What is PCI compliance?
ISO 27001. PAS 555. GDPR. Presented as a series of seemingly random codes, it’s easy for today’s common compliance standards to go straight over most people’s heads.
However, if you have a business that takes card payments – whether that’s face-to-face, online or over the phone – the one acronym you really need to pay attention to is PCI DSS.
PCI DSS (the Payment Card Industry Data Security Standard) is a set of controls designed to help businesses process card payments securely, reduce card fraud, and ensure that customers’ card details are protected.
So, how do you adhere to the standard – what is PCI DSS compliance? Well, it simply means falling in line with a set of 12 requirements and being able to prove that you’re meeting them.
Compliance isn’t optional. All merchants and service providers who process, transmit or store cardholder data must meet the criteria or face the consequences. Therefore, it’s worth getting to know the full set of requirements as listed on the official PCI site.
But first, let us address a few key questions: why did PCI DSS first come about; why is it beneficial; what are its various levels; and what is the PCI non-compliance fee?
The history of PCI compliance
PCI DSS is a worldwide standard that was formed by the major credit card associations: American Express, Discover, JCB, Mastercard and Visa.
Of these brands, Visa was the first to attempt to establish a set of security standards for businesses accepting payments online in the late 1990s. Mastercard, American Express and Discover quickly followed suit and founded their own security principles – but merchants soon found handling multiple regulations confusing, so demand for a common set of standards grew.
With fraud on the rise, the credit card associations had to take action, so they collaborated to form the PCI DSS in 2004.
Administered and overseen from 2006 onwards by yet another acronym – the PCI SSC (Payment Card Industry Security Standards Council) – the unified set of rules enforces tight controls to protect both businesses and consumers.
How PCI compliance is beneficial for both businesses and customers alike
For many businesses, the PCI DSS requirements can be perceived as being onerous and expensive. But the fact is that compliance is worth the effort – and the benefits are significant:
- Reduces the risk of data breaches
With today’s increase in compliance programmes, you’ll undoubtedly ask yourself if PCI DSS actually provides any real value – or if it’s just part of another box-ticking exercise. The good news here is that the standard achieves exactly what it set out to do: it reduces the risk of data breaches. With requirements for things like firewalls and encryption, the controls ensure all businesses tighten up their security.
- Helps you avoid expensive fines
Following a data breach, card brands will investigate your business’ level of compliance and they’ll interrogate the bank you use too. If you are found to be non-compliant, fines and penalties will apply, ranging anywhere from $5,000-$100,000 per month, depending on the circumstances. These fines are passed to you from the bank via high transaction fees or service charges. PCI DSS compliance helps to avoid all of this.
- Protects customers’ sensitive data
With more than 3,800 publicly disclosed breaches exposing an incredible 4.1 billion compromised records in the first six months of 20191, data privacy concerns among consumers have never been higher. In fact, in the UK alone, 44% of customers will hesitate to do business with a breached entity for several months, and 41% will never return. The benefit of PCI DSS is that it helps to protect your customers’ sensitive data – and the increased security instills confidence in your customers, therefore improving your brand’s reputation.
- Simplifies global regulatory compliance
PCI DSS is one of the only truly globally accepted security frameworks – which means you don’t have to worry about a different country’s security standards if your business operates around the world. This helps you save an immeasurable amount of time and money in ensuring compliance.
- Provides peace of mind for everyone
Your business has plenty of other goals to achieve, concerns to address, and processes to manage, without having to worry about card payment compliance. Therefore, knowing that you’ve taken the correct security measures can help to achieve peace of mind in this area. And with breaches less likely to happen, your customers will appreciate the reassurance too.
What are the levels of PCI compliance?
There are four levels – or tiers – of PCI DSS compliance. The level that applies to you as a merchant depends on the volume of payments you process every year:
- Level 1
Your business processes over 6 million card transactions annually through all channels (card present, card not present, and eCommerce).
- Level 2
Your business processes 1 to 6 million card transactions annually through all channels.
- Level 3
Your business processes 20,000 to 1 million card transactions annually – exclusively via eCommerce.
- Level 4
Your business processes up to 1 million card transactions annually through all channels – and/or does not process more than 20,000 card transactions annually exclusively via eCommerce.
Each level has its own specific requirements – including completing annual reports, undergoing network scans, filling out forms, and answering questionnaires – and you must meet the ones that apply to you.
Most small to medium sized businesses will fall under the level 4 category, however, it’s worth checking with a service provider such as Sage Pay – who can guide you through the process.
What are the consequences of not being PCI compliant?
In addition to the potential fines mentioned earlier in this article, there are several other consequences of not being PCI compliant.
As well as your business’ own penalties, you may have to compensate your clients too with things like credit card monitoring and identity theft insurance. And if you breach a PCI compliance level requirement, you may face additional PCI charges every month – for example, if you are currently classified at Level 4, you might now have to meet Level 1 standards.
However, aside from the obvious financial impact, an even bigger concern is the damage to your business’ reputation and loss of customer trust. In extreme cases, this damage can be irreversible – impacting profits and ultimately preventing business growth. And at the harshest end of the punishment scale, non-compliance could even see your business being barred from accepting cards altogether.
With these consequences in mind, you can clearly see the importance of being PCI DSS compliant – so why not speak to us today to learn how Sage Pay can support you.