What is PCI Compliance?
There are four levels of Payment Card Industry Data Security Standard (PCI DSS) compliance, designed to help protect businesses and customers from data theft and fraud. Merchants and payment providers need certification at one of these levels, depending on how transactions are processed and how many are handled per year.
PCI DSS compliance applies to all kinds of payments: in person (card machines), online, over the phone and by mail. Whether the cardholder is present or not, you cannot process these payments without compliance.
How To Become PCI DSS Compliant
Merchant acquiring banks and payment providers will all have a preferred Qualified Security Assessor (QSA), which is your first call for gaining the relevant PCI certificate for your business.
There are four levels of compliance, starting with integration requirements that all businesses that process online payments have to adhere to:
- Form Integration: A simplified online self-assessment questionnaire, regardless of the number of annual transactions processed.
- Server & iFrame Integration: Monthly or quarterly vulnerability scans, performed by a PCI SSC Approved Scanning Vendor (ASV). Your merchant acquiring bank's QSA will have a preferred provider for this service.
Level 4: Less than 20,000 transactions/year.
Simplified online self-assessment, with monthly or quarterly vulnerability scans to verify compliance. No additional software is needed, and the approved ASV will not attempt denial-of-service attacks as part of the scan.
Level 3: 20,001 – 1 million transactions/year.
A more detailed certification process, followed by remote assessment, compliance validation, monthly scans (across 10 IP addresses) and an SSL certificate validation.
Level 2: 1 – 6 million transactions/year.
A detailed certification application process, followed by remote assessment, compliance validation, monthly scans (across 50 IP addresses) and an SSL certificate validation.
Level 1: Over 6 million transactions/year.
The most demanding application process, followed by on-site assessments, penetration tests and monthly vulnerability scans, along with SSL certificate validation.
How Is PCI Compliance Monitored?
Overseeing the various levels of regulatory checkups is the Payment Card Industry Security Standards Council (PCI SSC), which was launched on September 7, 2006, to manage the evolving payment security landscape. The major card brands correctly anticipated that the Internet would be the next frontier for card payments, consumer trends and fraudsters alike.
Nothing could cripple the industry more than the risk of consumers losing faith in the brands behind their favourite credit or debit cards. The PCI SSC was designed to safeguard this, issuing the compliance certificates that merchants, banks and payment providers now have to implement and monitor.
It was founded and is supported by Visa, MasterCard, American Express, Discover and JCB, although the council itself is not responsible for enforcing compliance.
When a business, a merchant for example, is out of compliance or suffers a data breach, it can be fined by the entity (acquiring bank or payment provider) that processes its card transactions. Businesses responsible for allowing a data breach in which consumer data is stolen can be subject to much larger fines, both from banks and from the card brands. Card brands can also step in and try to resolve a compliance matter directly with a merchant or bank.
Given the power card brands have to enforce compliance, including monthly fines from $5,000 to $100,000, this is something all merchants, and especially small businesses, need to take seriously. The PCI SSC recommends being ‘familiar with your merchant account agreement, which should outline your exposure.’
For more information it is also worth reading these FAQs from the PCI SSC: https://www.pcicomplianceguide.org/pci-faqs-2/#4
One way to reduce your PCI liability is to use tokenisation when taking online card payments. This removes the card data element from the merchant’s PCI compliance scope: card details are stored by a Level 1 payment services provider (Secure Trading), and the merchant processes transactions using a token that has no value outside that provider.
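The scope reduction above comes from the merchant never holding the card number. The following added example (hypothetical code, not Secure Trading’s API) sketches a PSP-side vault that issues random tokens and a merchant store that keeps only the token and last four digits, then checks that a dump of the merchant’s records contains no PAN:

```python
import re
import secrets

# Constructed sample card numbers (industry test PANs, not real accounts).
SAMPLE_PANS = ["4111111111111111", "5555555555554444"]


class TokenVault:
    """Hypothetical PSP-side vault: the only place the full PAN is stored."""

    def __init__(self):
        self._by_token = {}

    def tokenise(self, pan: str) -> dict:
        digits = re.sub(r"\D", "", pan)
        if not 13 <= len(digits) <= 19:
            raise ValueError("PAN length out of range")
        # The token is random, not derived from the PAN, so it cannot be
        # reversed or guessed back to the card number outside the vault.
        token = "tok_" + secrets.token_urlsafe(24)
        self._by_token[token] = digits
        return {"token": token, "last4": digits[-4:]}

    def charge(self, token: str, amount_minor: int) -> bool:
        # The PSP resolves the token internally; the merchant never sees the PAN.
        return self._by_token.get(token) is not None and amount_minor > 0


class MerchantStore:
    """What the merchant persists: token plus last4 for display, never the PAN."""

    def __init__(self):
        self.customers = {}

    def save_card(self, customer_id: str, vault_response: dict) -> None:
        self.customers[customer_id] = {
            "token": vault_response["token"], "last4": vault_response["last4"]}


def merchant_holds_pan(store: MerchantStore, pans) -> bool:
    # Simulates a breach of the merchant database: does any full PAN appear?
    dump = repr(store.customers)
    return any(p in dump for p in pans)


def demo():
    vault, store = TokenVault(), MerchantStore()
    for i, pan in enumerate(SAMPLE_PANS):
        store.save_card(f"cust{i}", vault.tokenise(pan))
    charged = all(vault.charge(r["token"], 1999) for r in store.customers.values())
    return charged, merchant_holds_pan(store, SAMPLE_PANS)
```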
To find out more about how Secure Trading can help you become PCI compliant and more about tokenisation contact the team who will be delighted to answer your questions.
You may also be interested in downloading our whitepaper on Payment Tokenisation: The Future Of Payment Fraud Prevention.