PCI Guide for Businesses
- What is PCI compliance and why is it important?
- PCI standards and who they apply to
- The six main PCI DSS objectives
- PCI compliance checklist: 5 key requirements
- PCI compliant vs. PCI certified: what’s the difference?
- Risks of PCI noncompliance
- Testing and maintaining PCI compliance
- Spirion helps make PCI Compliance simple
PCI Guide for Businesses: How to Check, Test and Maintain Compliance
A breach of your customers’ personal information can be disastrous—and amplified even more so when it involves sensitive financial data. When you accept credit cards, debit cards and other forms of electronic payment, your organization collects highly sensitive cardholder data that travels through multiple systems. This data needs to be safeguarded, and the Payment Card Industry Data Security Standard (PCI DSS) makes sure of this.
The PCI DSS is a standard mandated by the largest credit card companies to secure transactions in the payments industry, and violating it can lead to hefty fines and serious reputational damage. The standard requires organizations to accept, store, process and transmit cardholder data securely in order to prevent fraud and data breaches. Because of the way many online payment processors integrate with other systems, the requirements can affect an organization’s operations in multiple areas, from security management to policies, network architecture and more.
Even though it seems like a heavy lift, PCI compliance doesn’t have to be confusing or difficult. In this guide, we break down everything you need to know, including:
- What PCI Compliance is and why it’s important
- Who PCI standards apply to
- The main objectives of PCI
- A complete PCI compliance checklist
- What it means to be PCI Compliant or PCI certified
- PCI noncompliance risks
- Testing and maintaining PCI compliance
- PCI data discovery tools and software that make compliance easy
Let’s dive in.
What is PCI compliance and why is it important?
The PCI was launched in 2006, around the time when online payment processing systems began emerging and growing in popularity. As online transactions began trumping offline cash payments, security standards had to be created. The five largest credit card companies—Visa, MasterCard, Discover, American Express and JCB International—formed the PCI SSC (Security Standards Council) and created the PCI DSS to help prevent costly data breaches of sensitive financial information.
The PCI SSC is responsible for developing the PCI DSS, which has six major objectives, 12 key requirements, 78 base requirements and over 400 test procedures.
Why PCI data security standards are important
Electronic payment methods leave a data trail, one that includes sensitive information that could harm an individual if it falls into the wrong hands. Attackers who gain access to cardholder data make fraudulent purchases, and this affects the cardholder, the merchant, and the bank or credit card company.
First and foremost, PCI data security standards protect the victims of fraud. These standards give consumers greater peace of mind that they won’t be held responsible for unauthorized charges and that they will be refunded any fraudulent expenses.
When fraudulent transactions are made, it’s usually either the merchant or the bank that pays. In 2019 alone, reported dollar losses for credit card fraud totaled $135 million according to the Federal Trade Commission (FTC). Other significant losses include $439 million through wire transfers, $103 million through gift and reload cards, and $89 million in debit bank accounts. That’s a lot of money at stake that merchants and banks do not want to lose. That’s why it’s critical for organizations to follow PCI compliance standards.
PCI standards and who they apply to
The PCI DSS applies to any organization that processes, stores or transmits payment card data. If you’re a merchant, you need to follow the PCI guidelines regardless of whether you operate offline, online or both. Since cardholder data travels across an array of systems, PCI compliance standards apply to:
- Card readers
- Point-of-sale (POS) systems
- Store networks
- Payment card data storage
- Paper records
- Online payment applications
- Online shopping carts
PCI compliance levels based on business size
The PCI DSS applies to many businesses but the compliance requirements are not the same for all organizations. There are four levels of compliance that are based on the number of transactions that a business handles each year.
- Level 1: Over 6 million transactions per year on any acceptance channel
- Level 2: 1 million to 6 million transactions per year on any acceptance channel
- Level 3: 20,000 to 1 million e-commerce transactions per year
- Level 4: Fewer than 20,000 e-commerce transactions per year, or a merchant that processes up to 1 million transactions per year on any acceptance channel
Reporting requirements for each level
Regardless of what level your business falls under, you still need to adhere to the twelve key PCI compliance requirements. The differences between the four levels of compliance fall under reporting requirements, which are as follows:
Level 1 businesses must:
- Complete an annual Report on Compliance (ROC) through a Qualified Security Assessor (QSA)
- Complete quarterly network scans by an Approved Scanning Vendor (ASV)
- Complete the Attestation of Compliance form
Level 2 businesses must:
- Complete an annual Self-Assessment Questionnaire (SAQ)
- Complete a quarterly network scan by an ASV
- Complete an Attestation of Compliance form
Level 3 businesses must:
- Complete an annual SAQ
- Complete a quarterly network scan by an ASV
- Complete an Attestation of Compliance form
Level 4 businesses must:
- Complete an annual SAQ
- Complete a quarterly network scan by an ASV
- Complete the Attestation of Compliance form
The six main PCI DSS objectives
There are six main objectives of the PCI DSS, and they serve as the core framework from which the requirements are developed:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
For example, the first objective, “Build and Maintain a Secure Network,” is the central theme of the first two key requirements: install firewalls to protect cardholder data, and use unique passwords rather than defaults. Together these requirements fulfill the objective of building and maintaining a secure network.
PCI compliance checklist: 5 key requirements
Now that we know what the main objectives of the PCI DSS are, we can better understand why the following requirements are critical.
- Install and maintain a firewall configuration to protect cardholder data.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Restrict cardholder data access to a need-to-know basis only.
- Track and monitor all access to cardholder data and network resources.
PCI compliant vs. PCI certified: what’s the difference?
Compliance and certification—while they sound similar, these terms mean very different things. Compliance means that your organization fully adheres to the PCI DSS requirements. Certification, on the other hand, means that your organization has been formally certified as compliant. This is granted through a comprehensive process that involves an intensive audit performed by a QSA.
So, while your business must always be PCI compliant and prove that its operations are within compliance standards, it’s not necessary to be PCI certified. Attaining PCI DSS certification has its benefits. Organizations gain peace of mind knowing that they are safeguarding personal data to the best of their ability. And while consumers aren’t thinking of PCI compliance when they shop, it certainly doesn’t hurt to have that certification on a business’s FAQ section as reassurance for their consumers on how payments are handled.
Risks of PCI noncompliance
Even though PCI compliance is not a federal law, it still applies to merchants and payment card companies as a contractual agreement. For example, if a business accepts Visa and PayPal, they must be PCI DSS compliant because they have entered a contractual agreement with those two payment card companies.
Payment card companies have a lot at stake when it comes to cases of fraud or data breaches. The PCI SSC can issue fines for PCI noncompliance that range anywhere from $5,000 to $100,000 per month.
And of course, in the event of fraud or a data breach, the financial losses can end up being significantly higher. Not only is there the cost of refunding or making restitution to the victims of the incident, but there will also be forensic audits and investigations that can seriously tap into your organization’s financial resources. And if cases of fraud are rampant or the data breach is large, your business risks reputational damage. Will consumers trust shopping with you, or will they choose a competitor where they feel their private financial data is in safer hands?
Testing and maintaining PCI compliance
Once you’ve successfully proven to be PCI compliant, the work does not stop there. Organizations need to maintain compliance continuously and keep up with any changes to the PCI DSS. We’ve seen more card companies, payment processing systems and even currencies (cryptocurrency) evolve over the past few years, and they will only continue to evolve. To that end, the PCI DSS will evolve with these changes, and businesses need to keep up.
Testing and maintaining compliance is an ongoing endeavor that may involve:
- Running anti-virus scanning software daily
- Performing external penetration testing quarterly or every six months to ensure a secure network and environment
- Documenting all firewall policies and procedures
- Documenting security policies and operational procedures
- Maintaining an inventory of all hardware and software used
- Reviewing all locations, systems and devices to which cardholder data is transmitted
- Conducting employee training annually or twice a year
- Continuously checking the latest encryption vulnerabilities and updating your encryption as needed
- Maintaining audit logs that track actions taken by personnel with administrative privileges
- Creating and updating a current list of third-party service providers
- Creating a data breach response plan in case cardholder data is compromised
When it comes to testing and maintaining compliance, the common themes are making sure systems are updated, staying current on industry vulnerabilities, documenting all relevant information, and keeping track of where all your data travels and lives. While these measures aren’t necessarily difficult in nature, they can certainly be time-consuming and eat into your employees’ hours that could be better spent making smart, strategic decisions. Many of these tasks can be automated and performed with greater accuracy using PCI compliance tools that track where sensitive financial data lives in real time.
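The last of those themes, keeping track of where cardholder data lives, is what a data discovery scan does in practice. The following is an added example written for this guide; it is not Spirion’s code or that of any tool the page names. It finds candidate card numbers in text, discards digit runs that fail the Luhn check (order ids, mistyped numbers), and records each hit masked to its last four digits so the resulting inventory never stores a full PAN. The function names (`scan_text`, `luhn_valid`, `mask_pan`, `brand_of`), the `Finding` record and the sample CSV are all constructed for the illustration, and the card numbers in the sample are publicly known test numbers, not real accounts.

```python
"""Constructed PAN discovery example: find Luhn-valid card numbers in text
and report them masked (last four digits only). All names are hypothetical."""
import re
from dataclasses import dataclass
from typing import List

# Candidate: 13-19 digits, optionally separated by single spaces or hyphens,
# not preceded or followed by another digit.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; weeds out order ids and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, so the report itself holds no PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def brand_of(digits: str) -> str:
    """Simplified prefix lookup (assumption: covers only a few common ranges)."""
    if digits.startswith("4"):
        return "Visa"
    if digits[:2] in ("34", "37"):
        return "American Express"
    if 51 <= int(digits[:2]) <= 55:
        return "Mastercard"
    return "unknown"


@dataclass
class Finding:
    source: str      # file or system the text came from
    line_no: int     # 1-based line within that source
    masked_pan: str  # never the full PAN
    brand: str


def scan_text(source: str, text: str) -> List[Finding]:
    """Return one Finding per Luhn-valid PAN found in `text`."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append(
                    Finding(source, line_no, mask_pan(digits), brand_of(digits)))
    return findings


def report(findings: List[Finding]) -> List[str]:
    """Human-readable lines suitable for an inventory of where PANs live."""
    return [f"{f.source}:{f.line_no} {f.brand} {f.masked_pan}" for f in findings]


# Constructed sample: a CSV export holding well-known public test card numbers,
# plus 16-digit order ids and a mistyped card that must NOT be reported.
SAMPLE_EXPORT = """\
order_id,customer,card,note
1234567890123456,alice,4111 1111 1111 1111,paid
2234567890123457,bob,5555-5555-5555-4444,paid
3234567890123451,carol,378282246310005,refund pending
4234567890123459,dave,4111111111111112,typo in card field
"""

if __name__ == "__main__":
    for line in report(scan_text("export.csv", SAMPLE_EXPORT)):
        print(line)
```

Run against the sample, the scan reports three masked findings (the Visa, Mastercard and American Express test numbers on lines 2 to 4) and nothing for the order ids or the mistyped number, which is the behaviour you want from a discovery tool feeding a compliance inventory: low false positives, and no new copy of the data it is looking for.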
Estimated costs involved with reaching PCI compliance
The amount your business will spend on PCI compliance varies. There are a lot of factors involved. For instance, the type of payment processors you choose may charge a PCI compliance fee. Many payment processors tend to roll the cost of compliance into your monthly fee or transaction fees, but some may have an added compliance fee.
The costs may also depend on your business size. Level 1 businesses are required to complete an annual Report on Compliance (ROC) through a Qualified Security Assessor (QSA). Level 4 businesses, on the other hand, don’t need to hire a QSA to be compliant. Fees for a QSA typically start around $10,000, so that alone has a big impact on what you can expect to spend annually on PCI compliance. Costs can range from $1,000 to $50,000 annually, and sometimes even more.
Spirion helps make PCI Compliance simple
The rules of PCI compliance are pretty straightforward—it’s the continuous maintenance that can be a difficult, time-consuming endeavor for CISOs and other security leads in your organization. One of the common struggles that security teams face is not having the full picture of the data landscape that they are dealing with.
This is where Spirion can make PCI compliance easier, with three important functions woven into one AI-driven solution. The Spirion Data Platform gives organizations rapid sensitive data discovery, so your team has a real-time record of where all of your sensitive PCI data lives and who has access to it. This gives your team a solid foundation and makes it easy to set up automated, triggered workflows to act on issues quickly.