PCI compliance means meeting the security standards that apply when you accept card payments. These requirements are defined by the Payment Card Industry Data Security Standard (PCI DSS) and managed by the PCI Security Standards Council (PCI SSC). The Council was founded in 2006 by the five biggest credit card providers (MasterCard, Visa, Discover, Amex and JCB International) to ensure that merchants (sellers and organizations) meet the required levels of security when they store, process and transmit cardholder data.
Being PCI compliant is not a requirement by law. However, merchants who accept card payments are strongly advised to follow the regulations set by the PCI SSC, both to reduce the risk of a data breach and to avoid hefty non-compliance fees. The requirements for becoming PCI compliant depend on how your company operates.
There are many areas where your business could have security vulnerabilities, such as operating systems and devices that attackers could use to gain access to your company's private network.
Data can be stolen from many areas, including but not limited to:
It is imperative that you identify any security weaknesses in your company that affect the protection of sensitive cardholder information. The security standards set by PCI DSS exist to safeguard both your business and your customers.
There are various levels of PCI compliance, which depend on the amount of payments your business processes each year (a 12-month period). The one requirement that applies across the board is that businesses achieve 100% PCI compliance and then maintain it. Doing so keeps both their own data and their customers' data safe.
Each of the five major credit card members of the PCI SSC has its own data security standards. Below is a simplified, general breakdown of potential PCI DSS requirements. As you can see, the PCI DSS regulations are split into four merchant levels.
PCI requirements therefore depend on which level applies to your business. Each level requires merchants to complete the relevant PCI DSS Self-Assessment Questionnaire (SAQ). This provides evidence that the merchant has completed and passed a vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV), and has completed and submitted the Attestation of Compliance (AOC) to their acquirer.
If you would like any clarification on the information here, please visit the PCI Security Standards website.