If your company accepts credit cards or debit cards as payment for goods or services, you need to be compliant with Payment Card Industry Data Security Standards (PCI DSS). The most recent Nilson report quantified the total global losses due to credit card fraud in 2019 to be 28.65 billion dollars. FICO’s investigations show that, while credit card companies have tightened their security systems during COVID-19, credit card fraud continues to be a huge problem. Those committing fraud and coordinating phishing attacks are becoming increasingly creative and technically savvy, leading companies to devote extra resources to strengthening security during COVID-19. PCI compliance is crucial for maintaining relationships with your payment card brands and acquiring banks, avoiding hefty non-compliance fees, and protecting your clients’ payment information. Read on to learn how to be PCI compliant — we’ll cover the basics about PCI compliance and present you with a simple 9-step guide for becoming and staying compliant.
What Does It Mean to Be PCI Compliant?
PCI compliance is compliance with the Data Security Standards (DSS) set by the Payment Card Industry Security Standards Council (PCI Council). The PCI Council is a coalition of the five largest credit card companies (American Express, Discover Financial Services, JCB International, Mastercard and Visa); the council originally convened to combat credit card fraud in the early 2000s when online purchases were just becoming the norm. PCI DSS was created in December, 2004 to help standardize practices around the treatment of cardholder data and to strengthen cybersecurity protections whenever a consumer’s credit card information was transmitted, processed, or stored. PCI DSS has aimed to stay up to speed with new cybersecurity issues as they have arisen and has followed the evolution of mobile transactions, contactless payment, virtual cards, and more. The PCI Council is not responsible for monitoring compliance; payment card brands individually determine how to handle non-compliance.
Who Is PCI Compliance for?
Any organization that will be accepting payment via credit card, will be processing customers’ personal payment information, or storing credit card data needs to be PCI compliant. If you accept credit cards for payment for goods or services directly, through mobile card processors like Square or Clover, or through POS platforms like Toast, you would benefit from a thorough review of your payment card practices and regular audits assessing your PCI compliance.
How to Become PCI Compliant: 9 Steps You’ll Need to Follow
Understanding how to be PCI compliant does not have to be overwhelming, but the details will differ depending on the size and context of your organization. Here is a basic 9-step guide to becoming and staying PCI compliant:
Step #1: Determine Your PCI Compliance Level
PCI has determined different levels depending on how many credit card transactions a company handles annually. You’ll want to determine your organization’s level before beginning PCI compliance assessments, because the level will determine whether your organization qualifies for any of the self-assessment questionnaires (see step 3) and what actions need to be taken to become PCI compliant. The levels are as follows:
- Level 1: Over 6 million transactions annually.
- Level 2: 1 to 6 million transactions annually.
- Level 3: 20,000 to 1 million e-commerce transactions annually.
- Level 4: Fewer than 20,000 e-commerce transactions annually or any merchant processing up to 1 million visa transactions annually.
It’s notable that American Express uses different transaction numbers to delineate their PCI levels, and defines a Level 1 merchant, for example, as processing over 2.5 million American Express card transactions annually.
Step #2: Create a PCI Compliance Team
Convene a PCI DSS committee or team designated to keep track of your organization’s PCI compliance needs. Designate members of the committee to take on different PCI DSS compliance roles, like PCI compliance project manager; since the payment cards industry has so many facets, take an interdepartmental approach. Involve staff from the IT team, data security, finance, and legal; a group with diverse perspectives will develop a robust understanding of PCI compliance together.
Step #3: Complete the Self-Assessment Questionnaire
Depending on the size of your company, you may want to start out with a self-assessment questionnaire (SAQ) — PCI offers a chart that outlines which questionnaire to take depending on how your company processes card payments. Some larger organizations will not qualify for the self-assessment and instead need to use a third-party audit to show compliance. The SAQ or third-party audit will culminate in documentation that can be submitted to payment card brands to demonstrate PCI compliance or a plan to achieve compliance.
Step #4: Secure Your Network
A firewall ensures that there is a secure boundary between transactions and communications internal to your organization and those that originate outside of the organization. Installing a firewall — and making sure all card readers and third-party vendors have firewalls in place — is a crucial step to preventing data breaches. Some credit card processors come with a pre-installed firewall, but are careful to acknowledge that merchants are ultimately responsible for ensuring their own PCI compliance. Don’t assume your organization is PCI compliant just because your partners or service providers are.
Step #5: Strengthen Passwords
Ensure all passwords are changed from defaults automatically generated upon the creation of accounts, and that your operating system only allows users to create passwords that adhere to IT best-practices. If you’re looking for solid standards on password creation, the National Institute for Standards and Technology (NIST) has updated their password standards for 2021.
Step #6: Implement Access Controls
Only employees and partners who absolutely need to access credit card data should have it. Cardholder data should only be available through certain devices and user accounts, and all access should be properly authenticated. Employees should each have unique user IDs to log-in to your IT system; log their activity and restrict access to employees who are directly involved in managing credit card transactions and accounting.
Step #7: Encrypt Cardholder Data
Cardholder data should always be encrypted when it is being transmitted — either internally or externally. Your company should invest in proper encryption tools when charting how to prevent cybersecurity breaches; the right tools will ensure that card numbers cannot be identified when the data is in motion. PCI doesn’t endorse any particular product, but does offer a search tool for finding point-to-point encryption (P2PE) solutions.
Step #8: Protect Stored Data
In PCI Compliance, cybersecurity specialists Anton A. Chuvakin, Branden R. Williams, and Derek Milroy joke that the best way to protect your cardholders’ data is not to store it at all. However, if you are storing credit card data, whether that’s for their own future purchases or short-term accounting needs, make sure that data is locked down. Protecting stored data includes taking measures to protect access to physical devices and servers, regularly monitoring firewalls, and keeping close watch for any suspicious activity on network logs.
Step #9: File Paperwork with Payment Card Brands
As part of the SAQ process, PCI automatically generates an Attestation of Compliance (AoC). An AoC can be used to demonstrate to credit card companies and banks that you have taken the proper steps to ensure PCI compliance. If you are audited by a third-party Qualified Security Assessor, they will prepare a Report of Compliance (RoC) to share with credit card companies and banks. All major credit card companies require sellers and vendors to maintain PCI compliance and assess a monthly or annual fee to cover the costs of compliance from their end.
How Much Does It Cost to Be PCI Compliant?
The cost of maintaining PCI compliance is very little compared to the costs of being non-compliant, but it can still be a pricey endeavor. The costs will depend upon the size of your organization and your PCI level. The credit card companies and banks that you partner with typically assess an annual or monthly PCI compliance fee, which will be approximately $10 per month ($120 per year), and the costs for audits will depend on whether your company is eligible for the self-assessment questionnaire (SAQ). For smaller organizations, PCI compliance costs can be as low as $1000 per year and for larger, more complex organizations with a higher number of credit card transactions per annum, costs can be in the tens of thousands. PCI compliance fees are used by payment card brands to help merchants maintain compliance, mitigate data breaches when they do occur, and contribute to the development of PCI DSS.
What Happens If I Don’t Comply with PCI DSS?
While PCI compliance can be costly, it is much less than the costs of a data breach. According to a 2020 report by the Center for Strategic International Studies (CSIS) and McAfee, cybercrime cost companies upwards of 1 trillion dollars in 2020. Credit card fraud and credit card data breaches are extremely costly to both providers and consumers — Equifax settled its 2017 cardholder data breach for $575 million with the FTC, Consumer Financial Protection Bureau and 50 US states. While your organization is unlikely to face a data breach of this magnitude, IBM estimates the average cost of a data breach to be $3.86 million dollars.
Even if you avoid a data breach, PCI non-compliance will cost your company money. Depending on the non-compliance fees of the particular payment card brand, the period of non-compliance, and your PCI level, the fees can be significant. American Express, for example, states that data incidence non-compliance could cost a company a fee “not exceeding $100,000 a month.” Visa states that the merchant’s acquiring bank is responsible for any PCI non-compliance fees and penalties; however banks typically pass the fine along until it still becomes the responsibility of the merchant. Penalties can also prevent your organization from processing card payments and your acquiring bank may sever ties. Vendors, banks, and customers may also lose trust in your company — that lost trust can lead to lost customers, lost partnerships, and lost profits. Ultimately, it pays to know how to be PCI compliant.
Bottom Line: Start Getting Help Today
Learning how to be PCI compliant can be challenging, especially if your organization hasn’t started the process or finds itself scaling up and entering a higher PCI compliance level. It helps to invest in software that keeps track of the details, freeing up time and resources for the decisions that are most important to your company. AuditBoard’s compliance software can help you keep track of your SAQs, audits, and documentation, as well as PCI compliance fees and schedules. Get started with our compliance management software today to streamline your PCI compliance journey, make sure you’re keeping track of fees, minimizing your costs, and protecting your clients’ credit card data.
