For some business owners, Payment Card Industry Data Security Standard (PCI DSS) compliance is just another monthly fee for something they think they might not need. But as more and more credit card processing takes place online, cybercriminals will increasingly look to online channels as a viable way to profit.
In fact, during the first half of 2020, the total volume of cyberattacks exceeded that of all cyberattacks in 2019. Moreover, 43% of online attacks are targeted at small businesses, and nearly three-quarters of small businesses close within 24 months of suffering a data breach.
While PCI noncompliance is just one cause of data breaches, it's usually very easy to correct and can help protect your business. Read on to learn about the PCI DSS compliance levels, requirements, costs and more. [Read related article: Digital Payments Are Growing]
What is PCI compliance?
PCI compliance (or PCI DSS compliance) is a credit card data security standard set by the Payment Card Industry Security Standards Council (PCI SSC), a group formed by Visa, Mastercard, Discover, American Express, and JCB to develop and review data security standards. PCI compliance involves all of the steps you take to keep your customers' sensitive payment data stored securely.
More specifically, PCI compliance comprises all of the security requirements that your business must follow when processing, storing or transmitting credit card data. There are some aspects of PCI compliance that you can control, such as choosing not to write down a patron's card number to input in your system later (since paper trails, even shredded ones, increase your liability), and there are some aspects you can't control directly, such as using a credit card processing program that stores credit card information on your own server in an unprotected way.
Who has to be PCI compliant?
Any business that processes, handles, stores or transmits credit card information must ensure PCI compliance at all times. Put more simply, if your company accepts credit card payments, you must be PCI compliant.
What are the PCI DSS compliance levels?
There are four PCI DSS compliance levels:
- Level 1: Any company that processes more than 6 million card transactions annually
- Level 2: Any company that processes between 1 million and 6 million card transactions annually
- Level 3: Any company that processes between 20,000 and 1 million card transactions annually
- Level 4: Any company that processes fewer than 20,000 card transactions annually
What costs are associated with PCI compliance?
To ensure PCI compliance, there are several tasks you must complete, and each step will cost your business money:
- Required third-party compliance validation for Level 1 merchants
- Similar recommended audits for Level 2 and Level 3 merchants
- Self-assessment questionnaires
- Vulnerability assessments
- PCI training and policy development
- Remediation measures and penetration testing
PCI compliance costs vary from a few hundred dollars per year for small businesses to upward of $100,000 per year for large enterprises.
What are the requirements for PCI DSS compliance?
To remain PCI compliant, your company must meet the following 12 requirements:
- Firewall usage. Firewalls minimize the chances that bad actors will access credit card data. As such, they are often the baseline of a rigid cybersecurity plan.
- Antivirus software usage. As with firewalls, antivirus software is fundamental to cybersecurity and thus a key component of PCI DSS compliance.
- Regular software updates. Firewalls and antivirus software offer strong protection, but they weaken every time you fail to update your software platforms.
- Password protection. You should replace your credit card processing systems' initially simple passwords with complex, more secure passwords. You must also keep a running list of all software and devices that require passwords.
- Cardholder data protection. All cardholder data should be encrypted with algorithms. You can set up these algorithms via encryption keys, which themselves must be encrypted. Additionally, you must conduct routine maintenance and primary account number scans to identify and encrypt unprotected data.
- Data transmission protection. Any time you convey cardholder data to known devices such as payment processors, this data must be encrypted. You must never send this data to unknown devices.
- Data access tracking and protection. Only employees who need direct access to credit card information should have it. You must also track all employee interactions with credit card data.
- Unique identifiers. All employees who need credit card information access should have their own login and trackable account.
- Physical security. Even digital data has physical components – namely, servers and hard drives. You must store these devices in a secure and locked location. Paper-based credit card information should be stored similarly.
- Access logging. All access to physical and digital data storage locations should be logged and tracked. On this front, logging software is often more accurate than paper logs.
- Vulnerability testing. PCI compliance involves numerous moving parts, so you must regularly test your security system for potential vulnerabilities. These tests catch human errors and software malfunctions before they accidentally give hackers a backdoor to your data.
- Policy documentation. You must document all of the above PCI compliance infrastructures. This means logging all software and hardware used to access data, alongside when and where the data was accessed and which employee accessed it. You must also document all systems you use for data intake, physical storage and post-sale data.
Don't become a victim of data breaches
Here are some ways to protect your business from data breaches:
- Don't write down credit card numbers. Even though it doesn't relate to digital data, you'll be held liable if you're found to have written down anyone's credit card number. If your business procedures have required you to do so in the past, it's time to improve your process.
- Ensure your credit card processing provider is compliant. If you use a credit card processing solution on your own server that you know is not PCI compliant, it may be time to look into a different processing solution for your system.
- Look for encryption. Cloud-based systems take the important step of removing all customer data from your own server so that, regardless of whether the data is encrypted, you are never held liable for a credit card information breach. And if you aren't sure about the status of your own credit card processing solution (or whether it's on your server or in the cloud), it doesn't hurt to ask your credit card processor or check the web for reviews of the product related to PCI compliance.