On at least a weekly basis, I type my credit card information into my computer to make a purchase of some kind. From clothing to groceries, we can pretty much purchase anything online. At this point, I don’t give my online purchases a second thought.
While the number of online purchases we make keeps growing, so does the amount of payment card data stolen each year. At the end of 2018, Marriott International announced a data breach affecting roughly 500 million guests, including some payment card numbers.
How can we be sure the online retailers and service providers collecting our credit card data are taking the necessary measures to secure our information? This is where PCI compliance comes in.
What is PCI compliance?
Payment processing security has a relatively long history. As online payments became more common in the early 2000s, so did security breaches. At the end of 2004, the five major card brands (American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc.) banded together to create the Payment Card Industry Data Security Standard (PCI DSS) version 1.0, replacing their separate, brand-specific programs. All merchants handling card payments were required to comply with the new standard. To support its continued evolution, the five brands formed the Payment Card Industry Security Standards Council (PCI SSC) in 2006 to maintain the standard. PCI DSS has since gone through a number of major and minor revisions. At the time of writing, the current version is 3.2.1.
Today, the PCI DSS is a globally accepted standard.
The PCI DSS is not a law, but it is enforced. Merchants agree to meet the PCI DSS as part of their contractual obligations with their acquiring bank and the card brands, and the brands enforce it through fines and, ultimately, loss of card acceptance. Separately, regulators such as the Federal Trade Commission (FTC) have taken action against companies for inadequate data security practices, and a few US states reference the PCI DSS in their data protection statutes, so a non-compliant merchant can face pressure from more than one direction.
Who needs to comply with the PCI DSS?
This is an easy answer. Regardless of size, age, or number of transactions, the PCI DSS applies to ALL organizations that accept, process, transmit, or store cardholder data. Each card brand also sorts merchants into levels by the number of transactions processed per year; the levels below are Visa's, and the other brands define similar tiers with slightly different thresholds.
Level 1: Merchants processing over 6 million card transactions per year
Level 2: Merchants processing 1 to 6 million transactions per year
Level 3: Merchants handling 20,000 to 1 million transactions per year
Level 4: Merchants handling fewer than 20,000 transactions per year
The merchant level determines how compliance is validated: Level 1 merchants must undergo an annual on-site assessment resulting in a Report on Compliance, while lower levels typically complete an annual Self-Assessment Questionnaire (SAQ). Quarterly vulnerability scans by an Approved Scanning Vendor (ASV) apply wherever the merchant has externally facing systems in scope. Your merchant level changes the paperwork, not the obligation: every level must meet the same PCI DSS requirements.
What happens if you don’t comply?
Most of the requirements in the PCI DSS are security best practices, so it is in your own interest to remain compliant regardless of enforcement.
However, if you fail to achieve or maintain compliance, the card brands (not the PCI SSC itself, which maintains the standard but does not enforce it) can impose fines commonly cited as anywhere between $5,000 and $100,000 per month until compliance is achieved. These fines are levied on the merchant's acquiring bank, which passes them on to the merchant. For repeated violations, the card brands may revoke the merchant's ability to accept their cards entirely.
How does compliance affect me?
At first glance, achieving and maintaining PCI compliance may seem burdensome and expensive. But PCI compliance will result in a number of benefits for your organization. Here’s a list of the top benefits you can count on.
1. Peace of mind for your customers.
In 2017, nearly half of all Americans had their records exposed during the Equifax data breach. With breaches from Adobe to Target, consumers’ concerns about privacy have never been higher. At this point, just about everyone has been impacted. You want to ensure that your customers can trust that their data is safe with your organization. Achieving PCI compliance spreads peace of mind and creates brand-loyal, returning customers who willingly refer colleagues, friends, and family.
2. Positive brand reputation.
It should go without saying, but you do not want to experience a data breach. If you’re able to survive the financial burden that comes with a breach, you’ll need to clean up the impact it has on your brand perception. In competitive industries, your brand is one of your strongest assets. As breaches continue to be a problem, being a PCI compliant organization increases trust in your brand. Achieving and maintaining PCI compliance is an investment in security and an investment in the long-term health of your brand.
3. Compliance in other areas.
Security is a widespread concern and has been for a long time. Across the globe, companies and government bodies are enacting large-scale data protection requirements. If your organization does business across industries or countries, there may be other areas where you need to achieve compliance. For example, the EU requires organizations handling personal data of EU residents to comply with the General Data Protection Regulation (GDPR). Some of the basic tenets of GDPR and PCI DSS overlap: both push organizations to limit the sensitive data they store, with GDPR's data minimization principle on one side and the PCI DSS rules against storing sensitive authentication data and in favor of keeping cardholder data storage to a minimum on the other.
Once you meet the PCI DSS requirements, much of that work (network segmentation, access control, logging and monitoring, encryption, vulnerability management) carries over to other frameworks, although each has its own scope and evidence requirements, so PCI compliance does not automatically satisfy them. Your team will also be better prepared to meet new requirements as other compliance standards come up.