PCI DSS compliance means meeting a set of security requirements for handling credit card data. The standard is organized as 12 requirements grouped under 6 control objectives, intended to help businesses and payment processors build and maintain a reliable, secure card processing environment.
Every business that accepts credit cards is required to comply with PCI DSS, no matter how few card transactions it processes.
- What is PCI?
- Is PCI Compliance required?
- Processor Approaches to PCI Validation
- Visa Technology Innovation Program (TIP) for Validation Exemption
- Costs Involved in PCI Compliance
What is PCI?
PCI stands for “Payment Card Industry,” and it’s the first part of a two-part acronym for the security standard that applies to businesses accepting credit cards. The full acronym is PCI DSS, which stands for “Payment Card Industry Data Security Standard.”
PCI DSS gives businesses that accept credit cards an actionable framework for protecting cardholder data. The standard is maintained by the PCI Security Standards Council, and it was originally created by consolidating the card brands’ individual security programs, such as Visa’s CISP and Mastercard’s SDP.
As mentioned in the introduction, the requirements fall into 6 categories. You must:
- Have a secure card processing network
- Protect all cardholder information and data
- Protect your systems against malware
- Put strong access control measures in place
- Monitor and test your networks
- Create and maintain an Information Security Policy
Related Article: Visa’s Cardholder Information Security (CISP) program
Secure Card Processing Network
- Install and maintain a firewall configuration that protects cardholder data, such as card numbers, from untrusted networks.
- Change vendor-supplied default passwords and other default security settings – When you receive hardware, software or system updates from a vendor, change the default credentials and harden the default configuration before the system handles cardholder data.
Protect All Cardholder Information
- If you store cardholder data, keep only what you need, render stored card numbers unreadable (by truncation, tokenization or strong encryption), and put access controls around every place they are stored.
- Encrypt cardholder data in transit – Any cardholder information sent across public or open networks must be protected with strong, industry-standard cryptography (for example TLS).
Protect Your Systems Against Malware
- Run antivirus or anti-malware software on all systems commonly affected by malware, and keep it regularly updated.
- Maintain secure systems and applications, including patching known vulnerabilities promptly.
Put Access Control Measures in Place
- Limit employee access to cardholder data – Restrict access to the personnel whose job requires it.
- Assign a unique ID to each user so that every access to cardholder data can be traced to an individual.
- Restrict physical access – Ensure only authorized employees can reach physical cardholder data and the systems that hold it.
Monitor and Test Your Networks
- Log and monitor all access to network resources and cardholder data, including what each user does with that data.
- Regularly test your security systems and procedures for flaws or vulnerabilities.
Create and Maintain an “Information Security” Policy
- Create, maintain, and distribute an information security policy that clearly sets out how your organization addresses PCI DSS and the responsibilities of employees and contractors.
Please note these are only high-level descriptions of the requirements laid out by PCI DSS. We recommend contacting your processor or visiting the PCI standards website to find out more.
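The requirements above say not to keep card data you don’t need and to test your own systems for flaws, but they don’t show what that looks like in practice. The following is an added example, not code from the original article: a small Python scanner that finds unmasked card numbers (Luhn-validated, so timestamps and order numbers are not flagged) in stored data such as application logs, reports them masked so the report is not itself a new copy of card data, and builds the record a merchant is allowed to keep after authorization (CVV dropped, card number masked to first six and last four digits). The log lines are constructed, the field names are hypothetical, and the card numbers are publicly known test numbers, not real accounts.

```python
"""Scan stored data for unmasked card numbers and build a PCI-safe post-auth record.

Added example, not code from the original article. The log lines below are
constructed, and the card numbers in them are publicly known test numbers
(4111111111111111, 5555555555554444), not real accounts.
"""
import re
from typing import Dict, List

# A PAN is 13 to 19 digits; tolerate the spaces or dashes receipts often add.
# The look-arounds stop the pattern from matching a slice of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check. Every card brand's PAN carries a Luhn check digit,
    so this weeds out timestamps and order numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid PAN found in `text`, digits only."""
    pans = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def mask_pan(pan: str) -> str:
    """Show at most the first six and last four digits (the PCI DSS masking
    limit for a displayed PAN); every other digit becomes 'X'."""
    if len(pan) < 13:
        raise ValueError("not a PAN")
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def scan_log(log: str) -> List[Dict[str, object]]:
    """Report which lines contain a full PAN. The report carries only masked
    PANs so that the findings do not become one more copy of card data."""
    hits = []
    for lineno, line in enumerate(log.splitlines(), start=1):
        pans = find_pans(line)
        if pans:
            hits.append({"line": lineno, "pans": [mask_pan(p) for p in pans]})
    return hits


def post_authorization_record(auth: Dict[str, str]) -> Dict[str, str]:
    """Keep only what a merchant may keep after authorization: the CVV
    (sensitive authentication data) is dropped outright and the PAN is stored
    masked. The input fields are a hypothetical authorization response."""
    return {
        "masked_pan": mask_pan(auth["pan"]),
        "auth_code": auth["auth_code"],
        "amount": auth["amount"],
    }


# Constructed sample: a debug log that leaks raw requests (lines 2 and 4),
# plus a timestamp and a properly masked receipt that must not be flagged.
SAMPLE_LOG = """\
2016-11-04T10:15:01 ts=1478012345678 order=A1001 status=approved
2016-11-04T10:15:02 DEBUG raw_request pan=4111111111111111 cvv=123 amount=42.10
2016-11-04T10:15:03 INFO receipt masked_pan=411111XXXXXX1111 auth_code=Z7K2
2016-11-04T10:16:40 DEBUG raw_request pan=5555 5555 5555 4444 cvv=987 amount=9.99
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: full PAN(s) found {hit['pans']}")
    auth = {"pan": "4111111111111111", "cvv": "123", "auth_code": "Z7K2", "amount": "42.10"}
    print(post_authorization_record(auth))
```

Run against real application logs, database dumps and backups, a scan like this is how a merchant checks that "we don't store card data" is actually true; a debug log that captures raw requests, as in lines 2 and 4 of the sample, silently pulls the whole log server into PCI scope.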
Related Article: MasterCard’s Site Data Protection (SDP) program.
Is PCI Compliance required?
Yes, PCI compliance is required for all businesses that accept credit or debit card payments — even for businesses with very little volume.
Note that while compliance is required for all businesses, validation of that compliance has not, until now, been required for every business type. Visa has issued new rules requiring validation for all businesses starting in January 2017. You can read more about it, including details on Qualified Security Assessors, in this article.
The burden of validating PCI compliance for a large segment of businesses is the responsibility of individual acquirers, processors and merchant service providers.
Merchant Levels & Compliance
PCI guidelines separate businesses into four levels depending on the number of transactions processed annually and the method used to transmit cardholder information.
Most businesses fall into level four, the least scrutinized level, which covers merchants that process fewer than 20,000 e-commerce transactions and fewer than one million transactions overall per year.
For these merchants, it has traditionally been up to individual processors and merchant service providers to set validation requirements, or to decide whether to require validation at all. However, beginning in January 2017, Visa will require validation for all businesses, including level four merchants.
Processor Approaches to PCI Validation
Not surprisingly, processors and merchant service providers have taken several different approaches to validating PCI compliance — some better than others.
Compliance Support & Required Validation
Some large processors, such as First Data, require all businesses to validate PCI compliance, and provide PCI support programs to help businesses become compliant. These support programs typically carry some sort of annual or monthly fee.
Businesses that have not validated compliance are typically charged a PCI non-compliance fee that’s meant to serve as a reminder to become compliant.
First Data and other processors that have taken it upon themselves to require compliance from businesses also allow merchant service providers that use their processing services to maintain their own in-house compliance validation programs. The fees and requirements for such programs are left to the discretion of each provider so long as businesses validate compliance.
Merchant Service Provider Discretion
Currently, the most popular approach that large processors take to PCI is to leave compliance validation up to merchant service providers. This approach passes the PCI buck one more level, and opens the door for the provider to let businesses handle PCI validation on their own terms.
Merchant service providers that don’t check validation aren’t necessarily being irresponsible or devaluing the importance of PCI compliance. In fact, this approach is beneficial for businesses in a number of ways.
Freedom to Choose Vendors
PCI has created a cottage industry of scanning vendors, consultants and qualified security assessors, each with their own rates and fees. By allowing businesses to validate PCI on their own terms, merchant service providers make it possible for businesses to shop for vendors that closely match their needs.
Lower PCI Expense
Merchant service providers that run a mandatory PCI validation service charge every business the same fee for the program. However, the cost of compliance and validation is much lower for a card-present retail business than for an e-commerce business.
This leaves retail businesses paying more than their fair share for PCI validation, and e-commerce businesses paying less.
Merchant service providers that let businesses handle PCI validation themselves ensure that the price a business pays for validation reflects how it actually processes credit cards.
The point of PCI is to ensure businesses are taking the necessary steps to safeguard credit card information. It’s important — especially for e-commerce businesses that transmit cardholder information electronically.
Merchant service providers that don’t check validation are assuming a business will validate on its own. Of course, this doesn’t happen 100% of the time, and PCI non-compliant businesses will slip through the cracks.
Visa Technology Innovation Program (TIP) for Validation Exemption
There is a way around annual PCI validation. You must still maintain PCI compliance, but if you meet the qualifications for Visa’s Technology Innovation Program (TIP), you may be exempt from validating that compliance each year.
To qualify for the TIP program, you must:
1. Not store sensitive card data (such as card numbers, the CVV, etc.) after the transaction is authorized
– AND –
2. Use qualifying equipment or solutions for at least 75% of your transactions. For TIP, this means that you must use one of the following options:
- A terminal that supports both EMV chip cards and mobile NFC payments.
- A validated point-to-point encryption (P2PE) solution.
To clarify, a chip-capable terminal that cannot take contactless payments, or a contactless-capable terminal that cannot take chip cards, does not qualify for the purposes of TIP.
Only P2PE solutions on the PCI Security Standards Council’s official list of validated solutions count for TIP.
TIP is not available to e-commerce businesses or to those that primarily accept card transactions by phone or mail.
You can contact your processing company about TIP, or submit an application yourself.
Costs Involved in PCI Compliance
There are several different costs involved in PCI compliance, and your specific costs will vary depending on your setup, your processor, and more. You can expect to pay for IT services (either employees or an external company) if you need help setting up secure networks, firewalls, and so on. Some processors charge a PCI compliance fee, either monthly or annually. Not all processors charge a compliance fee; however, many charge a PCI non-compliance fee, that is, a fee for not being up to date on your compliance requirements. Think of it as an expensive reminder or warning to stay compliant.
Your processor should be able to help you with compliance. Lastly, if you do experience a data breach, you’ll likely incur expenses like fines from the card companies, costs of replacing customers’ cards, and more. The costs associated with a breach can be huge, and generally far outweigh the costs of ensuring you’re PCI compliant. It’s best to make sure that you become and stay PCI compliant to minimize the likelihood of a data breach.
Related Article: Is Data Breach Insurance Worth It?
Don’t forget that one of the most important – and time-consuming – aspects of PCI DSS compliance is developing all mandated policies and procedures. As a PCI-QSA for years, I’m constantly having to deal with my clients’ challenges of having little or no documentation in place. If you look at the actual standards, there’s close to 50 or so policies and procedures that need to be in place, so finding a comprehensive policy packet is a must. PCI DSS is not always about the technical aspects; there’s a lot of documentation that has to be in place, so just remember that! There are numerous providers online offering cost-effective templates, so now it’s easier and more affordable than ever to put in place all mandated PCI-specific documents.