What is PCI compliance?
September 18, 2023 · 13 min read
September 18, 2023 · 13 min read
PCI compliance refers to implementing and maintaining the data security requirements set out by the Payment Card Industry Data Security Standard (PCI DSS). This set of rules is specifically designed to protect sensitive cardholder data when processing card transactions.
PCI DSS is managed and overseen by the PCI Standards Security Council (PCI SSC), a body made up of five of the world’s largest payment processing brands: Mastercard, Visa, American Express, Discover, and JCB International.
PCI compliance, at a glance:
*Further reading: PSD3: what is it and what is the difference with PSD2?
Key components of PCI compliance
To whom does PCI compliance apply?
PCI DSS applies to all companies and organisations that handle cardholder data and/or other sensitive information influencing cardholder data security. This includes:
Types of data applicable
Any entity that processes transmits, or stores the following information is subject to the requirements set out in the PCI DSS:
Objectives and requirements
The PCI DSS is continually assessed and updated as technology advances and cardholder behaviour changes. As explained in the PCI DSS v4 Quick Reference Guide (PDF), PCI DSS has six key goals. For each goal, PCI DSS specifies what’s required in order to achieve that goal.
The goals and requirements are as follows:
1. Build and maintain a secure network and systems
2. Protect account data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy
While these requirements are theoretically easy to understand, implementing them can be complex and typically requires a thorough understanding of data security practices. You can read the PCI DSS in its entirety by visiting the PCI DSS document library on the PCI Security Standards Council’s website.
How can companies stay PCI compliant?
Dedicated compliance personnel
One of the best ways companies can stay on top of PCI DSS requirements and remain compliant as regulations change is to assign an expert or team to oversee cardholder data security.
Whether through an in-house team or a third-party firm, conducting regular PCI DSS audits is essential to maintaining compliance. Thorough auditing helps pinpoint potential weak points in the payment processing journey and allows companies to install safeguards before a breach occurs.
The type of audit required under PCI DSS depends on the merchant’s compliance level. Compliance level criteria are subject to change over time. They can vary depending on the card network involved, but levels are primarily determined by the volume of card transactions processed yearly.
To maintain PCI DSS compliance, a company doesn’t just need to examine and safeguard their own data handling but also that of any third party that handles cardholder data on its behalf. A company is responsible for verifying the PCI DSS compliance of its payment gateway provider, cloud service provider, e-commerce platform, and any other organisation that transmits, processes, or stores its customers’ payment data. Despite often being overlooked, establishing a comprehensive vendor oversight process is essential to PCI DSS compliance.
The only way to truly verify whether a company’s payment system stands up to the rigours of PCI DSS is to test it. Penetration testing, conducted by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA), is mandatory for Level 1 companies and, depending on the merchant’s acquiring bank, some Level 2 companies as well.
Testing involves simulating real-world scenarios, such as phishing scams or malware attacks, to identify any security gaps. This type of testing is sometimes referred to as “ethical hacking,” as it replicates the behaviour of a hacker, but with the positive intention of preventing future security breaches.
Failure to comply with PCI DSS
PCI DSS is a global standard, not a law. However, failing to comply with PCI DSS requirements can result in severe consequences for businesses. PCI DSS is enforced through contracts between merchants, their banks, and the payment processors merchants use to accept customer card payments. These contracts lay out strict penalties for PCI DSS non-compliance, the severity of which varies depending on the institution involved and the nature of the breach.
Businesses that fail to comply with PCI DSS regulations face large fines from card networks like Visa, Mastercard, and American Express. These fines can range from thousands to millions of dollars, depending on the card brand, the severity of the breach, the merchant’s compliance level, and the duration of non-compliance. Fines are often issued on a monthly basis until the compliance issue is resolved.
Withdrawal of card processing services
Companies that experience large-scale security breaches or fail to correct compliance issues in a timely manner can face having their card processing services suspended or even withdrawn completely. Losing the ability to accept card payments can have a drastic and devastating impact on business.
Although PCI DSS is not a law, businesses can still encounter legal penalties for non-compliance. One example of this is the United Kingdom and European Union’s General Data Protection Regulation (GDPR), under which companies face significant consequences of up to £17.5 million (€20 million) or 4% of turnover (whichever figure is higher) for data breaches.
Fraud, lawsuits, and reputation damage
In addition to the financial and operational penalties listed above, failure to comply with PCI DSS can lead to increased data theft and fraud experienced by customers. This can lead to expensive lawsuits from customers and a general loss of trust in the brand, resulting in fewer sales and a downturn in revenue.
What type of businesses need to comply with PCI DSS?
Any company or organisation that transmits, processes, or stores cardholder data (CHD) and sensitive authentication data (SAD) must comply with PCI DSS requirements. This includes both merchants that accept in-person card payments and online payments.
Cardholder data refers to the cardholder's name, primary account number (PAN), expiration date, and service code. Sensitive authentication data refers to magnetic stripe or chip data, card verification code, and personal identification number (PIN).
How is PCI DSS enforced?
PCI DSS is enforced by the card networks (e.g. Mastercard, Visa, American Express, etc.), which impose fines and penalties for non-compliance. When a merchant enters into a contract with a card company in order to accept card payments, they will typically agree to remain PCI DSS compliant. Should the company breach PCI DSS requirements, it may be subject to thousands or tens of thousands in monthly fines.
The severity of the penalty will depend on the nature of the breach and how long the company has remained non-compliant. Egregious PCI compliance failures can lead to the complete withdrawal of card payment services, eliminating a merchant’s ability to accept customer card payments.
How can I tell if my business is PCI DSS compliant?
Although PCI DSS's objectives are straightforward, implementing and monitoring data compliance can be much more complex and technical. For this reason, many merchants either employ a dedicated compliance officer or hire an external compliance firm to oversee PCI DSS requirements.
An audit is The main way a company can determine whether it’s PCI DSS compliant. Audits are a requirement of PCI DSS, with the type of audit dependent on the company’s “compliance level.” Companies that process very high volumes of card transactions per year may be subject to an on-site audit, either by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA). Companies with lower annual transaction volumes are required to complete a self-assessment questionnaire (SAQ).
What are some of the most common PCI compliance violations?
In addition to the actual compliance violations, many companies also fail to keep up with the paperwork, testing, and auditing required annually by PCI DSS.
Where can I learn more about PCI DSS compliance?
The PCI Standards Security Council’s website (pcisecuritystandards.org) is the most up-to-date and thorough resource for all components of PCI DSS compliance. It includes: