The progress of technology has brought with it new problems, and the financial sector is no exception. While the introduction of globally accredited debit and credit card payment systems has made life easier for consumers, it has also led to the development of new crimes and systematic ways of committing fraud. It is important that these issues are addressed, and measures are put in place to tackle them. In the early 1900s, there was no globally accredited payment system for debit or credit cards. However, a few decades later, plastic cards became commonplace and made payments easier. This technological advancement was welcomed by many as it reduced cash-based robberies. However, it also exposed new forms of financial crime, including identity theft, application fraud, account takeover, card skimming, phishing, and card-not-present frauds (CNP frauds). How can this fraud be contained? How can this crime be limited? Part of the answer is PCI-DSS.
What is PCI-DSS Compliance?
The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security standards developed by major credit card companies to ensure that businesses that accept, process, store or transmit credit card information do so securely and prevent data theft and fraud. Established in December 2004, PCI-DSS was created to enhance the security of cardholders’ and online customers’ data. The standard is governed by an independent body called the Payment Card Industry Security Standards Council (PCI SSC), which was formed in September 2006.
Although the primary goal of PCI-DSS is to ensure that businesses handle cardholders’ data securely, it is important to note that the payment brands, the banks concerned, and acquirers are responsible for enforcing compliance, not the PCI SSC. Even so, compliance is enforced in a subtler way: it is made a condition for any business that processes financial transactions through credit or debit cards. While PCI-DSS may be perceived as a “good to have” program, it is as stringent as a governmental regulation. This brings us to PCI Certification.
What is PCI Certification?
PCI SSC defines a set of requirements that a business, merchant, organization, or company must meet to keep cardholders’ data secure. PCI Certification is valid proof from an organization or merchant that it follows the policies, guidelines, procedures, and best practices for secure payment processing specified by PCI SSC. Indirectly, the merchant/business makes it clear to its customers that it has done everything necessary to securely handle and safeguard the customer’s data during payment processing. This proof builds customers’ confidence because they have been reassured that their data is secured and that they are protected from identity theft, skimming, phishing, etc. It also encourages a lasting relationship between businesses and their customers.
To receive PCI Certification, you must prove to the PCI council that both the technological and administrative sides of your business that aid credit card transactions meet the PCI-DSS requirements. Merchants are expected to protect their customers’ data at all costs; that’s the rationale behind the request for compliance, knowing that both internal and external factors threaten the safety of customers’ information.
Who Should Comply With PCI-DSS Requirements?
To clarify, PCI-DSS requirements apply to any business or organization that deals with card payments, as PCI stands for “Payment Card Industry.” This includes merchants, acquirers, processors, issuers, and service providers that process transactions through users’ payment cards and transmit or store cardholders’ data (CHD) or sensitive authentication data (SAD). It is essential to note that all businesses, regardless of their size or seasonal nature, are expected to meet these requirements globally.
How to become PCI compliant?
To be PCI compliant, you must meet the below requirements and have these assessed yearly:
- Meet the set-out requirements by the Payment Card Industry Security Standards Council, as shown later in this article.
- Complete the necessary assessments, showing that your business transaction/payment system is secure. This often requires the help of a third party (depending on the size of the company), while most small businesses can perform an internal assessment/self-assessment.
- Continuously perform a scan of the network used to process payments. This technical exercise requires the help of a third-party firm.
PCI-DSS Compliance Levels
PCI has different levels of requirements based on the volume of payments processed by an organization in a year, as well as some additional factors. The lower the payment volume, the lower the level assigned and the less complex the compliance requirements. The same goes for implementing, auditing, and reviewing the organization’s compliance practices.
Each of the five major brands that make up the PCI-DSS body has a compliance program with different thresholds with which merchants must work. While they have different thresholds, they are similar in nature. Below are the four categories that a business can fall into, with level 4 being the lowest and level 1 being the highest level:
Level 1: Merchants who process over 6 million payment transactions annually
Level 2: Merchants who process 1 to 6 million payment transactions annually
Level 3: Merchants who process 20,000 to 1 million e-commerce transactions annually
Level 4: Merchants who process fewer than 20,000 e-commerce transactions annually, or any merchant who processes up to 1 million regular transactions per year.
While these levels remain the basic structure and categories that merchants have to deal with, any merchant that has experienced a cyber attack or hack that led to customers’ data loss may be moved up the ladder to a higher validation level. PCI SSC provides a wealth of materials and resources to guide merchants on how to protect cardholders’ data to ensure that they remain in business.
The 12 Requirements For PCI-DSS Compliance
- Install and maintain a firewall to ensure that network connections are tested and restricted from connecting to untrusted networks.
- Implement proper password protection by enabling only needed services, removing functionality from some devices where necessary, encrypting access, and avoiding the use of vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data by having policies for storing needed data, disposing of data, limiting what is stored, avoiding storage of certain types of data, and encrypting data. These encryptions should be done with encryption keys, which are also expected to be encrypted for compliance purposes. Regular maintenance should be carried out to ensure no unencrypted data exists.
- Encrypt cardholder data during transmission, especially when transmitted over open or public networks. Avoid sending unprotected account numbers via text, email, instant messaging, chat, or other end-user messaging channels.
- Use and regularly update antivirus software. Ensure that all software in use is protected with antivirus and constantly updated. Perform and document periodic scans and ensure that different pieces of software in use are running properly.
- Develop security systems and processes. This involves maintaining a vulnerability management program to find and take action on vulnerabilities that can come via software or human errors.
- Restrict access to cardholder data to a “need-to-know basis.” PCI-DSS requires that the roles that need access to sensitive data should be documented and updated if there is a change. This is to ensure that only staff, executives, and third parties who need access to sensitive data can have it. This means defining and documenting the level of access attached to each role and creating user privileges and control systems.
- Assign unique user IDs to everybody with access to the encrypted data. The activities of each user should be traceable through a unique access and identification program in the system. This reduces exposure and shortens response time in case data is compromised. For example, multiple users should not have access to data through one login (username and password).
- Restrict physical access to cardholder data. While cardholders’ data is being protected digitally according to the above requirement, the same measure must be enacted for physical access to data. Cardholders’ data must be physically kept in a secure location. All data physically written, typed, or digitally kept (e.g., on a hard drive, disc, etc.) should be locked in a cabinet, drawer, or safe room. Even though access to this sensitive data is limited, a record of the time these pieces of data are accessed should be kept to remain compliant. For organizations with dedicated rooms or offices to protect sensitive data, cameras can be used to monitor who is in sensitive areas of the business at any given time.
- Track and monitor who accesses networks and cardholder data. All activities around cardholders’ data must be tracked via log entries, audit trails, time-stamped tracking tools, and reviewing logs for suspicious activities. It is important to note that the accuracy of software or tools used for tracking entries and user activities is equally part of the requirement for compliance. One of the common non-compliance issues is the lack of proper record-keeping and documentation when accessing sensitive data.
- Regularly test systems and processes by doing quarterly vulnerability scans, monitoring traffic, etc. This is important because the majority of PCI-DSS requirements, as seen in the above requirements, deal with several software products, physical locations, and a few assigned employees. Seeing that the software and processes that make up the system play a significant role in being PCI compliant, it is then important to regularly test these systems and processes.
- Have a policy on information security. This involves documenting how your company gathers data, stores it, and uses it after the point of sale. As mentioned earlier, logs of when cardholders’ data were accessed will also require documentation. To manage all data that flows into your company efficiently, create a standard operating procedure. This means writing and publishing a policy that outlines usage rules for specific technologies and explains everyone’s responsibilities. The policy should be reviewed at least once a year to ensure it remains up-to-date and effective in protecting cardholder data.
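As an added illustration of the stored-data requirement above (store only what is needed, never keep sensitive authentication data, and check that no unencrypted cardholder data remains), here is a small Python example that is not part of the original article: it strips SAD fields from a payment record, truncates the PAN to its last four digits (an assumed masking policy), and scans a constructed log excerpt for unprotected PANs using the Luhn check. The field names, the test card number and the log lines are all constructed for the example.

```python
import re

# Sensitive authentication data (SAD) field names that must not be kept after
# authorization; these names are constructed for this example.
SAD_FIELDS = {"cvv", "cvv2", "pin", "pin_block", "track1", "track2"}

# Runs of 13 to 19 digits, optionally separated by spaces or dashes.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed log excerpt: an order id, an unmasked test PAN, and a masked PAN.
SAMPLE_LOG = (
    "2024-05-01 checkout order=1234567890123456 pan=4111 1111 1111 1111\n"
    "2024-05-01 refund pan=************1111\n"
)


def luhn_valid(digits: str) -> bool:
    """Luhn check: separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate for storage or display: keep only the last four digits."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def sanitize_record(record: dict) -> dict:
    """Drop SAD fields and truncate the PAN so the stored record holds only what is needed."""
    cleaned = {k: v for k, v in record.items() if k.lower() not in SAD_FIELDS}
    if "pan" in cleaned:
        cleaned["pan"] = mask_pan(cleaned["pan"])
    return cleaned


def find_unmasked_pans(text: str) -> list:
    """Scan logs or exports for digit runs that pass the Luhn check (unprotected PANs)."""
    hits = []
    for match in PAN_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits
```

Running `find_unmasked_pans` over exports, logs and backups on a schedule is one way to carry out the regular check that no unencrypted cardholder data exists; the masked entry and the order id in the sample are correctly ignored.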
Benefits of PCI Compliance
While reading through the requirements for PCI compliance may seem overwhelming, it’s important to keep in mind the benefits that come with it. Being PCI compliant can help reinforce customers’ confidence in your business by assuring them that their data is safe. The benefits of being PCI compliant according to PCI SSC include:
- You’re in business to make sales; being PCI compliant reinforces confidence in your customers to patronize your business, knowing that their data is safe with you.
- You need to work with acquirers and payment brands to collect payments from customers effectively; being PCI compliant increases your chances with these partners and your reputation as a company with a safe system for customers’ data.
- Meeting PCI Compliance makes complying with additional regulations easier, e.g., Health Insurance Portability and Accountability Act (HIPAA), Sarbanes–Oxley Act (SOX), etc.
- PCI Compliance is not a one-time “set-and-forget” program; it is a system that must be monitored and nurtured through each phase of technological development. Fraudsters are not relenting, as the techniques for stealing cardholders’ data keep getting more sophisticated. Being PCI compliant isn’t just doing your business brand a favor; it simultaneously contributes to the global payment card data security solution.
What Are The Penalties For PCI-DSS Non-Compliance?
Non-compliance with PCI DSS requirements can result in various penalties, including high transaction fees or termination of your business relationship with the bank, which means your business won’t be able to process transactions. If there’s a data breach, the card brand will check your PCI compliance status with the bank. If you’re found to be non-compliant, you may face additional fines, in addition to those mentioned earlier.
According to the University of California, merchants may face fines of up to $500,000 per security breach for non-compliance. Additionally, you’re required to notify all cardholders whose information is believed to have been compromised in writing. Considering the cost of this mandatory notification to the affected individuals, the potential cost of a security breach can exceed $500,000 when the cost of customer notification and recovery is added.
Below is a list of the potential costs of a security breach:
- $500,000 fines per incident for being PCI non-compliant
- Increased audit requirements
- A possible shutdown of credit card activity by the bank
- The cost of printing and postage for customer notification mailing
- The cost of staff time (payroll) during security recovery
- The cost of lost business during register or store closures
- The loss of customers’ confidence, which will lead to decreased sales
- Destroyed brand reputation
Non-compliance with PCI requirements can result in costly legal expenses and settlements if affected customers or clients decide to sue the company. Credit card companies can also take legal action against businesses that fail to meet PCI guidelines. While larger organizations may have the resources to survive such a breach and lawsuit, it can be devastating for small businesses. That’s why it is crucial to remain compliant with PCI requirements. While the process of becoming and staying compliant may be rigorous, stressful, and expensive, it is still more cost-effective and emotionally manageable than the consequences of non-compliance.
The PCI-DSS framework is primarily designed to ensure the secure handling of payment data, but the procedures and processes it lays out can also be valuable for safeguarding any sensitive data. At Identity.com, we believe that developers responsible for handling Personally Identifiable Information (PII) and other sensitive information can benefit from leveraging PCI-DSS compliance to ensure that such data is handled securely. Our open-source ecosystem provides access to on-chain and secure identity verification solutions that enhance user experience and reduce onboarding friction through reusable and interoperable Gateway Passes. For more information, please refer to our docs.