Back
PCI compliance refers to implementing and maintaining the data security requirements set out by the Payment Card Industry Data Security Standard (PCI DSS). This set of rules is specifically designed to protect sensitive cardholder data when processing card transactions.
PCI DSS is managed and overseen by the PCI Standards Security Council (PCI SSC), a body made up of five of the world’s largest payment processing brands: Mastercard, Visa, American Express, Discover, and JCB International.
What is PCI compliance?
The Payments Card Industry Security Standards Council (PCI SSC) are an established and respected global forum of payments industry stakeholders. They created the PCI Data Security Standard (PCI DSS) to combat online fraud. If your organisation accepts, transmits or stores card data, then the PCI DSS applies to you, and you must hold a PCI compliance certificate to prove that you comply with it.
- PCI DSS requirements apply to any entity that processes, transmits, or stores sensitive cardholder data and/or account information.
- Although the PCI DSS is not a law, merchants that fail to comply increase the risk of data breaches and face severe penalties from credit card companies.
- To monitor and maintain PCI DSS compliance, many companies either employ an in-house compliance expert or work with a third-party compliance services firm.
- Maintaining PCI DSS compliance involves routine auditing, either through self-assessment questionnaires or on-site assessments by a qualified assessor.
- Larger companies that process a higher volume of annual card transactions are subject to more stringent auditing and testing than smaller businesses with fewer than 1 million transactions per year.
What are the different PCI Compliance levels?
PCI compliance certificates are issued annually. What you must do to get one depends upon the level of compliance you are being asked to conform to. The definitions of PCI levels vary by merchant or payment service provider, so talk to yours about this.
To give you an idea what’s involved, we have listed the PCI compliance levels for Visa:
PCI Level 1
These are for large companies processing more than 6 million payments annually. This level of compliance is expensive as it requires significant IT hardware and software, skilled staff, training, and audit resources. PCI Level 1 can also include businesses with a significant data breach, leading to compromised account information.
As you’d expect, the validation requirements for PCI Level 1 businesses are significant, so they are likely to have specialist resources to support them.
To get a PCI compliance certificate, a PCI Level 1 organisation will need to supply an:
Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA). An internal auditor may do this role.
Annual self-assessment questionnaire (SAQ)
Quarterly network scans from a PCI-approved Approved Scanning Vendor (ASV).
Attestation of Compliance Form.
PCI Level 2
PCI Level 2 applies to companies handling a significant number of payments between 1 million and 6 million payments a year.
To get a PCI compliance certificate, a PCI Level 2 organisation must supply everything that a PCI Level 1 does, except a ROC.
PCI Level 3
If a business takes between 20,000 and 1 million e-commerce payments a year, they will fall under PCI Level 3 compliance. To get a PCI compliance certificate, a PCI Level 3 organisation must supply similar information to their PCI Level 2 colleagues, namely an annual SAQ, quarterly network scan by ASV and an Attestation of Compliance Form.
PCI Level 4
The majority of businesses fall within PCI Level 4. It’s for merchants processing less than 20,000 e-commerce transactions yearly or up to 1 million transactions.
If you fall within this category, talk to your merchant or payment service provider because they will set your compliance validation requirements and advise what you need to do to get a PCI compliance certificate. They may recommend an annual SAQ and a quarterly network scan by an ASV.
Take your systems out of PCI-DSS scope
Key components of PCI compliance
To whom does PCI compliance apply?
PCI DSS applies to all companies and organisations that handle cardholder data and/or other sensitive information influencing cardholder data security. This includes:
- Merchants that accept card payments either in-person or online
- Payment processors like Square or PayPal
- Card networks like Visa and Mastercard
- Issuing banks (i.e., the customer’s bank)
- Acquiring banks (i.e., the merchant’s bank)
Types of data applicable
Any entity that processes transmits, or stores the following information is subject to the requirements set out in the PCI DSS:
- Cardholder data (CHD)
- Primary account number (PAN)
- Cardholder name
- Expiration date
- Service code
- Sensitive authentication data (SAD)
- Magnetic stripe or chip data
- Card verification code
- PINs/PIN blocks
Objectives and requirements
The PCI DSS is continually assessed and updated as technology advances and cardholder behaviour changes. As explained in the PCI DSS v4 Quick Reference Guide (PDF), PCI DSS has six key goals. For each goal, PCI DSS specifies what’s required in order to achieve that goal.
The goals and requirements are as follows:
1. Build and maintain a secure network and systems
- PCI DSS requirement: Install and maintain network security controls
- PCI DSS requirement: Apply secure configurations to all system components
2. Protect account data
- PCI DSS requirement: Protect stored account data
- PCI DSS requirement: Protect cardholder data with strong cryptography during transmission over open, public networks
3. Maintain a vulnerability management program
- PCI DSS requirement: Protect all systems and networks from malicious software
- PCI DSS requirement: Develop and maintain secure systems and software
4. Implement strong access control measures
- PCI DSS requirement: Restrict access to system components and cardholder data by business need to know
- PCI DSS requirement: Identify users and authenticate access to system components
- PCI DSS requirement: Restrict physical access to cardholder data
5. Regularly monitor and test networks
- PCI DSS requirement: Log and monitor all access to system components and cardholder data
- PCI DSS requirement: Test security of systems and networks regularly
6. Maintain an information security policy
- PCI DSS requirement: Support information security with organisational policies and programs
While these requirements are theoretically easy to understand, implementing them can be complex and typically requires a thorough understanding of data security practices.
How much does it cost to get PCI compliance?
The cost of PCI compliance varies by merchant level. If you operate a small business, the fee you will pay for PCI compliance could range from nothing to £60 a year.
Nothing? Yes, that’s right. Some merchant or payment service providers will handle your PCI compliance for no extra fee. Those that do charge, normally hover in the £2.50 - £5 a month mark (as of September 2023) and so you will end up paying £30 - £60 for PCI compliance if you are a small business.
If you are a larger business processing 20,000 or more payments a year, then you can expect to pay a lot more to achieve PCI compliance. Talk to your merchant or payment service provider to understand what PCI level they are placing you at, and what support they can offer you.
The cost of non-compliance can be £3,000 or more. Whilst it is your merchant or payment service provider and not you that will be fined, they merchant bank will typically pass this fine down to you along with any legal fees that they have incurred. And if you are at risk of non-compliance, then you are unlikely to find any merchant or payment service provider willing to serve you.
PCI compliance requirements
Merchants are asked to sign an “Attestation of Compliance Form” to confirm that they are PCI compliant. The form contains 12 PCI compliance requirements, built around six themes:
Securing network and systems.
Protecting stored account data.
Vulnerability management.
Access Control.
Monitoring and testing networks.
Maintaining an information security policy.
These are the 12 PCI compliance requirements that every merchant must follow:
- Install and maintain a firewall to protect cardholder data within your network.
- Change vendor-supplied default passwords and security settings.
- Protect all stored cardholder data, ensuring you have policies to limit the data you store.
- Use data encryption when transmitting cardholder data across open, public networks.
- Use appropriate anti-virus software. Document periodic scans. Use the latest software update.
- Document and maintain security systems and processes.
- Restrict access to cardholder data on a ‘need to know’ basis.
- Assign a unique user ID to everyone with computer access and implement a process for authenticating each user.
- Restrict physical access to cardholder data. This could include using cameras or other hardware and software to monitor who is accessing sensitive data.
- Log and monitor all access to system networks and cardholder data.
- Test security systems and processes regularly. Perform quarterly vulnerability scans.
- Document and maintain an information security policy for your business. Review and update this policy at least annually.
Failure to comply with PCI DSS
PCI DSS is a global standard, not a law. However, failing to comply with PCI DSS requirements can result in severe consequences for businesses. PCI DSS is enforced through contracts between merchants, their banks, and the payment processors merchants use to accept customer card payments. These contracts lay out strict penalties for PCI DSS non-compliance, the severity of which varies depending on the institution involved and the nature of the breach.
1. Fines
Businesses that fail to comply with PCI DSS regulations face large fines from card networks like Visa, Mastercard, and American Express. These fines can range from thousands to millions of dollars, depending on the card brand, the severity of the breach, the merchant’s compliance level, and the duration of non-compliance. Fines are often issued on a monthly basis until the compliance issue is resolved.
2. Withdrawal of card processing services
Companies that experience large-scale security breaches or fail to correct compliance issues in a timely manner can face having their card processing services suspended or even withdrawn completely. Losing the ability to accept card payments can have a drastic and devastating impact on business.
3. GDPR penalties
Although PCI DSS is not a law, businesses can still encounter legal penalties for non-compliance. One example of this is the United Kingdom and European Union’s General Data Protection Regulation (GDPR), under which companies face significant consequences of up to £17.5 million (€20 million) or 4% of turnover (whichever figure is higher) for data breaches.
4. Fraud, lawsuits, and reputation damage
In addition to the financial and operational penalties listed above, failure to comply with PCI DSS can lead to increased data theft and fraud experienced by customers. This can lead to expensive lawsuits from customers and a general loss of trust in the brand, resulting in fewer sales and a downturn in revenue.
Stay in English