If you sell anything online - or even just follow the news related to recent credit card fraud - you’re probably aware that there are standards governing online payments. When those standards are violated, massive opportunities for fraud can occur. As an online merchant, it is critical to take measures to protect customer card data. The success of your business depends on it.
Fortunately, there’s a set of established rules to protect customer card data. It is called the Payment Card Industry Data Security Standard (PCI DSS), and it is governed by the Payment Card Industry Security Standards Council (PCI SSC). These rules are better known in our business vernacular as PCI compliance.
PCI DSS is made up of 6 goals covering 12 main requirements, which are as follows (according to the PCI DSS Quick Reference Guide):
In order to adhere to these rules, merchants complete a self-assessment questionnaire (SAQ). The SAQ type is determined by how the merchant accepts and processes cards (for example, a fully outsourced e-commerce checkout versus an in-house point-of-sale system), and it is used to understand where the merchant already adheres to PCI DSS and where there may be gaps.
Alongside the PCI DSS standard, there are 4 merchant levels of PCI compliance. The levels are defined by the card brands (Visa and Mastercard, whose definitions are summarized below) rather than by PCI DSS itself, and they are based on the annual number of transactions for any given merchant.
PCI Compliance Level 1 - greater than 6M Mastercard or Visa transactions annually, OR, a merchant that has experienced an attack resulting in compromised card data, OR, a merchant deemed level 1 by a card association.
PCI Compliance Level 2 - between 1M and 6M Mastercard or Visa transactions annually.
PCI Compliance Level 3 - between 20,000 and 1M e-commerce Mastercard or Visa transactions annually.
PCI Compliance Level 4 - fewer than 20,000 Mastercard or Visa e-commerce transactions annually, OR any other merchant processing up to 1M Mastercard or Visa transactions annually across all channels.
Levels 2, 3 and 4 broadly share the same validation requirements - a yearly self-assessment using the PCI SSC self-assessment questionnaire, a quarterly external network scan by an Approved Scanning Vendor (ASV, a vendor on the list published by PCI SSC), and an attestation of compliance (AOC) form. The exact requirements are set by the card brands and your acquiring bank, so check with your acquirer; Mastercard, for example, expects Level 2 self-assessments to be completed by staff with Internal Security Assessor (ISA) training or by a QSA.
Given the higher volume of transactions associated with level 1, the validation requirements are more stringent. For PCI level 1 compliance, the self-assessment is replaced by a yearly on-site assessment conducted by a Qualified Security Assessor (QSA), which produces a Report on Compliance (ROC); the quarterly ASV scans and the attestation of compliance are still required.
The yearly compliance assessment consists of a number of steps by the QSA, including scoping the cardholder data environment (your point of sale (POS) system, payment applications and every system connected to them), testing your controls against each of the 12 requirements, and documenting any gaps that must be remediated before the ROC can be signed off. Your job once the assessment is over (if you haven’t done this already) is to put in place the security processes that keep your systems compliant and monitored between assessments, since compliance is judged continuously, not just on assessment day.
Though this may seem like a long, arduous process, the risks of remaining noncompliant are enormous. Not only would a customer card data breach tarnish the reputation of your business, you could also expect fines and lawsuits - not from PCI SSC, which does not enforce the standard, but from Mastercard and Visa (via your acquiring bank) and potentially any number of banks. Target’s data breach resulted in a payment of $39M to US banks that issue Mastercard cards, and a $67M settlement with Visa. And that doesn’t even count the class action lawsuit filed directly by Target customers, which Target settled for $10M.
The best place to start if you’re new to PCI compliance (or even just level 1) is the PCI Security Standards Council website. There you’ll find tons of resources and PCI SSC-approved vendors.
There are also a whole host of PCI compliant vendors in the marketplace who will handle most of the process - with minimal intervention from you. Using a validated payment processor that keeps card data off your own systems can also substantially reduce your scope, and therefore the amount of PCI DSS you have to validate yourself.
PCI compliance is definitely a complicated process - and with good reason. Customer payment data is at stake, and any business wishing to use it must do the utmost to protect that data. If the process is too overwhelming to take on yourself, find a PCI compliant vendor to help walk you through it. But even so, make sure you are fully aware of PCI compliance standards, as your business is ultimately responsible.