Wondering about PCI Compliance? We explain what it is, why it matters, and why you must adhere to it.

What Is PCI Compliance?

PCI compliance is a requirement to meet a set of technical and operational standards for protecting credit card data. PCI Compliance Standards are set by the PCI Security Standards Council.

The goal of PCI (Payment Card Industry) compliance is to protect customer financial information as technology evolves. The PCI Data Security Standard (PCI DSS) is a set of standards requiring all companies that process, store, or transmit credit card information to maintain a secure environment.

PCI standards are updated and managed by the PCI Security Standards Council (PCI SSC). The council is led by an executive committee with representatives from major credit card companies, such as Visa, American Express, and Discover. Outseer closely monitors developments in the compliance space and actively participates on the PCI SSC Board of Advisors.

Meeting and Maintaining Compliance

PCI DSS applies to any organization that accepts, transmits, or stores credit card information. Companies must comply with these standards regardless of how many transactions they process. PCI compliance is not a one-time assessment, either. It is an ongoing process that requires regular evaluations of the systems and practices organizations have in place to keep cardholder data safe.

PCI Compliance Penalties

The passing grade for PCI compliance is 100%, meaning one missed criterion puts a business in noncompliance. If a breach were to occur, and the lending bank or credit card company found your organization was in noncompliance at the time, you could be subject to hefty fines.

These fines can range from $5,000 to $500,000 depending on the size of your business and degree of noncompliance. You could also lose your ability to accept credit card payments for several years. And organizations that are monitored by the FTC may be subject to an FTC audit.

Lastly, customers who suffered a loss due to your non-compliance may file lawsuits against you. Not only are these time-consuming and expensive, but they also obliterate your brand image, costing you future business.

PCI Compliance Levels

The type of requirements your business must follow is determined by the number of transactions processed annually. This means small businesses will approach PCI compliance differently than an enterprise organization.

There are four merchant levels described by the PCI SSC:

Level 1: Merchants that process over six million card transactions annually.

Level 2: Merchants that process one to six million transactions annually.

Level 3: Merchants that process 20 thousand to one million transactions annually.

Level 4: Merchants that process fewer than 20 thousand transactions annually.

To ensure that payment information is protected, merchants at every level must undergo an assessment. Level 1 merchants must undergo an external audit performed by an ISA (Internal Security Assessor) or a QSA (Qualified Security Assessor).

Merchants between levels 2 and 4 can complete a self-assessment questionnaire (SAQ). It’s important to take your time when completing the self-assessment and answer truthfully, as dishonest answers can result in severe penalties if a breach occurs.

Compliance Requirements

There are both technical and procedural requirements set forth by the PCI SSC to meet PCI compliance.

Below are 12 of the key requirements to meet compliance:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update antivirus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data on a need-to-know basis
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel

Depending on your organization’s size and structure, meeting compliance can take time. Having robust internal IT policies along with a systems administrator who manages the network can help keep your company compliant.

There are numerous auditing tools that can scan your network to identify and prioritize issues keeping you non-compliant. Administrators may need multiple tools to properly audit network configuration, access rights, and sensitive information storage.

Protecting Against Card-Not-Present Fraud

Organizations can fall in and out of PCI compliance, which can potentially leave credit information exposed. If stolen, this information can be used to make unauthorized purchases.

Even if your business is PCI compliant, credit card information stolen elsewhere can be used to make unauthorized card-not-present (CNP) transactions.

In the case of CNP fraud, business owners can end up footing the bill for each transaction. This not only results in a loss of revenue but can end with payment processors terminating their accounts with your business. According to the Aite-Novarica Group, loss from CNP fraud is expected to top $17.2 billion by 2023.

There are a few steps you can take to protect yourself from fraudulent charges:

  • Implement the EMV® 3-D Secure (3DS) payment authentication protocol
  • Keep websites and online tools updated
  • Require billing address (AVS) and CVV verification
  • Leverage firewall rules to limit exposure to risky transactions

The Outseer Solution: Stop Fraud, Not Transactions

Outseer 3-D Secure builds on the 3DS standard to provide the best in payment authentication without sacrificing user experience. With the Outseer Risk Engine at its core and intelligence from our global data network partners, Outseer 3-D Secure transparently evaluates each transaction in real time to prevent 95% of all fraud, with only 5% of transactions ever requiring intervention.

By seeing what others can’t, we push losses down and revenues up while helping you maintain PCI compliance. To learn how you can protect your customers through the power of frictionless fraud prevention, request a free demo today.

Mark Crichton

Chief Product Officer

With over 20 years’ experience in architecting, deploying, developing and strategic consulting within the realm of global IT security and payment security solutions, I am uniquely positioned with real world practical experience, knowledge and a reputation for being resolutely focused on consumer needs, strategic advantage and driving to a solution that maximises competitive advantage.

My passion with technology is defining and creating a seamless user journey, fusing technical know-how with an understanding of current business issues, to help achieve business goals through technology.