5,000 or as high as $100,000 for every month of non-compliance. Fines can also continue to increase over time until you achieve compliance. Credit card brands may levy fines even if your business was indeed in compliance at the time it sustained the data breach, but the amounts of these fines are private.
How do you become PCI compliant?
The law doesn’t mandate that businesses must achieve PCI compliance. However, it’s a requirement if you want to do business with the credit card industry and allow your customers, partners or donors to pay with a credit card.
You shouldn’t view achieving compliance as an inconvenience, but rather as a resource. Cybersecurity — and the overarching mission of protecting one’s partners and customers — isn’t mandated by law, but your success and reputation rest on it.
The good news is, lots of third-party companies that provide digital payment gateways use PCI DSS best practices ‘out of the box’. Finding such a vendor can take some of the worry off your shoulders.
Still, any companies that receive credit card payments are stewards of highly sensitive data, and they have a role to play. Identifying sensitive data and getting all your data organized, if you haven’t already, is, again, the first critical step. It serves as the foundation for your entire financial and digital future, whether you solicit local donations as a nonprofit or do business all over the world.
Merchants should begin their pursuit of PCI compliance with the official PCI DSS questionnaire. This walkthrough helps determine which action items your organization still needs to take to achieve 100% compliance. Other steps include using strong passwords, using only approved point-of-sale software and hardware online and in stores and training new employees on cybersecurity fundamentals.
It’s also smart to have annual compliance audits performed by professional security assessors who can provide a report detailing whether you’re still in step with relevant guidelines.
With this understanding of what’s required and what’s at stake, companies everywhere can double down on upholding PCI compliance standards. It’s not a silver bullet for preventing data breaches, but it’s a significant step to take in lowering the risk.