The explosive growth of e-commerce has substantially changed our payment behaviour, bringing the convenience of instant payments to our lives. But along with the benefits that digital transactions have brought, there are some downsides as well. One of the biggest challenges for payment systems and merchants around the world is fraud. Financial losses from e-commerce fraud continue to break records, and fraudsters keep developing more sophisticated schemes to steal people’s card data.
Realising the magnitude of the problem, the largest card networks partnered to develop the Payment Card Industry Data Security Standard — a set of security measures that provide complete protection of the sensitive data involved in financial transactions. Since then, any organisation accepting, processing, transmitting, or storing cardholders’ payment information must comply with the PCI DSS requirements.
If you're planning to cooperate with a payment intermediary or want to start your journey as a PSP, this article will provide you with everything you need to know about PCI DSS compliance and its importance for processing payments. Get ready for tons of helpful information.
What is PCI DSS compliance?
Let’s begin with some basic numbers from today’s payment environment.
- By the end of 2020, the incidence of identity theft through credit card fraud had increased by 44.6%.
- The losses from payment fraud worldwide reached $33.59 billion in 2021.
These statistics are ample proof that the data protection tools used by issuers, acquirers, merchants, and PSPs aren’t keeping pace with the hacking and data theft techniques used by fraudsters. The massive shift to online payment methods has put global payment security under pressure, forcing payment intermediaries to pay special attention to protecting their customers’ sensitive data.
One of the most efficient ways to protect cardholders’ data and prevent its unauthorised use is PCI DSS compliance.
The Payment Card Industry Data Security Standard is a set of rules covering all aspects of payment security, formed in 2004 by the major credit card companies, namely Visa, Mastercard, Discover, American Express and JCB. The main goal of PCI DSS is to prevent data theft and fraud associated with debit and credit card transactions.
Over its 15 years of existence, the PCI standard has repeatedly proven its effectiveness in reducing the risk of electronic transactions and preventing fraud. It is still considered the best way to maximise the protection of sensitive payment data at each stage of transaction processing. That’s why obtaining PCI DSS compliance is a mandatory step for banks, PSPs, e-commerce businesses, and other institutions involved in the payment industry.
What are the PCI DSS compliance requirements?
Since its inception, PCI DSS has gone through several iterations to keep up with changes in the network threat landscape. While the basic PCI DSS compliance goals remain unchanged, new requirements are added periodically. Now the PCI standard consists of 6 “building blocks” that include 12 core requirements. Here's your PCI DSS compliance checklist:
Even though PCI DSS compliance is not part of any law, it's an internationally used set of regulations that comes with significant penalties and costs for organisations that don’t follow the requirements. Thus, if a company is found not to comply with PCI DSS requirements during an annual audit, card brands can impose fines, withdraw services, or even suspend its accounts. Plus, being out of PCI DSS compliance can lead to serious security incidents.
PCI DSS compliance levels
The PCI DSS requirements can be applied in different ways depending on the type of company and the volume of transactions processed.
There are four levels of PCI DSS compliance:
- Level 1 applies to merchants that process more than 6 million card transactions annually.
- Level 2 applies to merchants processing from 1 to 6 million transactions per year.
- Level 3 applies to merchants processing between 20 thousand and 1 million transactions per year.
- Level 4 applies to merchants that process up to 20 thousand transactions annually.
The higher the PCI DSS compliance level is, the more checks you must pass. Specifically, Level 1 certification holders must undergo an internal audit conducted by a PCI Authorised Auditor once a year. Plus, they must submit a PCI scan by an Approved Scanning Vendor (ASV) once a quarter. The other levels need to complete an assessment once a year using a Self-Assessment Questionnaire (SAQ). Additionally, a quarterly PCI scan may be required. Such audits help determine whether the business is complying with the security requirements in good faith or has obtained a PCI DSS certificate just for show. In case of violations, the company will have to pay fines ranging from $5,000 to $100,000 per month.
Why PCI DSS compliance is important
Every company that values its reputation will adhere to all technical and operational requirements set by PCI DSS to ensure the maximum security of its consumers’ confidential information. After all, cardholders' data protection is at the heart of all the PCI DSS compliance goals. Plus, the vast number of data breaches pushes payment intermediaries to develop new payment security solutions and improve existing ones.
However, it’s quite difficult for companies to fully comply with PCI DSS requirements because maintaining a secure payment infrastructure requires a lot of time, resources, and money. Many organisations start thinking about security only when a data breach has already occurred and a blow to their reputation has already been dealt. This is the wrong approach.
How to achieve PCI DSS compliance
The PCI DSS compliance process involves several steps. Here they are:
- Step 1: determine your PCI DSS level.
- Step 2: make sure you meet all the standard requirements for your level.
- Step 3: complete a relevant self-assessment questionnaire (SAQ) found on the PCI Security Standards Council website.
- Step 4: regularly monitor and test your networks for compliance.
PCI compliance is not a one-off event but a continuous process of tracking operations, testing security systems and maintaining an information security policy for your team. The PCI Security Standards Council has developed a generic 3-step scheme to facilitate this process. This is how it looks:
The road to PCI DSS compliance can be technically challenging and time-consuming for small and medium-sized businesses because a robust security infrastructure requires a lot of investment and effort. But this does not mean the sensitive data of their customers has to be left without proper protection. Your company needs to be PCI DSS compliant only if you decide to host a payment page on your side and work server-to-server. In other cases, partnering with a trusted PCI DSS Level 1 compliant payment intermediary is a great solution.
Corefy meets the strictest requirements of the highest PCI DSS level. We closely monitor each transaction to protect businesses and customers from possible identity theft and fraud. By entrusting your transaction processing to us, you eliminate the need to pursue PCI DSS compliance yourself because you already have a fully protected payment processing system at your disposal. Request a demo to see our reliability for yourself!