PCI Compliance

What Is PCI Compliance?

If your organization accepts credit card payments, you should be familiar with PCI DSS compliance. No matter your company size, or how many credit card transactions you process, you are required to follow PCI compliance standards. These standards are designed to protect the data shared with you by your customers.

Being PCI compliant also protects your business in the event of a data breach. With the increased focus on data privacy and the new privacy regulations enacted every day, PCI compliance plays a big role in your overall cybersecurity program.

The Basics of PCI

PCI DSS is an acronym for Payment Card Industry Data Security Standard. These rules went into effect in 2006 with the goal of ensuring that credit card data is secured in a uniform way. The five major credit card companies – Visa, MasterCard, Discover, American Express and JCB – set up the PCI Security Standards Council to manage and administer PCI DSS.

For purposes of PCI DSS, any business that accepts credit cards is considered a merchant and is subject to PCI rules and regulations.

Merchant Levels

While every merchant that accepts credit card transactions must be PCI compliant, there are different merchant levels, and different PCI requirements, depending on your annual transaction volume. Each credit card company determines its own exact volume thresholds, but all generally follow these guidelines:

Level 1: More than 6 million transactions per year (online and regular) or any merchant that has had a data breach

Level 2: Between 1 million and 6 million transactions per year (online and regular)

Level 3: 20,000 to 1 million online transactions per year

Level 4: Fewer than 20,000 online transactions per year or up to 1 million regular transactions

Your merchant level determines what your compliance requirements are under PCI DSS. Smaller merchants can submit self-assessments and complete a quarterly scan with an Approved Scanning Vendor (ASV).

Level 1 merchants are subject to more in-depth compliance requirements, including annual third-party audits and network scans. They must also obtain an annual Attestation of Compliance (AOC) and Report on Compliance (ROC).

Security Requirements

In addition to the PCI DSS requirements noted above, there are 12 security goals every merchant must meet to be considered PCI compliant.

  1. Install and maintain a firewall to protect cardholder data.
  2. Do not use vendor-supplied defaults for passwords or other security parameters.
  3. Provide multiple layers of security defenses to protect stored data.
  4. Encrypt all data transmissions.
  5. Use and update anti-virus software or programs.
  6. Use secure systems and applications, including training your developers in secure coding practices.
  7. Limit access to credit card data to only those employees who need it.
  8. Give each person with access to cardholder data their own access ID.
  9. Restrict physical access to cardholder data.
  10. Monitor all access to network resources and card data.
  11. Regularly test security systems and processes.
  12. Create and maintain a security policy.

While meeting PCI requirements can seem like a time-consuming and sometimes daunting task, not being PCI compliant can be devastating to your organization.

Not only could you be required to pay hundreds of thousands of dollars in fines, you could also see your card transaction rates increase. Your ability to do business with card processors could also be damaged.

If all that isn't enough, failing to be PCI DSS compliant can make your company more vulnerable to cyberattacks and data breaches. Add in the potential for GDPR and other privacy compliance requirement violations, and you could face even more fines and fees.

Becoming PCI compliant is an integral part of securing your organization and protecting not just credit card data but your organization as a whole.

To learn more about PCI compliance, check out our four-part series on strategies that go beyond just ticking the compliance box to strengthen the overall security posture of your organization.