
Leveraging PCI Compliance to improve security

Last updated on March 19, 2024

Payment fraud is a global business. Its impact reaches far and wide, often devastating to unsuspecting victims. In this guide, we will explain how you can leverage PCI compliance to improve the online security of your business and reduce the chance of cardholder fraud.  

We will explain what PCI compliance means, how to get a PCI compliance certificate, what the PCI compliance requirements are, how much PCI compliance costs and how to stay PCI compliant. 

What is PCI compliance? 

The Payment Card Industry Security Standards Council (PCI SSC) is an established and respected global forum of payments industry stakeholders. It created the PCI Data Security Standard (PCI DSS) to combat online fraud. If your organisation accepts, transmits or stores card data, then the PCI DSS applies to you, and you must hold a PCI compliance certificate to prove that you comply with it.

What are the different PCI Compliance levels?

PCI compliance certificates are issued annually. What you must do to get one depends upon the level of compliance you are being asked to conform to. The definitions of PCI levels vary by merchant or payment service provider, so talk to yours about this. 

To give you an idea what’s involved, we have listed the PCI compliance levels for Visa: 

PCI Level 1  

These are for large companies processing more than 6 million payments annually. This level of compliance is expensive as it requires significant IT hardware and software, skilled staff, training, and audit resources. PCI Level 1 can also include businesses with a significant data breach, leading to compromised account information.  

As you’d expect, the validation requirements for PCI Level 1 businesses are significant, so they are likely to have specialist resources to support them. 

To get a PCI compliance certificate, a PCI Level 1 organisation will need to supply an: 

  • Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA). An internal auditor may do this role. 

  • Annual self-assessment questionnaire (SAQ).

  • Quarterly network scans by a PCI SSC Approved Scanning Vendor (ASV).

  • Attestation of Compliance Form. 

PCI Level 2  

PCI Level 2 applies to companies handling between 1 million and 6 million payments a year.

To get a PCI compliance certificate, a PCI Level 2 organisation must supply everything that a PCI Level 1 does, except a ROC. 

PCI Level 3  

If a business takes between 20,000 and 1 million e-commerce payments a year, they will fall under PCI Level 3 compliance. To get a PCI compliance certificate, a PCI Level 3 organisation must supply similar information to their PCI Level 2 colleagues, namely an annual SAQ, quarterly network scan by ASV and an Attestation of Compliance Form. 

PCI Level 4  

The majority of businesses fall within PCI Level 4. It's for merchants processing fewer than 20,000 e-commerce transactions a year, or up to 1 million transactions a year in total.

If you fall within this category, talk to your merchant or payment service provider because they will set your compliance validation requirements and advise what you need to do to get a PCI compliance certificate. They may recommend an annual SAQ and a quarterly network scan by an ASV.  

PCI compliance requirements 

Merchants are asked to sign an “Attestation of Compliance Form” to confirm that they are PCI compliant. The form contains 12 PCI compliance requirements, built around six themes:  

  • Securing network and systems. 

  • Protecting stored account data. 

  • Vulnerability management. 

  • Access control.

  • Monitoring and testing networks. 

  • Maintaining an information security policy. 

These are the 12 PCI compliance requirements that every merchant must follow:  

  1. Install and maintain a firewall to protect cardholder data within your network. 
  2. Change vendor-supplied default passwords and security settings.  
  3. Protect all stored cardholder data, ensuring you have policies to limit the data you store.  
  4. Use data encryption when transmitting cardholder data across open, public networks. 
  5. Use appropriate anti-virus software. Document periodic scans. Keep the software up to date.
  6. Document and maintain security systems and processes.  
  7. Restrict access to cardholder data on a ‘need to know’ basis. 
  8. Assign a unique user ID to everyone with computer access and implement a process for authenticating each user. 
  9. Restrict physical access to cardholder data. This could include using cameras or other hardware and software to monitor who is accessing sensitive data.  
  10. Log and monitor all access to system networks and cardholder data. 
  11. Test security systems and processes regularly. Perform quarterly vulnerability scans. 
  12. Document and maintain an information security policy for your business. Review and update this policy at least annually.  

The importance of staying PCI-compliant 

You will probably have noticed that regardless of the level at which a merchant has been classed, all merchants are responsible for performing regular security system checks.

These may include performing quarterly network scans, completing annual self-assessment questionnaires, and regularly monitoring and testing security networks. There is also an emphasis on maintaining an information security policy. For the largest merchants, there is a requirement for a Qualified Security Assessor (QSA) to complete an Annual Report on Compliance (ROC), which is a complex set of documents and no small undertaking. 

The bad news is that this can be expensive. The good news, however, is that many merchant or payment service providers can handle your PCI requirements for you. And some won’t charge you for this service if you choose to take payments through them. 

How much does it cost to get PCI compliance? 

The cost of PCI compliance varies by merchant level. If you operate a small business, the fee you will pay for PCI compliance could range from nothing to £60 a year.  

Nothing? Yes, that’s right. Some merchant or payment service providers will handle your PCI compliance for no extra fee. Those that do charge, normally hover in the £2.50 - £5 a month mark (as of September 2023) and so you will end up paying £30 - £60 for PCI compliance if you are a small business.  

If you are a larger business processing 20,000 or more payments a year, then you can expect to pay a lot more to achieve PCI compliance. Talk to your merchant or payment service provider to understand what PCI level they are placing you at, and what support they can offer you.  

The cost of non-compliance can be £3,000 or more. Whilst it is your merchant or payment service provider, and not you, that will be fined, the merchant bank will typically pass this fine down to you along with any legal fees that it has incurred. And if you are at risk of non-compliance, then you are unlikely to find any merchant or payment service provider willing to serve you.

Tips for becoming PCI compliant 

As we have already said, if your organisation accepts any kind of card payment, then you must hold a PCI compliance certificate, and this requirement comes round on an annual basis. Given the technical nature of data security, completing the SAQ can be especially challenging for small-business owners, who must assess and address all issues before submitting it. So here are a few tips to make the process a little easier:

1. Learn about keeping data secure. The PCI Security Standards Council website has a wide range of educational resources available.

2. Understand your business. Find out which PCI level you fall under and which PCI assessment you must adopt. 

3. Talk to your merchant or payment service provider: 

  • What compliance requirements are in your contract? 
  • Will they cover your PCI requirements and if so, how much will that cost?  
  • If they won’t cover you, can they recommend suitable compliance consultants or services to help you? This may include an approved scanning vendor or someone to help with your assessment. 

4. Follow good data hygiene: 

  • Use strong passwords. 
  • Keep software updated. Replace older point-of-sale terminals because newer cloud-based systems are built with strong encryption, and often receive automatic updates. 
  • Limit the data that you store. It is unlikely that you will need to store physical copies of receipts. 
  • Don’t click on suspicious links. 
  • Use payment hardware and software (such as card readers and payment software) that is validated by the PCI SSC. Not only are these likely to be more secure, but they should also make PCI compliance easier because they tend to be low maintenance and often include PCI compliance support.  
  • Continually educate your employees about your PCI DSS obligations and why protecting cardholder data is important to your customers and your business. 

5. Take the paperwork seriously. Self-assessment questionnaires are technical in nature and can be frustrating. But they are an important part of the PCI compliance certificate process.  
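Requirement 3 in the list above and the "limit the data that you store" tip both come down to the same thing: knowing where full card numbers actually sit in your systems and keeping no more of them than you need. The Python script below is an added example, not code from the original article or from the PCI SSC. It scans text (here, a few constructed order-log lines) for candidate primary account numbers, uses the Luhn check to discard ordinary numbers such as order references that merely look like card numbers, and masks any genuine finding down to the first six and last four digits, a widely used PCI masking format. The sample lines, the 4111 1111 1111 1111 value (a conventional test number, not a live card), and the masking width are constructed or assumed for this example.

```python
import re

# Constructed sample lines (not real data): what a merchant's own order log
# might contain if a developer accidentally logged a full card number.
SAMPLE_LINES = [
    "2024-03-19 10:22:01 order=10234 card=4111 1111 1111 1111 amount=19.99",
    "2024-03-19 10:23:44 order=10235 token=tok_9f3a2c amount=42.00",
    "2024-03-19 10:25:10 order=10236 ref=1234567890123456 amount=7.50",
]

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: card numbers pass it, most other numbers do not."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits (assumed masking format)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _normalise(candidate: str) -> str:
    """Strip the separators people type between card-number groups."""
    return re.sub(r"[ -]", "", candidate)


def _is_pan(digits: str) -> bool:
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def find_pans(lines):
    """Return (line number, masked PAN) for every Luhn-valid candidate found."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for match in PAN_RE.finditer(line):
            digits = _normalise(match.group(0))
            if _is_pan(digits):
                findings.append((lineno, mask_pan(digits)))
    return findings


def redact_line(line: str) -> str:
    """Replace Luhn-valid PANs with their masked form; leave everything else alone."""
    def _replace(match):
        digits = _normalise(match.group(0))
        return mask_pan(digits) if _is_pan(digits) else match.group(0)
    return PAN_RE.sub(_replace, line)


if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE_LINES):
        print(f"line {lineno}: stored PAN found, masked form {masked}")
    for line in SAMPLE_LINES:
        print(redact_line(line))
```

Running something like this over log exports, spreadsheets and database dumps before you fill in the SAQ tells you whether any system is holding card numbers it should not; a hit means either deleting that data or bringing the system into the scope of your assessment. The Luhn filter is what keeps the scan useful: the third sample line contains a sixteen-digit reference that is not a card number, and it is correctly left alone.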

Key takeaways: 

  • The payments card industry (PCI) created the PCI Data Security Standard (PCI DSS) to combat online fraud.  

  • There are 12 PCI compliance requirements, built around six themes, that every merchant must follow: securing network and systems, protecting stored account data, vulnerability management, access control, monitoring and testing networks, and maintaining an information security policy.

  • Any business that accepts card payments must hold a PCI compliance certificate. 

  • What you must do to get a PCI compliance certificate depends upon a number of factors including the volume of card transactions that your business handles a year.  

  • Talk to your merchant or payment service provider to understand what PCI compliance requirements they expect you to deliver, how much this could cost and how they can support you. 

  • Follow good data hygiene. Use strong passwords. Keep software updated. Limit the data that you store. Use payment hardware and software that is validated by the PCI SSC and update it regularly. 

  • Take self-assessment questionnaires seriously. They are technical in nature and can be frustrating to complete, but they are an important part of leveraging PCI Compliance to improve your business’s online security. 

FAQs

Q: Who does the PCI DSS apply to? 

A: The Payment Card Industry Data Security Standard (PCI DSS) applies to any business that accepts, transmits, or stores card data.

Q: What is an Annual self-assessment questionnaire (SAQ)? 

A: The SAQ is an annual assessment that every merchant must complete. Its purpose is to assess how secure your business's systems and practices are. Most small businesses do this themselves without external help, but there are specialist consultants who can help support you.  

Q: What is an Annual Report on Compliance (ROC)? 

A: An Annual Report on Compliance is completed by very large companies processing more than, say, 6 million payments a year. The ROC template can be downloaded from the PCI DSS website. It includes several predefined reports that provide information to help PCI Level 1 organisations ensure that their network complies with the PCI DSS. Completing the report can be cumbersome, and an internal auditor may do this role. 

Q: What is a quarterly network scan? 

A: A quarterly network scan is an internal network scan designed to identify and fix any vulnerabilities in a merchant's network and operating systems. It is a PCI DSS requirement that these scans are performed at least every three months.

Q: What is an Attestation of Compliance Form? 

A: An Attestation of Compliance Form is a form that can be downloaded from the PCI DSS resource centre. Every merchant must complete this form annually, to declare that they comply with the PCI DSS requirements for securely handling cardholder data.

Q: Is PCI compliance required by law? 

A: No, merchants are not required by law to comply with the PCI DSS. They are, however, bound by the contract that they have signed with their merchant or payment service provider and the card networks, and these contracts bind the merchant to PCI compliance. In this way, the payment card industry (PCI) polices cardholder and data security through the PCI Security Standards Council (PCI SSC) and the Payment Card Industry Data Security Standard (PCI DSS).

Q: Do small merchants with low transaction volumes need to comply with PCI DSS? 

A: Yes. The PCI Data Security Standard (DSS) is intended for any business that accepts card payments; however, some merchant or payment service providers will handle your PCI compliance for no extra fee. Those that do charge, normally charge around £2.50 - £5 a month (as of September 2023) and so you could end up paying around £30 - £60 a year for PCI compliance if you are a small business.  

Q: What is PCI DSS 4.0? 

A: The PCI Security Standards Council (PCI SSC) rolled out version 4.0 of the PCI Data Security Standard (DSS) on March 31, 2022. It replaced version 3.2.1, published in 2018; however, version 3.2.1 will remain active until March 2024 so that everyone involved has sufficient time to adapt to the major changes in 4.0.
