What Is PCI Compliance and How To Tell If Companies Have It?

Over the past two or so decades, e-commerce has had a transformative effect on business. In the past, attaining a global presence was a challenge even for large corporations as it required significant investments.

Thanks to e-commerce, even small businesses and startups can transcend geographical borders. With an e-commerce platform, a small business can reach markets across the globe. Clients can order goods online and pay via credit cards and wait for their goods to be delivered to them.

However, along with the benefits of e-commerce also came some challenges. Identity theft and credit card fraud are the main challenges that have come with this technology. Credit card fraud occurs when unauthorized people gain access to your credit card information. When it happens, the fraudster can make purchases and then have them charged on the victim’s card.

In 2018 alone, over $ 24 billion was lost globally as a result of payment card fraud. Out of that figure, 38.6% of the losses were reported in the US. As a result, consumers and organizations are becoming more and more cautious about credit card fraud.

The Payment Card Industry Data Security Standard (PCI DSS)

Due to increased credit card fraud via the internet, Visa developed a cardholder information security program in 1999. In the same vein, JCB, Mastercard, Discover, and American express also developed their security programs.

However, in 2004, these five companies came together to form the Payment Card Industry Data Security Standard (PCI DSS). This was a unified security program for the payments card sector. 

To provide all-round protection to consumers, they incorporated financial institutions, processor companies, and other institutions that handle consumer credit card information.

The primary objectives of the PCI DSS include:

• Preventing unauthorized access to consumer information
• Prevent the theft of funds from user accounts
• Ensure businesses do not face non-compliance fines

Though there is no law concerning PCI DSS, it is an industry requirement. Any organization that processes credit card payments is required to be PCI compliant. To provide oversight for PCI DSS, Visa, and the other credit card companies formed the PCI Security Standards Council (PCI SSC).

However, the council does not enforce compliance or determine fines for non-compliance. Its mandate is to maintain, improve, and distribute information about compliance standards.

PCI Compliance Levels and Requirements

Organizations require different levels of compliance and are subject to varying requirements. Whether a company is a service provider or a merchant, and the amount of risk they face, determines the category they fall under.

For merchants, there are four PCI DSS compliance levels and other validation requirements. There are only two levels for service providers.

Your company will fall into one of the levels depending on:

• The number of credit card transactions you process annually
• The type of credit cards you accept

Also, any data breach or security incidences that may have compromised consumer credit card information will affect the level you’re in.

Level 1 carries the most security requirements. Merchants that fall under this category process between 1 and 6 million or more credit card transactions. Whereas merchants on other levels can forgo audits and self-asses, level one merchants must pass audits every year.

These audits must be carried out by a Qualified Security Assessor (QSA) or an Internal Security Assessor.

The PCI DSS has six main goals. They are:

• Building and maintaining secure networks.
• Safeguarding cardholder data.
• Developing a vulnerability management program.
• Ensuring there are strong access control measures.
• Monitoring and conducting regular tests on networks.
• Setting and maintaining policies regarding information security.

Under these goals, lie 12 requirements that contain 281 directives. The goals apply to all merchants and service providers. However, the directives organizations are subject to vary from one to the next, depending on their particular situation.

How to Verify That a Company Is PCI Compliant?

Organizations that are subject to PCI DSS compliance must ensure that they observe all the set-out requirements for their level. However, they must also ensure that any third-party service providers they work with are also compliant. This may sound straightforward, but it has proven to be a major challenge for businesses.

When it comes to checking PCI compliance, only the Attestation of Compliance (AOC) can prove that an organization is compliant.  The PCI SSC defines the AOC as “a form for merchants and service providers to attest to the results of a PCI DSS assessment, as documented in the Self-Assessment Questionnaire or Report on Compliance.” 

The AOC must:

• Only be provided on the AOC form provided by the PCI Security Standards Council
• Highlight the level and services the provider offers
• The specific set of requirements they attest to be compliant – or non-compliant- with
• The date of the assessment.

All non-authorized documentation, including scanned documents and a certificate of AOC completion, are not acceptable as proof of compliance. Therefore, you should only work with third-party service providers that are willing to show their Attestation of Compliance.

How to Maintain PCI Compliance?

With PCI DSS, the challenge is not to become compliant but to maintain compliance. For most organizations, the process is over once compliance is achieved. However, this does not necessarily ensure consumer credit card information is safe.

It is vital that your organization views PCI compliance as a continuous process rather than an event. This will ensure your customer’s security is not compromised while safeguarding you from non-compliance fines.

To remain compliant, organizations should:

• Incorporate PCI DSS into the day to day security strategy.
• Have a member of your team who is responsible for ensuring compliance at all times.
• Embed risk management and security prioritization into the corporate culture.
• Conduct regular PCI development training with companies like HackEDU for team members tasked to keeping everything in order.
• Conduct regular vulnerability scans and penetration tests.
• Ensure controls are operational at all times.
• Ensure third-party service providers also remain compliant.
• Monitor emerging threats and ensure your security strategy is updated accordingly.
• Maintain an audit trail.

PCI Compliance Software

Adhering to the requirements of PCI DSS can be time-consuming. It is also challenging as it involves continuous testing of controls around your cardholder data environment (CDE), tracking vendor compliance, and keeping up to date with new PCI standards.

Fortunately, there is software that can perform these tasks for you, thus simplifying PCI compliance. With such solutions, you can also audit your system to ensure everything is as it should be. 

Cost of Non-Compliance

Failure to comply with PCI carries significant consequences for any business. In addition to the monthly fines, which can be as high as $ 100,000, you will also incur the following costs.

• Legal fees for the lawsuits
• Charges applicable for a forensic investigation
• Costs involved with addressing the issue
• Banks and processors will charge you higher rates
• Cost of Federal Trade Commission audit
• Customer compensation costs such as card reissuance, credit monitoring, and identity theft insurance
• Cancellation of your credit card acceptance privileges

Any company that processes, stores, or transmits credit card information must comply with the PCI DSS. Failure to do so comes with serious ramifications.

Bottom Line

Undoubtedly, credit card fraud poses a great risk to consumers and companies. However, by adopting the right security approach and ensuring continuous Payment Card Industry Data Security Standard compliance, you can protect your company and consumers.