Planet

What is PCI compliance?

PCI compliance refers to implementing and maintaining the data security requirements set out by the Payment Card Industry Data Security Standard (PCI DSS). This set of rules is specifically designed to protect sensitive cardholder data when processing card transactions.

PCI DSS is managed and overseen by the PCI Security Standards Council (PCI SSC), a body made up of five of the world’s largest payment card brands: Mastercard, Visa, American Express, Discover, and JCB International.


PCI compliance, at a glance:

  • PCI DSS requirements apply to any entity that processes, transmits, or stores sensitive cardholder data and/or account information.
  • Although the PCI DSS is not a law, merchants that fail to comply increase the risk of data breaches and face severe penalties from credit card companies.
  • To monitor and maintain PCI DSS compliance, many companies either employ an in-house compliance expert or work with a third-party compliance services firm.
  • Maintaining PCI DSS compliance involves routine auditing, either through self-assessment questionnaires or on-site assessments by a qualified assessor.
  • Larger companies that process a higher volume of annual card transactions are subject to more stringent auditing and testing than smaller businesses with fewer than 1 million transactions per year.

Further reading: PSD3: what is it and what is the difference with PSD2?

Key components of PCI compliance
To whom does PCI compliance apply?
PCI DSS applies to all companies and organisations that handle cardholder data and/or other sensitive information influencing cardholder data security. This includes:

  • Merchants that accept card payments either in-person or online
  • Payment processors like Square or PayPal
  • Card networks like Visa and Mastercard
  • Issuing banks (i.e., the customer’s bank)
  • Acquiring banks (i.e., the merchant’s bank)

Types of data applicable
Any entity that processes, transmits, or stores the following information is subject to the requirements set out in the PCI DSS:

  • Cardholder data (CHD)
    • Primary account number (PAN)
    • Cardholder name
    • Expiration date
    • Service code
  • Sensitive authentication data (SAD)
    • Magnetic stripe or chip data
    • Card verification code
    • PINs/PIN blocks

Objectives and requirements
The PCI DSS is continually assessed and updated as technology advances and cardholder behaviour changes. As explained in the PCI DSS v4 Quick Reference Guide (PDF), PCI DSS has six key goals. For each goal, PCI DSS specifies what’s required in order to achieve that goal.
 
The goals and requirements are as follows:
 
1. Build and maintain a secure network and systems

  • PCI DSS requirement: Install and maintain network security controls
  • PCI DSS requirement: Apply secure configurations to all system components

2. Protect account data

  • PCI DSS requirement: Protect stored account data
  • PCI DSS requirement: Protect cardholder data with strong cryptography during transmission over open, public networks

3. Maintain a vulnerability management program

  • PCI DSS requirement: Protect all systems and networks from malicious software
  • PCI DSS requirement: Develop and maintain secure systems and software

4. Implement strong access control measures

  • PCI DSS requirement: Restrict access to system components and cardholder data by business need to know
  • PCI DSS requirement: Identify users and authenticate access to system components
  • PCI DSS requirement: Restrict physical access to cardholder data

5. Regularly monitor and test networks

  • PCI DSS requirement: Log and monitor all access to system components and cardholder data
  • PCI DSS requirement: Test security of systems and networks regularly

6. Maintain an information security policy

  • PCI DSS requirement: Support information security with organisational policies and programs

While these requirements are theoretically easy to understand, implementing them can be complex and typically requires a thorough understanding of data security practices. You can read the PCI DSS in its entirety by visiting the PCI DSS document library on the PCI Security Standards Council’s website.


How can companies stay PCI compliant?
Dedicated compliance personnel
One of the best ways companies can stay on top of PCI DSS requirements and remain compliant as regulations change is to assign an expert or team to oversee cardholder data security.

  • In-house compliance personnel - Larger companies may choose an employee or in-house team to manage PCI DSS compliance. These employees are commonly known as IT Security Managers, Compliance Officers, or Information Security Analysts. Having in-house expertise is particularly beneficial for big companies with large volumes of monthly card transactions and more stringent auditing criteria.
  • Outsourced compliance services - Many companies choose to outsource PCI DSS compliance to external organisations that specialise in monitoring and implementing payment security requirements. Working with a third-party compliance firm is particularly beneficial for smaller businesses that don’t have the resources for an in-house IT security team.

Routine auditing
Whether through an in-house team or a third-party firm, conducting regular PCI DSS audits is essential to maintaining compliance. Thorough auditing helps pinpoint potential weak points in the payment processing journey and allows companies to install safeguards before a breach occurs.

The type of audit required under PCI DSS depends on the merchant’s compliance level. Compliance level criteria are subject to change over time. They can vary depending on the card network involved, but levels are primarily determined by the volume of card transactions processed yearly.

  • Compliance level 1: Companies with more than 6 million annual card transactions
    • Audit requirements:
      • Annual on-site assessment by a Qualified Security Assessor (QSA)
      • Quarterly network scans
      • Penetration testing by a QSA or Internal Security Assessor (ISA)
  • Compliance level 2: Companies with 1-6 million annual card transactions
    • Audit requirements:
      • Annual self-assessment questionnaire (SAQ) or on-site assessment by a QSA (depending on the acquirer)
      • Quarterly network scans
      • Penetration testing by a QSA or ISA (if applicable)
  • Compliance level 3: Companies with 20,000-1 million annual card transactions
    • Audit requirements:
      • Annual self-assessment questionnaire (SAQ)
      • Quarterly network scans
  • Compliance level 4: Companies with fewer than 20,000 annual card transactions
    • Audit requirements:
      • Annual self-assessment questionnaire (SAQ)
      • Quarterly network scans

Vendor oversight
To maintain PCI DSS compliance, a company doesn’t just need to examine and safeguard its own data handling but also that of any third party that handles cardholder data on its behalf. A company is responsible for verifying the PCI DSS compliance of its payment gateway provider, cloud service provider, e-commerce platform, and any other organisation that transmits, processes, or stores its customers’ payment data. Although often overlooked, establishing a comprehensive vendor oversight process is essential to PCI DSS compliance.


Penetration testing
The only way to truly verify whether a company’s payment system stands up to the rigours of PCI DSS is to test it. Penetration testing, conducted by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA), is mandatory for Level 1 companies and, depending on the merchant’s acquiring bank, some Level 2 companies as well.
 
Testing involves simulating real-world scenarios, such as phishing scams or malware attacks, to identify any security gaps. This type of testing is sometimes referred to as “ethical hacking,” as it replicates the behaviour of a hacker, but with the positive intention of preventing future security breaches.

Further reading: What is penetration testing?

Failure to comply with PCI DSS
PCI DSS is a global standard, not a law. However, failing to comply with PCI DSS requirements can result in severe consequences for businesses. PCI DSS is enforced through contracts between merchants, their banks, and the payment processors merchants use to accept customer card payments. These contracts lay out strict penalties for PCI DSS non-compliance, the severity of which varies depending on the institution involved and the nature of the breach.


Fines
Businesses that fail to comply with PCI DSS regulations face large fines from card networks like Visa, Mastercard, and American Express. These fines can range from thousands to millions of dollars, depending on the card brand, the severity of the breach, the merchant’s compliance level, and the duration of non-compliance. Fines are often issued on a monthly basis until the compliance issue is resolved.


Withdrawal of card processing services
Companies that experience large-scale security breaches or fail to correct compliance issues in a timely manner can face having their card processing services suspended or even withdrawn completely. Losing the ability to accept card payments can have a drastic and devastating impact on business.


GDPR penalties
Although PCI DSS is not a law, businesses can still encounter legal penalties for non-compliance. One example of this is the United Kingdom and European Union’s General Data Protection Regulation (GDPR), under which companies face significant consequences of up to £17.5 million (€20 million) or 4% of turnover (whichever figure is higher) for data breaches.


Fraud, lawsuits, and reputation damage
In addition to the financial and operational penalties listed above, failure to comply with PCI DSS can lead to increased data theft and fraud experienced by customers. This can lead to expensive lawsuits from customers and a general loss of trust in the brand, resulting in fewer sales and a downturn in revenue.

FAQs

What type of businesses need to comply with PCI DSS?
Any company or organisation that transmits, processes, or stores cardholder data (CHD) and sensitive authentication data (SAD) must comply with PCI DSS requirements. This includes merchants that accept card payments both in person and online.

Cardholder data refers to the cardholder's name, primary account number (PAN), expiration date, and service code. Sensitive authentication data refers to magnetic stripe or chip data, card verification code, and personal identification number (PIN).


How is PCI DSS enforced?
PCI DSS is enforced by the card networks (e.g. Mastercard, Visa, American Express, etc.), which impose fines and penalties for non-compliance. When a merchant enters into a contract with a card company in order to accept card payments, they will typically agree to remain PCI DSS compliant. Should the company breach PCI DSS requirements, it may be subject to thousands or tens of thousands in monthly fines.

The severity of the penalty will depend on the nature of the breach and how long the company has remained non-compliant. Egregious PCI compliance failures can lead to the complete withdrawal of card payment services, eliminating a merchant’s ability to accept customer card payments.


How can I tell if my business is PCI DSS compliant?
Although PCI DSS's objectives are straightforward, implementing and monitoring data compliance can be much more complex and technical. For this reason, many merchants either employ a dedicated compliance officer or hire an external compliance firm to oversee PCI DSS requirements.
 
An audit is the main way a company can determine whether it’s PCI DSS compliant. Audits are a requirement of PCI DSS, with the type of audit dependent on the company’s “compliance level.” Companies that process very high volumes of card transactions per year may be subject to an on-site audit, either by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA). Companies with lower annual transaction volumes are required to complete a self-assessment questionnaire (SAQ).


What are some of the most common PCI compliance violations?

Without a dedicated person or team overseeing PCI DSS, companies can quickly fall out of step with the latest PCI requirements. This negligence leads to compliance violations, some of the most common being:

  • Improper intake and storage of cardholder data (e.g., customer card details in paperwork stored on-site or accepted via an unencrypted web form)
  • Failure to install security patches and update software (e.g., POS terminals running on an outdated operating system)
  • Weak customer and employee account passwords
  • Failing to validate the PCI compliance of third-party vendors

In addition to the actual compliance violations, many companies also fail to keep up with the paperwork, testing, and auditing required annually by PCI DSS. 


Where can I learn more about PCI DSS compliance?
The PCI Security Standards Council’s website (pcisecuritystandards.org) is the most up-to-date and thorough resource for all components of PCI DSS compliance. It includes:
