To put it simply: if you handle credit and/or debit cards for any sort of payment (online, offline, telephone, etc.), you need to be PCI DSS compliant.
Failure to do so could cost your business thousands of pounds or even mean your business will be barred from accepting cards in the future.
Being PCI compliant means adhering to the Payment Card Industry Data Security Standard (PCI DSS) as defined by the Payment Card Industry Security Standards Council (PCI SSC). In plain English, it is a way of ensuring that safeguards are in place to protect consumer card data.
To be compliant today, you and your payment service provider need to adhere to version 3.2 of the PCI DSS, which was introduced in April 2016.
Requirements to Be PCI Compliant:
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Identify and authenticate access to system components
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for all personnel.
You can read all 139 pages of the Requirements and Security Assessment Procedures version 3.2 in the PCI SSC document library.
Does PCI-DSS apply to my business?
If your business handles credit and/or debit card data in any way then yes, it does. That said, your merchant account provider should make this process very easy for you and include it as part of their package.
PCI-DSS Levels & Compliance Validation Requirements
Depending on the number and type of transactions your business processes, you will fall into one of four levels. The following are based on Visa’s guidelines.
Level 1
Criteria: Merchants processing over 6 million Visa transactions annually across all channels or Global merchants identified as Level 1 by any Visa region.
Compliance Requirements:
Every year:
- File a Report on Compliance (“ROC”) completed by a Qualified Security Assessor (“QSA”), or by an Internal Auditor if signed by an officer of the company. We recommend the internal auditor obtain the PCI SSC Internal Security Assessor (“ISA”) certification.
- Submit an Attestation of Compliance (“AOC”) Form.
Every quarter:
- Conduct a quarterly network scan by an Approved Scan Vendor (“ASV”).
Level 2
Criteria: Merchants processing 1 million to 6 million Visa transactions annually across all channels
Compliance Requirements:
Every year:
- Complete a Self-Assessment Questionnaire (“SAQ”)
- Submit an Attestation of Compliance (“AOC”) Form
Every quarter:
- Conduct a quarterly network scan by an Approved Scan Vendor (“ASV”)
Level 3
Criteria: Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
Compliance Requirements:
Every year:
- Complete a Self-Assessment Questionnaire (“SAQ”)
- Submit an Attestation of Compliance (“AOC”) Form
Every quarter:
- Conduct a quarterly network scan by an Approved Scan Vendor (“ASV”)
Level 4
Criteria: Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually.
Compliance Requirements:
Every year:
- Complete a Self-Assessment Questionnaire (“SAQ”).
- Submit an Attestation of Compliance (“AOC”) Form.
Every quarter:
- Conduct a quarterly network scan by an Approved Scan Vendor (“ASV”) (if applicable).
Does using a 3rd party payment processing platform exempt me?
No. All businesses that accept credit cards must remain PCI compliant no matter how they handle cards. Outsourcing card handling to a third party can, however, reduce the scope of your own assessment (for example, qualifying you for a shorter Self-Assessment Questionnaire), provided the third party is itself PCI DSS compliant and you never store, process or transmit card data on your own systems.
Do I meet PCI Compliance simply by having a payment gateway and/or SSL certificate?
No. While payment gateways and SSL/TLS certificates can help you meet your PCI compliance requirements, having them on their own will not be enough. Note also that PCI DSS 3.2 requires that SSL and early TLS no longer be used to protect cardholder data after 30 June 2018, so the certificate alone is not the point; the protocol configuration behind it matters too.
What are the consequences of non-compliance?
Not meeting your compliance obligations could mean you are banned from accepting cards and/or charged increased fees to process cards. Moreover, fines ranging from £3,000 to £60,000, depending on your bank’s merchant account agreement, may also be levied.
It is very important you familiarise yourself with a merchant account provider’s Terms & Conditions before signing up with them.
How much does it cost?
While becoming PCI compliant is not free, it is much cheaper than the alternatives. Costs can range from as little as £100 for a basic network vulnerability scan, all the way up to £50,000 for a full audit for Level 1 merchants.
Generally speaking, these costs are a tiny fraction of what a data breach costs. The fines can be as high as £79 per record, which means that even if you process only a few hundred transactions a month your business could be faced with crippling fines.