This rise in card transactions led to the introduction of the Payment Card Industry Data Security Standard (PCI DSS). The standard aims to protect card information and prevent unauthorized usage.
If you’ve ever wondered, “who needs to be PCI compliant?” the answer is any business that accepts debit or credit card payments — much like the businesses engaging in the 39.6 billion transactions highlighted above.
While that explanation seems simple, there’s a whole lot more to PCI compliance than meets the eye.
Below, we cover when PCI compliance is required, exactly what types of businesses it applies to, and what happens if you’re not compliant.
The Payment Card Industry Data Security Standard (PCI DSS) is mandated by credit card companies to keep cardholder data safe. The standard provides guidelines for storing, transmitting, and processing card payments securely.
These security guidelines are outlined within the 12 PCI DSS requirements. Each requirement must be met in order to achieve PCI compliance.
Yes. PCI compliance is required for any business that processes, stores, or transmits cardholder data — regardless of the size and scale of your business.
A small business that handles 100 card transactions a year must comply with PCI DSS, just like an enterprise-level business that handles 1 million transactions.
However, PCI compliance for a small business will look a bit different from an enterprise-level organization. We’ll dig into these differences below.
PCI DSS applies to any organization that accepts, handles, stores, or transmits cardholder data. The standard also applies to any organization that impacts the handling, storage, or transmission of cardholder data.
Simply put, PCI DSS applies to any business that accepts credit and debit card payments.
The PCI DSS standard splits businesses into two main categories: merchants and service providers. We discuss the differences between the two below.
A merchant is any business that accepts payments with a card bearing the logo of any of the five major credit card companies: American Express, Visa, Mastercard, Discover, and JCB.
The steps for complying with PCI DSS will vary depending on which of the four PCI compliance levels your business falls under. These levels are determined by the number of card transactions your business handles in a given year.
Here’s a breakdown of the merchant compliance levels:
A service provider is directly involved with processing, storing, or transmitting cardholder data on behalf of a merchant.
A company that provides services that control or could impact the security of cardholder data is also considered a service provider.
Common examples of service providers include:
There are two compliance levels for service providers, which are determined by the number of transactions they store, process, or transmit.
Your service provider level dictates the reporting requirements you will need to prove compliance. For example, a Level 1 service provider will undergo annual audits conducted by a QSA to prove compliance, while a Level 2 service provider will complete an annual SAQ D.
There are a few consequences for businesses that fail to comply with PCI DSS.
Most notably, you could lose the ability to accept card payments. Your acquirer (aka your acquiring bank) could choose to terminate your relationship, leaving you unable to accept card payments.
Businesses may also face non-compliance fines and an increase in transaction fees.
Another potential consequence of non-compliance is a data breach. Since PCI DSS requires businesses to maintain security controls to keep cardholder data safe, non-compliance could mean that cardholder data is vulnerable to a breach.
If your business experiences a cardholder data breach, you may be required to follow the validation requirements of a higher compliance level. For example, if a Level 4 merchant experiences a data breach, it may be required to follow the reporting steps of a Level 1 merchant, which is a much more stringent process.
Becoming PCI compliant is no easy task.
Our team can help you navigate the 300-plus security controls and 12 requirements to achieve and maintain PCI compliance and lift some of the burden of compliance from your team’s shoulders.
Request a demo to find out more today.