PCI Compliance: The Ultimate Guide


Payment card industry, or PCI, compliance is the process businesses use to assess and confirm the security of customer card data. This data — including credit card account numbers and security codes — weaves through a number of different systems each time a transaction is made. Part of the responsibility of securing it lies with business owners. Not following the proper procedures can lead to serious problems, including fines of thousands of dollars. Understanding how this process works and what to do is a must for anyone who wants to take card payments.

PCI compliance: What is it, who runs it and why?

Whenever a card is used, a customer’s card information is captured, transmitted and sometimes stored by the merchant. In 2006, American Express, Discover, JCB International, Mastercard and Visa founded the PCI Security Standards Council with the goal of standardizing security protocols and practices required of those involved in card transactions. These standards apply to digital and physical practices and records.

Data security isn’t an issue for large, well-known companies only. A National Cyber Security Alliance survey found that about 1 in 4 small businesses had a data breach in one 12-month period and, of those, 1 in 3 ended up filing for bankruptcy or shutting down.

PCI compliance applies to businesses of all sizes, from international conglomerates to your local pizza place, though specific requirements can vary. These requirements typically include some combination of:

  • An assessment to determine how secure the systems and practices of a business are. Large businesses are required to hire a third-party firm to do this assessment, while most small businesses can perform a self-assessment.

  • A scan of the network the business uses. This is a technical exercise that requires the use of an outside firm.

Who’s involved in PCI compliance?

Generally, the rules that help safeguard card information are agreed to and enforced in contracts rather than by laws.

The PCI Security Standards Council neither creates nor enforces the specific rules a merchant account provider might require of its customers — it’s best to refer directly to the terms found in your contract. However, the rules are broadly similar thanks to the common language and shared goals the council maintains. Meeting the requirements means your business is in compliance. If you aren’t in compliance, you could face fines or lose your merchant account.

It’s important to note that many businesses use payment service providers, like Square or Stripe, in lieu of using a merchant account. In these instances, the payment service provider often takes on many of the compliance responsibilities as it — not the small businesses that use it — holds the merchant account with a bank. Still, it’s best to check directly with whichever financial service you use to verify what is expected of you and what assistance they offer.

Finally, some payment processors charge PCI compliance fees. Sometimes these fees include services, like access to consultants who help you complete compliance requirements. Weighing the cost of this fee, if any, against the services you receive can play a role in choosing the best payment processor for you.

How does PCI compliance work?

The details of PCI compliance can quickly get technical. However, the PCI Security Standards Council’s guidelines, called the Payment Card Industry Data Security Standard, or PCI DSS, show what the overarching goals are in straightforward terms. Pursuing these six goals, by meeting the 12 primary requirements that support them, makes it difficult for bad actors to access sensitive payment data.

Build and maintain a secure network

1. Install and maintain a firewall.

2. Use strong passwords.

Protect cardholder data

3. Protect stored cardholder data.

4. Encrypt transmission of cardholder data.

Maintain a vulnerability management program

5. Use up-to-date antivirus software.

6. Develop and maintain secure systems and applications.

Implement strong access control measures

7. Grant access to cardholder data only as business needs warrant.

8. Assign a unique identification to each person who can access cardholder data.

9. Restrict physical access to cardholder data.

Regularly monitor and test networks

10. Track and monitor all access to network resources and cardholder data.

11. Regularly test security systems and processes.

Maintain an information security policy

12. Maintain a policy that addresses information security for employees and contractors.

Compliance requirements

Determining how well your business adheres to these standards in a practical sense requires a thorough checkup. That’s the purpose of the required assessment of a business’s security practices every year.

While the requirement is universal, there’s no one-size-fits-all assessment. Instead, the type of annual assessment a business takes depends on a few factors, including the size of the business as measured by the volume of card transactions. A business falls into one of four tiers:

Level 1 merchants are businesses that process more than 6 million card transactions per year or have had a hack or attack that led to data loss.

Level 1 requirements
  • A PCI Security Standards Council Qualified Security Assessor, or QSA, or a PCI Security Standards Council Internal Security Assessor, or ISA, must perform an annual PCI DSS assessment. These third-party experts help companies determine how effective their security practices are.

  • File a Report on Compliance, or ROC.

  • An Approved Scanning Vendor, or ASV, must perform a quarterly network scan. A network scan, which is typically performed remotely, detects vulnerabilities in a business’s website, network or other exploitable system.

  • Submit an Attestation of Compliance, or AOC, form.

Level 2 merchants process 1 million to 6 million card transactions per year.

Level 2 requirements
  • Complete a self-assessment questionnaire, or SAQ.

  • An Approved Scanning Vendor, or ASV, must perform a quarterly network scan.

  • Submit an Attestation of Compliance, or AOC, form.

Level 3 merchants process 20,000 to 1 million online card transactions per year.

Level 3 requirements
  • Complete a self-assessment questionnaire, or SAQ.

  • An Approved Scanning Vendor, or ASV, must perform a quarterly network scan.

  • Submit an Attestation of Compliance, or AOC, form.

Level 4 merchants process fewer than 20,000 online card transactions or up to 1 million total transactions per year.

Level 4 requirements
  • Complete a self-assessment questionnaire, or SAQ, or other requirement stated by the merchant acquirer.

  • Might be required to have an Approved Scanning Vendor, or ASV, perform a quarterly network scan.

  • Submit an Attestation of Compliance, or AOC, form.

Most small businesses fall under Level 4 and are required to perform a self-assessment. The self-assessment questionnaire has multiple versions. The manner in which a business accepts card payments determines which one to take. For example, Questionnaire B is for a merchant who doesn’t use an electronic imprint machine to gather customer card information while Questionnaire A-EP is for businesses that outsource all payment processing to certified third parties.
