What Is PCI Compliance?


If you are a business owner who wants the ability to accept credit card payments, you have probably stumbled across the term “PCI compliance” in your research. You probably already know that PCI compliance is important, and that it has something to do with protecting your customers’ credit card data. Considering the fines associated with PCI non-compliance–up to $100K–as well as the cost of data breaches in general–an average of $3.86 million in the U.S.–PCI compliance is indeed important from a moral as well as a financial standpoint. Fortunately, the requirements for PCI compliance are clearly laid out so that business owners can follow them. The ultimate goal of PCI compliance is the protection of credit card data for everyone.

History of PCI Compliance

In 2006, the five major credit card brands–Visa, MasterCard, Discover, American Express, and JCB (Japan Credit Bureau)–formed the Payment Card Industry Security Standards Council (PCI SSC) with the goal of standardizing data security regulations across the credit card industry. For years, each brand had operated its own, sometimes conflicting, data security compliance program. The council therefore developed the Payment Card Industry Data Security Standard (PCI DSS), a single standard that all five brands agreed to administer.

What Is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of twelve requirements that every company that accepts, processes, stores, or transmits credit, debit, or prepaid card information must observe, regardless of its size or transaction volume. These twelve requirements are grouped under six goals laid out by the PCI SSC. They are as follows:

Goals, each followed by its requirements (numbered 1 through 12):

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel

Taken from: pcisecuritystandards.org.

What Is PCI Compliance?

Compliance with PCI DSS means meeting the twelve requirements listed above, and it is the sole responsibility of any company that accepts, processes, stores, or transmits credit, debit, or prepaid card information. Compliance is enforced by the five major credit card brands and by the company’s bank. To satisfy these requirements, companies must annually:

  1. Determine which level of merchant they are based on their transaction volume*
  2. Either receive an audit from a Qualified Security Assessor (QSA) or take a Self-Assessment Questionnaire (SAQ) depending on the results of step 1
  3. Pass a quarterly vulnerability scan from an Approved Scanning Vendor (ASV)
  4. Complete an Attestation of Compliance (located in the SAQ)
  5. Submit their completed SAQ, evidence of passing their vulnerability scans, Attestation of Compliance, and any additional, requested documentation to their bank

*According to Visa, merchant levels are determined using the metrics below:

Merchant level, description, and required assessment (QSA audit or SAQ):

Level 1: Merchants processing over 6 million Visa transactions annually across all channels, or global merchants identified as Level 1 by any Visa region. Assessment: QSA audit, or SAQ completed by an Internal Security Assessor (ISA).
Level 2: 1 to 6 million Visa transactions annually across all channels. Assessment: SAQ.
Level 3: 20,000 to 1 million Visa e-commerce transactions annually. Assessment: SAQ.
Level 4: Merchants processing fewer than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually. Assessment: SAQ.

If a company is found to be non-compliant, a credit card brand may fine the company’s bank from $5K to $100K per month. The bank will likely pass this fine along to the company, and may also terminate its relationship with the company and/or increase the company’s transaction fees.

All of the information a company needs to ensure PCI compliance can be found through the Payment Card Industry Security Standards Council. Compliance with the Payment Card Industry Data Security Standard is something that every company that wants the ability to accept credit card payments must achieve for the protection of its customers. If you are ready to get started processing credit cards with PCI compliance in mind, partner with Cornerstone Credit Services as your merchant services provider. At Cornerstone, we are committed to protecting you, your company, and your customers against data attacks. We will have you up and running securely in no time!
