PCI DSS (the Payment Card Industry Data Security Standard) is a set of security requirements established by the five major card brands (Visa, MasterCard, Discover, American Express, JCB) to reduce costly breaches of consumer and bank cardholder data.
Around 2006 the role of technology in the workplace changed drastically as the Internet became a vital tool for success to businesses of all sizes. Companies began pushing their products online to increase revenues through various ecommerce platforms.
However, as consumers grew more comfortable paying by card through online payment applications, the exposure to a data breach increased drastically because cardholder data was now being transmitted and stored on systems reachable from public networks.
In response, the card brands formed the Payment Card Industry Security Standards Council (PCI SSC) and published the industry's data security standard, PCI DSS. Its requirements define how businesses must accept, store, process, and transmit card data during a transaction, with the goal of preventing fraud and data breaches in payment systems and gateways.
Is PCI compliance a law?
The simple answer is no. While some states have laws that incorporate components of the PCI Data Security Standard, there is no federal law that requires compliance with it.
Even though there is no federal law mandating PCI DSS, if your business accepts debit or credit cards from any of the five card brands named above, you must abide by the PCI security standards as a condition of your merchant agreement. Failing to do so can result in fines of roughly $5,000 to $100,000 per month, levied by the card brands on your acquiring bank. The bank will typically pass this cost on to your merchant account, and may terminate the contract or raise transaction fees in response to breaches and violations.
Other consequences of noncompliance include increased risk to your business's and your customers' financial information, fraud losses, loss of the ability to accept cards at all, and a drop in sales as customers lose confidence.
Who is responsible for PCI compliance?
Each individual business is responsible for its own PCI compliance. The PCI Security Standards Council created the PCI DSS Self-Assessment Questionnaire (SAQ), which eligible merchants use to self-validate their compliance.
A merchant processing over 6 million credit or debit card transactions annually (a Level 1 merchant) must undergo an annual onsite assessment by a Qualified Security Assessor (QSA). It is also common for Level 2 and Level 3 merchants to commission an assessment, because their environments are too large to validate efficiently on their own.
For small merchants, these services may be paid for by the acquiring bank as part of its compliance program, or the bank may leave the merchant to arrange it. Either way, it is up to you to decide whether to commission a PCI DSS compliance audit. The audit can be performed by external or internal security assessors and confirms that your systems and applications are secure. But if you process fewer than 20,000 Visa or MasterCard transactions per year, paying for an onsite audit most likely does not make sense.
Money spent on internal security is rarely wasted. Network resources are becoming an essential part of a collaborative work environment, but that also means company information is easier to reach and therefore more at risk of being stolen. To remain PCI DSS compliant, your company needs the proper internal controls in place on its systems and processes.
How to Comply with PCI DSS
While there is no such thing as a "PCI certification", sellers, service providers, financial institutions, and organizations of all sizes still need to demonstrate that they are PCI compliant.
For merchants eligible to self-assess, the PCI DSS Self-Assessment Questionnaire is the validation document, and it must be completed and submitted each year. It consists of a series of yes-or-no questions for each applicable PCI Data Security Standard requirement.
The payment security landscape is not limited to remote attackers. Because so much of the standard focuses on the digital realm, many business owners overlook the risk of physical access to cardholder data.
Physical access to devices and systems that hold cardholder data should be restricted (PCI DSS Requirement 9 covers this). Without such controls, it is easy for anyone, including employees, to get hold of sensitive data.
With so many rules and stipulations, maintaining PCI compliance can be complicated. Many companies therefore have staff trained and certified through the Council's Internal Security Assessor (ISA) program, which is open to employees of an ISA sponsor company.
Employees who complete this training can serve as an in-house resource on PCI Data Security Standard requirements, application security, and the handling of stored cardholder data.