Accepting payments online comes with some risks. There will always be fraudsters who try to steal payment information from insecure networks, which is why PCI compliance is more important than ever.
If you take payments through your website, it’s important that you understand PCI compliance and what it means for your business. If you don’t take it seriously, you could be exposing your customers and your business to unnecessary risk.
A 2017 Verizon Data Breach Incident Report found that there were nearly 42,068 data security incidents that year. Don’t let your business be one of them.
You’ve probably heard about PCI compliance before, but you may not know what it is and why it’s relevant. In this post, we’d like to break everything down for you.
What Is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard. It’s a group of standards set by the PCI Security Standards Council (PCI SSC) regarding how businesses process credit card payments.
The PCI SSC was started by the major credit card companies: Visa, MasterCard, American Express, Discover, and JCB. Originally, they all had unique security standards, but they joined together in 2006 to standardize everything.
The goal of the initiative is to protect sensitive consumer information, including credit card numbers. This is good for the consumer because it reduces the chance of businesses misusing their personal information or hackers and scammers stealing it. It’s also good for the payment processing industry because it reduces the likelihood of chargebacks and unpaid debts.
While PCI compliance isn’t a law, you’ll have to abide by the standards if you want to work with any of those companies (and you pretty much have to if you want to process credit cards).
What counts as sensitive information? The primary account number, cardholder name, expiration date, service code, magnetic strip data, chip, CAV2, CVC2, CVV2, CID, PINs, PIN blocks, and anything else you use to process a transaction.
PCI DSS set 12 requirements you need to adhere to in order to safely and securely accept, store, process, and transmit cardholder data. If you fail to follow even one, you aren’t compliant. Each requirement addresses an important component of information security.
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Protect all systems against malware and regularly update anti-virus software or programs.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Identify and authenticate access to system components.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security for all personnel.
If you make any type of financial transaction, it’s your responsibility to be PCI compliant. This includes accepting credit cards over the phone.
Additionally, it’s your job to make sure that any vendor who provides you with software or services, or any company or person you hire, are PCI compliant as well.
For example, if you use Stripe to process your credit card payments, you can be held accountable if their service is found to be non-compliant. (Fortunately, that’s not a major risk with Stripe, which is why we recommend them.)
You’re expected to be PCI compliant regardless of the size of your business, even if you process just one transaction per year. If not, you could face serious penalties.
For the most up to date information, it’s always best to visit the PCI SSC website. Their standards change regularly and change depending on your business, so you’ll want to keep yourself updated. Make yourself aware of the content on their Merchants page.
PCI Merchant Levels
The type of security you need depends on the number of payments you run annually. The more transactions you process, the more attractive you are to hackers and malicious parties, so PCI compliance is broken down into four levels:
Level 1 is for merchants who process more than six million transactions annually. They’re required to submit to quarterly network scans by an Approved Scanning Vendor and annual compliance report by a Qualified Security Assessor. They also have to undergo penetration tests.
Level 2 is for merchants that process one million to six million annual transactions. They have to submit to an annual Self-Assessment Quiz (SAQ), an on-site assessment conducted by a Qualified Security Assessor (QSA), a quarterly network scan, and penetration testing.
Level 3 is for businesses that process 20,000 to one million annual transactions. Level 4 is for businesses who process fewer than 20,000 annual transactions. Both are required to conduct an annual Self-Assessment Quiz, quarterly network scan, and a few other requirements. Most businesses fall into level four, the lowest category.
In some cases, the PCI SSC raises certain merchants to higher ranks depending on their type of business (some come with higher risk than others) or if they’ve suffered a data breach in the past.
Penalties of Noncompliance
If you aren’t compliant with PCI standards, you run the risk of suffering from data breaches. If a malicious person gets a hold of your customers’ payment information and creates faulty charges, the credit card companies are forced to incur illegitimate expenses, so they take noncompliance very seriously.
The payment brands (Visa, MasterCard, American Express, Discover, and JCB) can fine merchants, banks, or other payment processing vendors for noncompliance at their discretion. These fines are often between $5,000 and $10,000 per month.
You can also be required to pay for card replacement costs (when credit card users need their accounts or cards changed because they’ve been compromised) and costly forensic audits into your business.
Even worse, you can be held civilly liable for monetary damages your customers experience due to careless processing. That means people can sue you for the money they lose if your lack of compliance compromised their personal information.
Furthermore, payment brands are within their rights to increase their fees for your business. If they decide you’re too much of a risk, they can cease doing business with you entirely. The credit card brands aren’t public with their methods for assigning fees, but their justice can be quite damaging to small businesses. This is why it’s so important that you understand what being PCI compliant means and whether you are.
Most merchants process transactions through payment gateways. You probably recognize names like Stripe, PayPal, Authorize.net, etc. Gateways are front-end platforms that connect to the credit card banks.
This means you don’t need to have individual arrangements with the credit card banks. When you work with a gateway, they take the inputs you give them (the customers’ payment information) and route that data to the appropriate bank. They also provide a number of fraud detection tools that protect everyone.
Here’s a bit of good news: If you use a payment gateway, you’re most likely PCI compliant already because the gateway ensures you are. Their entire business model relies on a good relationship with the credit card brands, so they don’t take any risks. For instance, Stripe outright prohibits certain businesses to use their platform because those businesses come with a high risk.
Plus, using a gateway means you can leverage their reputation. If you were to try to set up an arrangement directly with Mastercard, for instance, it would be expensive because Mastercard wouldn’t have much reason to trust you.
But if you use a gateway like Stripe, you aren’t Mastercard’s customer. Stripe is Mastercard’s customer, and Mastercard trusts Stripe because they’ve processed millions of successful transactions together. That means Stripe gets a better rate than you ever could.
Does using a payment gateway mean you can ignore PCI compliance? Absolutely not.
There are lots of ways you could violate PCI compliance that have nothing to do with the gateway. For instance, if you wrote your customers’ credit card info on a piece of paper and taped it to your wall, you’d be violating the PCI standards, but there’s no way the gateway could protect you.
PCI Compliance Standards Change
Sadly data thieves, hackers, and malicious parties are creative and sophisticated. They adapt their methods to new security technologies just as fast as we can protect ourselves.
So the last thing you need to know about PCI compliance is this: Standards change all the time. What’s acceptable today might not work tomorrow. If you manage your own payment processing, it’s critical that you stay abreast of the changes so you don’t leave yourself vulnerable.
If you use a payment processor (like Stripe, PayPal, Authorize.net, etc.), the processor will keep you compliant (if that’s one of their features), but it’s still good to understand the changing landscape.