In an age where consumers and businesses alike take their financial security more seriously than ever, there is no better way to build trust in your brand than PCI compliance. Here, we'll explain what that is and show you how to achieve it.
What is PCI compliance?
PCI stands for Payment Card Industry. You may also see the term PCI DSS, which stands for Payment Card Industry Data Security Standard. It is an information security standard mandated by all major card brands, including VISA, Mastercard, American Express, and UnionPay, and administered by the Payment Card Industry Security Standards Council. The standard was created to increase security around cardholder data with the ultimate goal of reducing credit card fraud.
There are four levels of compliance under the PCI DSS, with Level 4 being the lowest and Level 1 the highest.
This applies to merchants that process up to 20,000 VISA or Mastercard transactions per year, or up to 1 million total VISA or Mastercard credit card transactions and have not suffered a data breach or attack that compromised card or cardholder data. Typically, Level 4 merchants must complete a Self-Assessment Questionnaire and have an Approved Scanning Vendor conduct quarterly network scans.
There are four criteria, meeting any of which will categorise your organisation as a PCI Level 3 merchant:
- Process between 20,000 and 1 million VISA e-commerce transactions every year
- Process 20,000 Mastercard e-commerce transactions annually, but less than or equal to 1 million total Mastercard transactions in that same period
- Process between 20,000 and 1 million Discover e-commerce transactions annually
- Process fewer than 50,000 American Express transactions annually
Level 3 merchants are required to validate their PCI status in the following ways:
- Annual Self-Assessment Questionnaire
- Quarterly network scan by an Approved Scan Vendor
- Attestation of Compliance form
Merchants that process between 1 and 6 million VISA, Mastercard and Discover transactions per year qualify are classed as PCI Level 2. This also applies to merchants who process between 50,000 and 2 million sales via American Express, and fewer than 1 million JCB International credit card transactions.
Level 2 PCI merchants don't need a yearly on-site audit by a Qualified Security Assessor or resulting Report on Compliance to demonstrate PCI DSS compliance (these are reserved for Level 1 entities need the audit).
Level 1 merchants are subject to the most stringent requirements. While it's true that businesses who process a large number of transactions are classified as Level 1, it isn't the only criteria. Any merchant or service provider who suffers a compromise of credit card or cardholder data must also meet these requirements regardless of how many payment card transactions they process, store or transmit. As with Level 3, merchants need only meet one of the following criteria to qualify as Level 1:
- Processes 6 million or more VISA, Mastercard, or Discover transactions annually
- Processes 2.5 million or more American Express transactions annually
- Processes 1 million or more JCB transactions annually
- Has suffered a data breach or cyberattack that resulted in a compromise of cardholder data
- Has been identified by another card issuer as Level 1
If any of the above criteria are met, companies must perform a series of actions to validate their compliance with the PCI DSS. These are:
- An annual report on compliance (ROC) by a qualified security assessor or internal security assessor
- A quarterly network scan by an approved scan vendor (ASV)
- Submission of completed Attestation of Compliance form
Finally, merchants must report the audit results to their "acquiring bank", defined as an "entity, typically a financial institution, that processes payment card transactions for merchants and is defined by a payment brand as an acquirer. Acquirers are subject to payment brand rules and procedures regarding merchant compliance."
Why should I ensure that my business is PCI compliant?
Customers rely on you to handle their sensitive data with the utmost care. They trust that their payment details are processed and transmitted securely, and that the items they receive are the the items they purchase. PCI compliance is an internationally recognised standard for secure payments that builds and protects your business's reputation.
Processing and storing sensitive customer data comes with a number of key considerations. When PCI compliant, businesses are subject to more stringent regulations regarding the strength of their firewalls and data encryption. Likewise, they are not permitted to retain cardholder details. By sticking to these rules, you'll make it much more difficult for cyber-criminals to gain unauthorised access to your network. And even if they do manage it, there won't be any sensitive data for them to find.
As previously stated, PCI compliance is an internationally recognised data security standard. By achieving it, your business will join the ranks of other companies around the world who are just as committed to data security as you are.
In order to be PCI compliant, you need to have multiple layers of security. A lack of firewalls, or improperly configured ones, can leave your business wide open to cyber attacks and puts not only your customers' data at risk, but that of your all your stakeholders as well. So, make sure your cyber security is in tip-top condition. You also need to ensure your IT security strategy continuously develops and threats become apparent. Keep an eye out on your own network for vulnerabilities and potential backdoors. Remember: there's no such thing as bug-free software - with each software update comes the potential for new vulnerabilities cyber-criminals can (and will) exploit.
Regardless of which level you need to meet when achieving PCI compliance, you'll need to take important steps to protect consumer data. Some of the basic requirements of PCI compliance require taking action to limit the amount of sensitive data that you store. This dovetails well with the rules set out by the General Data Protection Regulations (GDPR).
How do I become PCI compliant?
1. You should see this screen. Click on the "Manage" button circled in red in the screenshot below.
3. Finally, move onto Tidypay's security assessment.