What is PCI?
If you are a small business owner or anyone trying to sell anything online or in person, you may have heard the term PCI Compliance or PCI DSS thrown around. If that’s you, Welcome! You’re in the right place. This article is going to outline the basics of PCI, what it is, and how it may affect you.
To start, let’s get some basics out of the way. PCI stands for Payment Card Industry and DSS stands for Data Security Standard. The PCI SSC is the governing body that regulates these security standards and is formally known as the Payment Card Industry Security Standard Council. While these standards often get confused as laws, they are actually just standards are required by the major credit card companies that you must adhere to if you want to process payments utilizing their cards. Now that we’ve established some terms here let’s take a look at how this all came to be.
In 2006, American Express, Discover, Mastercard, Visa, and JCB International, a major Japan-based credit card company, came together to establish the Payment Card Industry Security Standard Council. With the introduction of the internet and online shopping came a major increase in CNP transactions or “Card Not Present” meaning the physical credit card was not in fact swiped at a cashier in a physical store. And while the introduction of the EMV chip (Europay Mastercard Visa) decreased the effectiveness of counterfeit credit cards, the majority of credit card fraud was happening via CNP transactions.
In fact, a credit card number is one of the most easily accessible pieces of PII on the internet. Credit card numbers can sell online for less than $1 USD, making credit card fraud one of the most easily accessible forms of fraud today. Major credit card companies saw this back in 2006 and decided to create a centralized governing body to both establish and enforce a set of standards and requirements to process payments via their credit cards. You may be asking yourself, so what? These aren’t laws, why would I concern myself with following these random counsels standards? Well, let’s name a few.
For starters, the credit card companies themselves enforce the fines associated with not obtaining these standards, so if VISA gets wind of your company that upholding the PCI standards you could be anywhere from $5,000 to $100,000 a month until compliance is obtained. So if your company can eat a sunk cost of $1.2 million dollars USD per year, go for it, but noncompliance to these standards can have some serious consequences to your businesses bottom line. The absolute worst case scenario is that one of these organizations blacklists your business and no longer allows customers to use their credit card to make purchases from your business. Imagine a customer comes to your website or store and cannot use their VISA or Mastercard to make a purchase. This would raise major red flags as to the legitimacy of your business and could definitely result in lost business. Now that we’ve established you probably want to take a look at your businesses PCI compliance requirements let’s take a look at what PCI Compliance might look like for your business.
What is PCI Compliance
Under the Security Standards Council, there are four levels of standards for PCI Compliance as outlined in the chart below:
As seen in the table, there are four levels of PCI DSS, Level 4 being the least stringent and Level 1 being the most. It’s important to note here that these categories are separated per transaction not revenue. For example. Level 3 requirements start for companies that do more than 20,000 individual transactions per year. That means a company that processes a credit card payment more than 20,000 times in a calendar year would be required to follow the Level 3 requirements.
A common denominator for Levels 2-4 is the Annual Self Assessment Questionnaire (SAQ) which is very similar to the annual Risk Assessments of HIPAA. Essentially it is an internal tool to be used to assess your current practices and ensure all the levels of PCI compliance are being met. We also see a network scan strongly recommended for Level 4 and required for Level 2-3. This is to ensure network security and mitigate data bleed by periodically checking throughout the year for any weak points.
As we progress through the Levels, the verification method ultimately transitions from more of a self-audit based system to third party based authentication. This adds a level of authority to the higher level security rules and creates more checks and balances for the larger players within the PCI space.
PCI DSS Requirements
In addition to these four levels of designation within the PCI compliance structure there are 12 mains steps to compliance that every level of organizations is required to abide by. These 12 requirements fall under 6 main goals outlined by the Payment Card Industry Security Standard Council that deliver a comprehensive payment card security standard. The table below outlines each goal as well as the corresponding steps that fall under each goal:
As seen above, their entire goal of PCI compliance is to create an infrastructure that collectively mitigates fraud for both the customer and the merchant, fortifies security, and maintains information security to reduce loss as a whole. This creates a better user experience for the customer as well as reduces sunk costs due to credit card fraud for the payment card companies.
While at first glance, a twelve-step checklist toward compliance might seem overwhelming for someone who simply wants to be able to accept credit card transactions, by breaking them down into 6 goals, it simplifies these steps into much more achievable goals to tackle. Similarly to other forms of compliance legislation, many steps are kept vague enough to accommodate all types of businesses that might have lower revenue numbers and less means to enact expensive security measures.
A few notable steps within PCI compliance are the multiple levels of technological security required on all levels. PCI compliance requires a firewall, data encryption, tracking and monitoring, as well as regular diagnostics and systems testing. The multilateral fortification system creates fail-safe after fail-safe to ensure that even in the event of a singular system failure, significant loss can still be prevented by another safeguard that has been established.
Ultimately, the PCI DSS Compliance measures are put in place to protect everyone involved from the consumer to the merchant, and obviously the payment card providers themselves. Higher levels of security are inevitable as online shopping replaces in-person shopping. As we continue to press onward in the digital age that we find ourselves, higher levels of security are an inevitable part of the convenience that comes with automated online payment processing.