Some basic numbers from today’s payment environment:
- Global e-commerce losses from payment fraud hit $20 billion in 2021, up 14% from 2020.
- The average cost of a data breach is $3.86 million.
These statistics are ample proof that the data protection tools used by issuers, acquirers, merchants, and PSPs aren’t keeping pace with the hacking and data theft technologies used by fraudsters. The massive shift to online payment methods compromised global payment security, forcing payment intermediaries to pay special attention to protecting their customers' sensitive data.
"In light of the ever-increasing level of payment fraud, what can be done to prevent it?" the major card networks wondered. They came together and developed the Payment Card Industry Data Security Standard. Since then, any organisation accepting, processing, transmitting, or storing cardholders' payment data must comply with the PCI DSS requirements.
Whether you're considering partnering with a payment provider, looking to launch your own card processing, or planning to start your journey as a PSP, it's time to learn the basics of PCI DSS compliance. Let us be your guides on this challenging subject.
What is PCI DSS?
The PCI DSS definition is as follows:
The Payment Card Industry Data Security Standard is a set of rules covering all aspects of payment security formed in 2004 by major credit card companies, namely Visa, Mastercard, Discover, American Express and JCB. The main goal of PCI DSS is to prevent data theft and fraud associated with debit and credit card transactions.
Over the 15 years of its existence, the PCI standard has repeatedly proven its effectiveness in reducing the risk of electronic transactions and preventing fraud. It is still considered the best way to maximise the protection of sensitive payment data at each stage of transaction processing. That's why obtaining PCI DSS certification is a mandatory step for banks, PSPs, e-commerce businesses, and other institutions involved in the payment industry.
What are the PCI DSS compliance requirements?
Since its inception, PCI DSS has gone through several iterations to keep up with changes in the network threat landscape. While the basic compliance rules have remained unchanged, new requirements are added periodically. Now the PCI standard consists of 6 “building blocks” that include 12 core requirements. Here's your PCI DSS compliance checklist:
💡FACT: The current version 4.0 of PCI DSS was issued on 31 March 2022 to address emerging threats and technologies. The previous version (3.2.1) remains valid until March 2024.
Even though PCI DSS compliance is not part of any law, it's an internationally used set of regulations that comes with significant penalties and costs for organisations that don't follow the requirements. Plus, being out of compliance can lead to serious security incidents, so it's better to comply with the PCI standard to avoid the risk of data breaches that could severely damage your brand.
PCI DSS compliance levels
The PCI DSS requirements can be applied in different ways depending on the type of company and the volume of transactions processed.
There are four levels of PCI DSS compliance:
- Level 1 applies to merchants that process more than 6 million card transactions annually.
- Level 2 applies to merchants processing from 1 to 6 million transactions per year.
- Level 3 applies to merchants processing between 20 thousand and 1 million transactions per year.
- Level 4 applies to merchants that process up to 20 thousand transactions annually.
The higher the PCI DSS compliance level is, the more checks the merchant must pass. Specifically, Level 1 certification holders must undergo an internal audit conducted by a PCI Authorised Auditor once a year. Plus, they must submit a PCI scan by an Approved Scanning Vendor (ASV), an organisation that uses a set of data security services and tools to determine whether a company is compliant with the PCI DSS external scanning requirements.
Level 2-4 organisations must undergo an annual assessment using a Self-Assessment Questionnaire (SAQ). There are nine different SAQ types which apply variably to different organisations depending on how they process, handle, and store cardholder data. Additionally, a quarterly PCI scan may be required.
Such audits help determine whether the business is complying with the security requirements in good faith or has obtained PCI DSS certification just for show. Non-compliant companies will have to pay fines ranging from $5,000 to $100,000 per month.
Why PCI DSS compliance is important
Every company that values its reputation will adhere to all technical and operational requirements set by PCI DSS to ensure the maximum security of its consumers' confidential information. After all, cardholders' data protection is at the heart of all the PCI DSS compliance goals. Plus, the large number of data breaches pushes payment intermediaries to develop new payment security solutions and improve existing ones.
However, it's quite difficult for companies to fully comply with PCI DSS requirements because maintaining a secure payment infrastructure requires a lot of time, resources, and money. Many organisations start thinking about security only after a data breach has already occurred and the blow to their reputation has already been dealt. This is the wrong approach.
How to achieve PCI DSS compliance
The PCI DSS compliance process involves several steps. Here they are:
- Step 1: determine your PCI DSS level.
- Step 2: make sure you meet all the standard requirements for your level.
- Step 3: complete a relevant self-assessment questionnaire (SAQ) found on the PCI Security Standards Council website.
- Step 4: regularly monitor and test your networks for compliance.
It’s noteworthy that PCI compliance is not a one-off event but a continuous process of tracking operations, testing security systems and maintaining information security policy for your team. The PCI Security Standards Council has developed a generic PCI 3-step scheme to facilitate this process. This is how it looks:
The road to PCI compliance can be technically challenging and time-consuming for medium-sized and small businesses, because a robust security infrastructure requires a lot of investment and effort. But this does not mean the sensitive data of their customers will be left without proper protection. Your company needs to be PCI DSS compliant only if you decide to host a payment page on your side and work server-to-server. In other cases, partnering with a trusted PCI DSS Level 1 compliant payment intermediary is a great solution.
Corefy meets the strictest requirements of the highest PCI DSS level. We closely monitor each transaction to protect businesses and customers from possible identity theft and fraud. By entrusting your transaction processing to us, you eliminate the need to pursue PCI compliance yourself, because you already have a fully protected payment processing system at your disposal. Request a demo to see our reliability for yourself!