Is PCI Compliance required
Online merchants often wonder: is PCI compliance required? In this article, we'll explain why it is such a vital consideration for every online (and offline) merchant.
Is PCI compliance required for your business?
Online shopping offers numerous advantages to consumers, such as time savings, convenience, and lower prices compared to in-store purchases. Despite the benefits, online shopping carries a high risk of data breaches, and in particular of payment card data theft. This requires online merchants to adopt a data protection strategy supported by suitable technical controls and data security features, so that they can offer their clientele a safe transaction process. So is PCI compliance required for you as a merchant? Below we outline how to become PCI compliant and why we believe it is essential for your business.
Understanding PCI compliance
What is PCI compliance? PCI DSS stands for Payment Card Industry Data Security Standard and refers to a set of requirements that must be followed by companies which store, process, or transmit credit card data. An online merchant has the option to either store cardholder data on their own servers or partner with a PCI compliant payment provider which covers this function. The less involvement a merchant has with card data, the smaller their PCI DSS scope and the less strict the requirements they must meet.
Who needs to be PCI compliant
Any merchant who accepts credit card payments is required to be PCI compliant, regardless of the size of the company and the volume of transactions. However, the volume of transactions that the merchant processes per year will define the compliance level for the particular business. Specifically, there are four levels of compliance – level 1, level 2, level 3, and level 4.
Merchants who process a small number of transactions annually will probably fall into the level 4 category, whereas large corporations that process millions of credit card transactions per year will fall into level 1. Based on the way that merchants process, store, or transmit cardholder data, they must either fill in the designated Self-Assessment Questionnaire (SAQ) or undergo an audit of their systems performed by a Qualified Security Assessor (QSA), a process usually required for level 1 businesses.
The difficulties that arise for those who are not PCI compliant
As a merchant, you may wonder ‘Do I need to be PCI compliant?’ and what the disadvantages are for companies that are not compliant. Merchants who do not meet the PCI DSS requirements face various threats to their business. Most importantly, a data breach will result in huge fines for the company, calculated based on a number of factors including: how many PCI DSS requirements were violated, the volume of transactions, and how long the merchant remains non-compliant.
A major consequence for companies that do not take proactive measures to prevent data breaches is the risk of losing their right to process card payments, which can paralyze an online business by rendering it unable to make any sales. Apart from the negative financial outcomes, a data breach will damage the reputation of a company and drive consumers away. Therefore the answers to the questions ‘Is PCI compliance required?’ and ‘Who has to be PCI compliant?’ are pretty clear. PCI compliance is definitely required for every merchant who accepts debit and credit card payments.
The PCI DSS explained
The PCI DSS was established by the main card brands, Visa, Mastercard, American Express, Discover, and JCB, back in 2004. The process of becoming PCI compliant is demanding and time-consuming. In greater detail:
- The first step in the PCI compliance journey is to identify the compliance level that your business belongs to. The merchant can consult the company's acquiring bank about which forms need to be submitted to meet the PCI compliance requirements.
- The second step is to complete a self-assessment questionnaire (SAQ), a guided questionnaire that helps a business assess its own compliance. The PCI Security Standards Council (PCI SSC) provides a variety of SAQs for different business types, to guide merchants in identifying the payment security weaknesses of their business. Based on the requirements covered by an SAQ, business owners will be able to fix the weak security points of their store and then retake the self-assessment questionnaire.
- Next, merchants should look for a payment service provider that is itself PCI compliant and offers payment tokenization services to store customers’ card data. After applying any necessary security changes and submitting an SAQ, you should obtain a formal attestation of compliance (AOC), which verifies that your business is operating in accordance with PCI standards. A security assessor is responsible for reviewing your work and producing a report that formally validates your findings.
- Lastly, merchants need to submit the self-assessment questionnaire (SAQ), the attestation of compliance (AOC), and any other required documents to the credit card companies and banks that the business works with, to complete the journey of becoming PCI compliant.
PCI compliance is a continuous process which means that businesses will not go through the procedures of complying just once. Rather, they need to operate based on PCI requirements to maintain their compliance on an ongoing basis.
So is PCI compliance required even for merchants who process a low volume of card transactions? Regardless of transaction volume, all merchants should adhere to the 12 PCI DSS requirements defined by the PCI Security Standards Council (SSC):
- Install and maintain a firewall configuration to protect payment card data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly update anti-virus software to protect systems from malware.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data to authorized personnel only.
- Assign a unique identification code to each user who accesses the system, so that users can be identified and authenticated.
- Restrict physical access to data or systems that store cardholder data.
- Track and monitor the activity of users who access network resources and cardholder data.
- Test security systems and procedures frequently.
- Maintain an information security policy which is reviewed and updated yearly.
In order for a business to become PCI compliant, the above requirements should be followed. The business type and the volume of credit card transactions processed by the company will then determine the subsequent set of requirements that are necessary for PCI compliance purposes.
The major benefits of being PCI compliant
It’s crucial that an online business protects the card data used in the transaction process. Where a brick-and-mortar business may invest in in-store security measures to protect its premises, an online business likewise needs to ensure that its digital transactions are protected in much the same way. The PCI Data Security Standard is a great guideline for protecting your business’ card payments.
The various benefits of being PCI compliant include:
- Security of cardholder data – a merchant who complies with the PCI DSS is far better protected against a data breach and can keep cardholder data secure, compared to a merchant who is not PCI DSS compliant.
- Enhanced client trust and customer confidence – being PCI compliant means that your clients will place more trust in your brand. Customers are more likely to confidently provide their details to, and remain loyal to, companies with a low incidence of data breaches.
- Protection against financial catastrophe – by covering yourself and making the effort to avoid data breaches you’ll protect your business from potential lawsuits and fines. The process of becoming PCI compliant is costly, but the cost of not complying with payment security standards is definitely greater.
- Reduced data breach costs – the costs of a data breach can be substantial. Businesses are required to pay fines when a data breach occurs, but a PCI compliant merchant, who uses firewalls, encryption, and similar controls, minimizes the likelihood of experiencing a data breach.
The need to use a payment processor that is PCI compliant
If you genuinely care about the safety of the credit card data that your customers use to make a purchase on your website, then PCI compliance is important. All parties involved in processing credit card transactions need to comply with PCI DSS. Your payment processor and acquirer must also be PCI compliant, because card data will be transmitted through their systems.
Powercash21, as a regulated acquirer, first ensures that the systems it uses in the payment processing chain adhere to the highest PCI DSS certification standards. Both our gateway and processing systems are PCI DSS Level 1 certified.
Merchants can integrate with Powercash21’s gateway through direct integration, a hosted payment page, or a redirect to the Powercash21 payment page. By using the hosted payment page or redirect options, merchants can rely on Powercash21 for the management of all payment card data. In this way, the merchant's PCI compliance scope is reduced to validating their compliance by completing the relevant Self-Assessment Questionnaire. With direct integration, whereby the merchant stores credit card information on their own servers, the merchant would need to assess and validate their PCI compliance and provide proof of this to their acquirer on a regular basis. This demands a much costlier process in terms of man-hours and expenses. In summary, merchants can rely on Powercash21 to limit the scope and burden, as well as the expense, of their PCI compliance.
Whether a merchant decides to store credit card information on their own servers or defer that responsibility to their acquirer, Powercash21 ensures that proper guidance is provided to maintain its merchants' adherence to the PCI DSS. Read more about Powercash21’s PCI compliance for its payment gateway.