
Understanding data security requirements is necessary for any retailer when accepting card payment methods. However, the biggest challenge of Payment Card Industry Data Security Standard (PCI DSS) for store owners is that it’s an exceedingly complicated and technical topic. You may feel overwhelmed when researching more information about the security standard and its requirements. If you’re new to this standard and looking for an overview, this PCI compliance guide will get you up to speed.

What is PCI compliance?

PCI compliance means meeting the Payment Card Industry Data Security Standard, a set of proprietary standards and payment security best practices first issued on September 7, 2006, by the PCI Security Standards Council, which was founded by 5 members:

  • MasterCard
  • Visa
  • American Express
  • JCB International
  • Discover Financial Services

PCI DSS compliance overview

These policies are designed to keep a customer’s card data safe and secure, with the goal of minimizing any breach of that data by hackers or criminals at every stage of the transaction process. By being PCI compliant, you contribute to an international payment card data security measure that maintains a secure environment for all participating companies.

What are the business benefits of PCI compliance?

Doing business in retail means that fraud is probably happening somewhere, such as someone using stolen credit cards to make purchases. Many retailers spend plenty of valuable time reviewing data from POS terminals looking for cardholder data breaches. When you comply with PCI DSS, you have an ongoing process that prevents theft of payment card data now and in the future. This leads to long-term benefits:

  • Improve enterprise security and the efficiency of your IT infrastructure
  • Improve your reputation with payment brands, acquirers, and purchasing partners
  • Increase customer trust and repeat purchases

Benefits of PCI compliance

Who needs to be PCI compliant?

PCI DSS applies to ALL companies that accept, store or transmit any cardholder data, regardless of your transaction volume and business size. Here are some PCI compliance frequently asked questions:

Does PCI DSS still apply to my company if I only accept credit cards over the phone?

Yes. Remember that all businesses that accept card payment methods must comply with PCI DSS. Otherwise, in the event that your company’s data is breached and your customer information is vulnerable, you’ll be held liable.

Will PCI compliance apply to my company if we don’t store any credit card data?

If you accept debit or credit cards as payment methods, PCI compliance still applies to your company. It is simply easier to become compliant when you don’t store card data. Even then, you still need to document your status (that you do not handle cardholder data) in a Self-Assessment Questionnaire (SAQ). We’ll explain the SAQ in the next part.

PCI compliance guide frequently asked questions

What are the penalties for non-compliance?

Although PCI DSS is not part of any law, it is a set of rules applied worldwide, and it comes with specific costs and penalties for companies that fail to meet its requirements. For PCI compliance violations, payment brands can fine your acquiring bank $5,000–100,000 per month at their discretion.

  • Your bank will pass this fine to you in the end.
  • In addition, the bank may either increase transaction fees or terminate its relationship with your business.

Those penalties aren’t widely publicized and discussed, but they can be disastrous for any business. Thus, you need to keep track of your risk exposure for such cases in your merchant account agreement.

How to achieve PCI compliance

Step 1. Understand 12 PCI compliance requirements

To achieve PCI compliance certification, you need to comply with 12 requirements, which are grouped under 6 broader goals. Please note that these are general requirements for all merchants, regardless of business size and transaction volume.

12 PCI DSS Requirements, grouped by goal

Build and maintain a secure network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications

Implement strong access control measures
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly monitor and test networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an information security policy
  12. Maintain a policy that addresses information security for all personnel

Step 2. Identify your business level of compliance

PCI compliance levels

There are 4 levels of compliance depending on the volume of your annual transactions. By convention, merchants at level 4 handle the smallest number of annual transactions, and merchants at level 1 handle the largest number of annual transactions:

  • Level 4: Under 20,000 transactions per year
  • Level 3: 20,000 – 1 million transactions per year
  • Level 2: 1 million – 6 million transactions per year
  • Level 1: Over 6 million transactions per year

We’ll clarify different requirements for merchants of each level in step 3.

PCI compliance for merchants

Step 3. Complete a Self-Assessment Questionnaire

The main difference between the levels lies in what each requires for certification. Level 4 certification only requires a self-assessment, whereas level 1 certification requires an onsite audit performed by a Qualified Security Assessor (QSA).

If you are a Level 2, 3, or 4 merchant or service provider:

  • You’ll need to complete a Self-Assessment Questionnaire (SAQ) to assess the security of cardholder data. It consists of a set of YES/NO questions covering the PCI DSS requirements.
  • After completing the SAQ, you need to fill out the Attestation of Compliance (AOC), a form that attests to the results of your PCI compliance assessment.

If you are a Level 1 merchant or service provider:

  • You need an additional document called a Report on Compliance (ROC).
  • At level 1, both the AOC and the ROC must be completed by a certified PCI QSA following an onsite PCI compliance audit.

You can find templates of all current PCI DSS documents (SAQs, AOCs and ROC templates) on the PCI Security Standards Council website.

PCI compliance assessment

At this step, you might find that your business fails some requirements. If so, you’ll have to make necessary changes and improvements to your cardholder data security environment. When it’s done, you can start taking the SAQ again.

How much does PCI compliance cost?

After submitting all the required documents, you need to wait for the review process and budget for the PCI DSS compliance cost. This cost varies with many factors, including:

  • Environment structure and networking technologies
  • Cardholder data and transaction volume
  • Risk levels
  • Number and types of systems
  • Number and types of devices
  • Number of staff members, processes, and departments
  • Business type and levels
  • Security culture

Cost item                                    Level 2, 3, or 4 business   Level 1 enterprise
Onsite audit                                 No                          $40,000
Self-Assessment Questionnaire                $50–200                     No
Vulnerability scans                          $100–200/IP address         $1,000
Penetration testing                          No                          $15,000
Training and policy development              $70/employee                $5,000
Remediation (hardware and software updates)  $100–10,000                 $10,000–500,000
Total                                        $320+                       $71,000+

How to conduct and pass PCI compliance scans

After obtaining PCI certification, you need to run frequent PCI vulnerability scans to find vulnerabilities and security threats in your application. PCI scanning protects you from some of the most common web application attacks, including:

  • SQL injection — the unauthorized insertion of SQL into a query built by your application or website. From there, attackers can read confidential data from the database, perform malicious operations, or modify the underlying data.
  • Cross-site scripting (XSS) — one of the most common vulnerabilities in applications and websites, which allows attackers to execute scripts in a customer’s browser. It can redirect your customers to a malicious website or carry out other abuse such as stealing cookies.

PCI compliance scan
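Both findings above come down to untrusted input being mixed into a language the server or browser then interprets. As an added example, not code from the original post, the following Python shows the vulnerable form beside the hardened form for each. It assumes an SQLite-backed order lookup with a constructed table (which stores only the last four digits of the card, in line with requirement 3) and uses hypothetical function names.

```python
import html
import sqlite3


def build_db():
    """Create a constructed in-memory orders table (sample data, not real customers)."""
    conn = sqlite3.connect(":memory:")
    # Only the last four digits of the card are stored; never the full PAN.
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, last4 TEXT)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", "4242"), (2, "bob", "0005")],
    )
    return conn


def lookup_orders_vulnerable(conn, customer):
    """SQL injection: the customer string is spliced into the SQL text itself."""
    sql = f"SELECT id, customer, last4 FROM orders WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def lookup_orders_safe(conn, customer):
    """Hardened form: the value is bound as a parameter and never parsed as SQL."""
    sql = "SELECT id, customer, last4 FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


def render_greeting_vulnerable(name):
    """Reflected XSS: the name is inserted into HTML verbatim."""
    return f"<p>Hello {name}</p>"


def render_greeting_safe(name):
    """Hardened form: HTML-escape untrusted text before inserting it into markup."""
    return f"<p>Hello {html.escape(name)}</p>"


if __name__ == "__main__":
    db = build_db()
    # A scanner's tautology probe matches every row in the vulnerable lookup
    # but matches nothing in the parameterised one, because no customer has
    # that literal name.
    probe = "alice' OR '1'='1"
    print("vulnerable:", lookup_orders_vulnerable(db, probe))
    print("safe:      ", lookup_orders_safe(db, probe))
    print(render_greeting_vulnerable("<script>alert(1)</script>"))
    print(render_greeting_safe("<script>alert(1)</script>"))
```

An ASV scan flags exactly these two patterns by sending probes like the ones in the `__main__` block and checking whether the response reflects them unchanged; fixing the code with bound parameters and output escaping is what turns a failed scan into a passing rerun.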

The PCI compliance scan represents requirement 11 of the PCI DSS standard, which focuses on network and application security. According to the requirement, you must run scans at least every 90 days and need to hire PCI Approved Scan Providers, or Approved Scanning Vendors (ASVs) to conduct your PCI compliance scans. Based on the scan results, you can create reports for certification and submit this summary to your acquiring banks directly via your vendor’s scanner system.

  • For failed scans, you need to immediately resolve all identified issues.
  • Within these 90 days, whenever you change something in your sites and apps (fix previously detected issues, install new hardware, or update firewall), you’ll need to rerun the scan to ensure there isn’t any new security risk.
  • If you do not conduct regular PCI scans, you will be fined and may be unable to accept credit cards after losing your merchant status.

PCI compliance scan report

Performing regular PCI compliance scans may consume a lot of your business resources. However, it is far better than being attacked: a breach costs your company its reputation and its financial standing, and the resulting legal issues can even close your business.

Is it possible to be outside the scope of PCI compliance?

You may find that getting certified and compliant with PCI requirements leads to many struggles. Many merchants complain it’s too hard and too expensive.

The good news is that you can avoid this whole certification process and paperwork by choosing a PCI DSS-compliant payment provider. Your payment service provider then processes the entire payment transaction, so you never touch the customer’s card details. In other words, they take on your PCI compliance burden.

Thus, most store owners prefer to work with payment providers because they don’t have to deal with all the PCI issues.

Choose a PCI DSS compliant payment provider

Your payment service provider will charge you a fee in exchange for services that help you meet PCI compliance requirements, including data breach insurance and security scans. Fees will vary from provider to provider:

  • The most common way is charging an annual fee of $99–199 in January or February.
  • Some providers will require a small monthly fee.

Conclusion

In a nutshell, PCI DSS compliance applies to all merchants that accept card payment methods to protect the security and privacy of sensitive card data. Remember that PCI compliance doesn’t take into account the size of your business or the transaction volume.

The road to PCI compliance can be technically complicated, but it is worth the effort if you want to protect your customer data and your own reputation, which is what lets your business keep growing. Most importantly, retailers can choose a PCI-compliant payment provider so that they don’t have to obtain the compliance certification themselves.

Author: Irene Luong