If your organization accepts credit card payments, you should be familiar with PCI DSS compliance. No matter your company size, or how many credit card transactions you process, you are required to follow PCI compliance standards. These standards are designed to protect the data your customers share with you.
Being PCI compliant also protects your business in the event of a data breach. With the increased focus on data privacy and new privacy regulations enacted every day, PCI compliance, and PCI developer training, plays a big role in your overall cybersecurity program.
The Basics of PCI
PCI DSS is an acronym for Payment Card Industry Data Security Standard. These rules went into effect in 2006 with the goal of ensuring that credit card data is secured in a uniform way. The five major credit card companies (Visa, MasterCard, Discover, American Express and JCB) set up the PCI Security Standards Council to manage and administer PCI DSS.
For purposes of PCI DSS, any business that accepts credit cards is considered a merchant and is subject to PCI rules and regulations.
While every merchant that accepts credit card transactions must be PCI compliant, there are different merchant levels, and different PCI requirements, depending on your annual transaction volume. Each credit card company determines its own exact volume thresholds, but all generally follow these guidelines:
- Level 1: More than 6 million transactions per year (online and regular), or any merchant that has had a data breach
- Level 2: Between 1 million and 6 million transactions per year (online and regular)
- Level 3: 20,000 to 1 million online transactions per year
- Level 4: Fewer than 20,000 online transactions per year, or up to 1 million regular transactions
Your merchant level determines your compliance requirements under PCI DSS. Smaller merchants can submit self-assessments and complete a quarterly scan with an Approved Scanning Vendor (ASV).
Level 1 merchants are subject to more in-depth compliance requirements, including annual third-party audits and network scans. They must also obtain an annual Attestation of Compliance (AOC) and a Report on Compliance (ROC).
There are 12 security goals every merchant must meet to be considered PCI compliant.
- Install and maintain a firewall to protect cardholder data.
- Do not use vendor-supplied defaults for passwords or other security parameters.
- Provide multiple layers of security defenses to protect stored data.
- Encrypt all data transmissions.
- Use and update anti-virus software or programs.
- Use secure systems and applications, including secure coding training for your developers.
- Limit access to credit card data to only those employees who need it.
- Give each person with access to cardholder data their own access ID.
- Restrict physical access to cardholder data.
- Monitor all access to network resources and card data.
- Regularly test security systems and processes.
- Create and maintain a security policy.
While meeting PCI compliance requirements can feel like a time-consuming and sometimes daunting task, not being PCI compliant can be devastating to your organization.
Not only could you be required to pay hundreds of thousands of dollars in fines, but you could also see your card transaction rates increase. Your ability to do business with card processors could also be damaged.
If all that isn't enough, failing to be PCI DSS compliant can make your company more vulnerable to cyberattacks and data breaches. Add in the potential for GDPR and other privacy compliance requirement violations, and you could face even more fines and fees.
Becoming PCI compliant is an integral part of securing your organization and protecting not just credit card data but your organization as a whole.
To learn more about PCI compliance and the importance of PCI developer training, check out our four-part series. It offers in-depth strategies to take you beyond checking the compliance box and strengthen the overall security posture of your organization.