Payment Card Industry Data Security Standard (PCI-DSS) compliance is a critical procedure for merchants of all sizes. If your business processes card payments, you are required to comply with merchant guidelines. Failure to comply can result in financial penalties or loss of the ability to process cards for payment. In this blog, you'll learn who is required to comply with PCI-DSS, and some of the requirements, so you can begin mitigating your risk.
Who is Required to Comply with PCI Regulations?
PCI is required for any organization that accepts, transmits, or stores any cardholder data. Organizational size, industry, or geographic region has no impact on whether or not you are required to comply with PCI.
What is Required to Comply?
Compliance requirements vary according to the "level" your business is designated as. Organizations are categorized with a level number from one to four, depending on the volume of cardholder data processed on an annual basis. However, your level can vary according to card merchant requirements.
Your organization may have one level with Visa but a different level according to American Express' standards. It is important to determine, with the help of a qualified assessor, your "level" with each of the major card merchants:
- Visa®
- Discover®
- Mastercard®
- American Express®
A sample of possible merchant guidelines is displayed below. This example is not designed to capture up-to-date merchant requirements. It's simply used to illustrate some of the criteria merchants use to determine an organization's level of compliance requirements.
| Merchant Level | Definition |
| 1 | >6 million transactions per year |
| 2 | 1–6 million transactions per year |
| 3 | 20,000 to 1 million eCommerce transactions per year |
| 4 | Fewer than 20,000 eCommerce transactions per year, or fewer than 1 million non-eCommerce transactions per year |
After determining the level of compliance required by your organization, you must demonstrate compliance with the twelve areas covered under PCI guidelines. This includes the following major areas of compliance, each of which includes a number of sub-requirements:
- Use an up-to-date firewall
- Implement password change policies
- Do not store unencrypted card data
- Use encryption to protect the transmission of card data
- Keep antivirus software up to date
- Keep all security patches up to date
- Limit access to cardholder data
- Assign unique user identification and credentials for accountability
- Restrict physical access to cardholder data
- Monitor your network
- Perform regular testing on a quarterly and annual basis
- Continually train and educate your staff
How to Ensure You're PCI Compliant
The PCI Security Standards Council recommends a three-part process to ensure compliance:
Continual assessment – PCI compliance should not be something that you worry about only once a year; rather, it should be an ongoing, year-round effort to ensure your IT environment stays secure and you have mitigated your risk of suffering a data breach.
Immediate remediation – Anything that causes your organization to fall out of PCI-DSS compliance should be addressed promptly. Given the critical nature of credit card data and the evolving cybercrime threat landscape, immediate action must be taken when an issue is detected. "It can wait until tomorrow," simply isn't an option.
Report – Like PCI compliance itself, reporting should occur on a regular basis, not just once a year when completing your Report on Compliance (ROC). This provides essential feedback, ensuring you remain PCI-DSS compliant. Many IT security tools within your PCI environment, such as file integrity monitoring software, can provide real-time insight into your risks. Unfortunately, many organizations don't pay attention to this valuable data.
A self-assessment may not reveal all of your vulnerabilities, particularly at organizations with complex data flows. Organizations of all sizes should consider hiring a Qualified Security Assessor (QSA) or certified PCI expert to perform the following aspects of a comprehensive assessment:
- Verify merchant standards
- Confirm standards are met
- Provide guidance on compliance requirements
- Complete onsite assessment
- Evaluate adherence to PCI policy standards
- Produce an ROC for merchant submission
Data Security
While specific requirements can vary according to your compliance level, few organizations are exempt from adhering to PCI requirements. By implementing a comprehensive approach to information security, including continual assessment, a culture of remediation, and reporting, you can significantly reduce your company's risks of a data breach.
While PCI represents best practices for cardholder data protection, it also allows organizations to protect their employees and customers from cybercriminals.
