Understanding the basics of PCI compliance helps organizations get ready to meet the requirements faster and with less uncertainty. Here’s what you need to know:
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements for merchants and other organizations that handle payment card data. It’s maintained by the PCI Security Standards Council (PCI SSC), a body formed by the major card brands: Visa, Mastercard, American Express, Discover, and JCB.
PCI DSS traces back to the late 1990s, when online shopping took off. As more people bought goods online, payment fraud rose sharply. To tackle it, Visa introduced its own security program for online payments in 2001. Other card brands followed with programs of their own, which left merchants struggling to satisfy several different sets of rules at once.
As payment fraud kept growing, the major card brands (American Express, Discover Financial Services, JCB International, Mastercard, and Visa) joined forces to create a single set of requirements that everyone could follow. The result was the first version of PCI DSS, released in December 2004. The standard has been revised since then to keep pace with new technology and changing payment habits.
To comply, merchants and other organizations must follow specific practices for handling card data safely. PCI DSS groups these into 12 main requirements:
Now that you know what PCI DSS is about, let’s look closer at how companies make sure they’re following the rules.
In 2020, a study by the Federal Reserve Bank of San Francisco found that 27% of payments were made with credit cards, the highest percentage since they started tracking in 2016. Debit cards made up 28%, and cash use dropped to 19% from 26% in 2019. Other payment methods, such as ACH payments, bank account number payments, online banking bill pay, and prepaid cards, made up the remaining 26%.
If your company accepts credit or debit cards, you must comply with the Payment Card Industry Data Security Standard (PCI DSS) to keep customer data safe. This article explains what PCI DSS is and what its requirements mean for protecting your business and your customers.
PCI DSS stands for Payment Card Industry Data Security Standard. It’s a set of security requirements for merchants and other organizations that handle cardholder data. The standard is maintained by the PCI Security Standards Council, a body founded by the major card brands (Visa, Mastercard, American Express, Discover, and JCB). The Council maintains the standard; the card brands themselves enforce compliance.
PCI DSS isn’t a law. It’s a contractual requirement flowing from the card brands to the acquiring banks that process card payments, and from those banks to their merchants. If a merchant fails to comply and suffers a breach, its acquiring bank can be held liable, which gives the bank a strong incentive to enforce compliance among its merchants. Non-compliant merchants may be fined as a result.
In some states, such as Nevada, Minnesota, and Washington, parts of the PCI DSS requirements have been written into state law.
Any business that handles card data, whether a small shop or a large enterprise, must comply with PCI DSS. The number of transactions you process doesn’t change whether the standard applies to you.
Even a small business that processes only 100 card transactions a year is obligated to comply, just like a large corporation processing millions of transactions.
What does differ is how compliance is validated: the way a small business demonstrates compliance is usually lighter-weight than the process a large company goes through.
PCI DSS rules apply to any business that deals with card data, whether they accept, handle, store, or send it. It also applies to any organization that could affect how secure card data is.
There are two main types of businesses under PCI DSS: merchants and service providers. Let’s look at what makes each of them different:
A merchant is any business that takes payments with a card from one of the big five credit card companies: American Express, Visa, Mastercard, Discover, or JCB.
How a merchant validates compliance depends on its merchant level, which is based on the number of card transactions it processes each year. Here are the levels:
A service provider is a business that directly deals with cardholder data on behalf of a merchant, like processing, storing, or sending it. It also includes companies that could affect how secure card data is.
Here are some common examples of service providers:
– Payment processors
– Managed point of sale (POS) providers
– Transaction processors
– Payment gateways
– Web hosting companies
– Third-party marketing firms
– Vendors that maintain POS systems
– Vendors that offer network firewall solutions
Service providers have two compliance levels, based on the number of transactions they handle:
A service provider’s level determines how it must validate compliance.
For instance, a Level 1 service provider must undergo an annual on-site assessment by a Qualified Security Assessor (QSA), whereas a Level 2 service provider need only complete an annual Self-Assessment Questionnaire D (SAQ D).
Data breaches can deal a serious blow to your business and reputation, and sometimes they are fatal. According to research cited by the National Cyber Security Alliance, 60% of small businesses fold within six months of a data breach.
PCI DSS lays out robust security practices aimed at preventing such breaches. Compliance is not optional: it is mandated by the major card brands (Mastercard, Visa, Discover, American Express, and JCB).
Demonstrating compliance signals to your customers that you have strong controls in place to protect the cardholder data you handle. Following PCI DSS helps safeguard your operations and reduces the risk of losing cardholder data.
Here are some more reasons why PCI compliance is important for organizations:
PCI DSS compliance matters because it protects the cardholder data customers entrust to you. As threats evolve, it is your business’s responsibility to put the right security measures in place. PCI DSS gives you concrete guidelines and requirements for doing so, which helps you keep card data secure and gives customers confidence in doing business with you.
Being PCI DSS compliant shows customers that you take the protection of their sensitive data seriously. When customers know their card information is safe with you, they are far more comfortable sharing it.
PCI DSS also gives companies a recognized yardstick for assessing their own security posture. Because the standard demands a solid baseline, including properly configured firewalls, encryption of cardholder data, anti-malware protection, and documented security policies, working toward it makes your business more secure overall.
Meeting these requirements calls for an overall IT security program. That program not only gets you to PCI DSS compliance but also lays groundwork for other security and privacy frameworks such as HIPAA, GDPR, and SOC 2.
PCI DSS compliance involves many ongoing security activities, such as managing vulnerabilities, encrypting cardholder data, and regularly testing systems for weaknesses. Keeping up with them helps your business stay ahead of security problems and lowers the odds of a data breach.
PCI DSS is not itself a statute (although a few states have written parts of it into law), but the major card brands such as Visa, Mastercard, and American Express make compliance a condition of accepting their cards.
PCI DSS compliance is built into the agreements between the card brands and the acquiring banks. If a merchant doesn’t comply, its bank may fine it, and banks may also require merchants to demonstrate compliance before providing merchant services.
Service providers may also be subject to specific PCI DSS requirements, depending on the services they offer to companies that handle card data.
A company that fails to comply risks both fines and a loss of customer trust.
Non-compliance can lead to hefty fines, potentially running to millions of dollars. The exact amount depends on factors such as the size of the business, how many cardholders are affected, and how long and how serious the non-compliance has been.
While payment card companies don’t publicly share details about fines for PCI DSS violations, we can estimate the costs by looking at real data breaches and the settlements that followed. Here are some notable examples:
In 2013, attackers stole data from around 40 million credit and debit cards used at Target stores over the holiday season. An investigation led by the Attorneys General of Connecticut and Illinois found that the attackers had entered Target’s network using credentials stolen from a third-party vendor.
Target agreed to pay $18.5 million to settle claims from 47 states and the District of Columbia. It also paid $10 million to settle a class action lawsuit, along with settlements with the card brands and banks, including:
– $19 million to Mastercard
– $67 million to Visa
– $39.4 million to cover losses and costs for banks and credit unions because of the breach.
Including legal fees, Target reported cumulative breach-related expenses of $292 million in its 2016 annual financial report.
In 2007, TJX disclosed that attackers had accessed about 46 million credit and debit card accounts, with some of the compromised transaction data dating back to 2003. It was later found that at least 94 million accounts were affected.
TJX paid large settlements to the card brands, including $41 million to Visa and $24 million to Mastercard, and settled a multi-state case for $9.75 million.
Adding in other fines and legal costs, the total price tag for the breach was estimated at $256 million.
A card data breach can cost your company a great deal of money. You may have to pay for forensic investigations, legal fees, audits imposed by the Federal Trade Commission (FTC), cardholder notification, customer compensation, and higher fees from banks and payment processors. That’s before counting the loss of customer trust and damage to your brand.
If your company suffers a breach involving cardholder data, the card brands can move you to PCI compliance Level 1 regardless of your transaction volume. Level 1 means a full on-site assessment by a Qualified Security Assessor (QSA).
The card brands do not fine merchants directly for non-compliance. Instead, they fine the acquiring banks that process the merchants’ card transactions, and those banks typically pass the fines on to the merchants.
Merchants can therefore face further penalties from their banks for non-compliance. A bank might raise transaction fees, impose stricter audits, or terminate the relationship altogether. If your merchant account is terminated, you can no longer accept card payments.
Not following PCI rules can lead to more than just fines. Here are some other risks of non-compliance:
– Individuals affected by a data breach might take legal action.
– Your reputation can suffer, leading to fewer sales and less trust from customers.
– You might face losses from fraud.
CyberArrow GRC offers a solution that streamlines PCI DSS compliance by automating the process, making it faster and more efficient. With CyberArrow GRC, organizations can achieve PCI DSS compliance in as little as three weeks, saving time and resources while putting robust security measures in place to protect cardholder data. By automating compliance workflows, CyberArrow GRC helps businesses reduce the risk of non-compliance penalties, legal action, and reputational damage.
Ready to simplify your compliance journey? Schedule a free demo of CyberArrow GRC today!
By eliminating the hundreds of hours of manual effort previously required to maintain compliance reports and certifications, your team can spend more time on its other daily work.