Some basic numbers from today’s payment environment:
- Global e-commerce losses from payment fraud hit $41 billion in 2022, up from the previous year.
- As of 2022, the average cost of a data breach hit an all-time high of $4.35 million and was expected to pass $5 million in 2023.
These figures suggest that the data protection controls used by issuers, acquirers, merchants, and PSPs are not keeping pace with the techniques used by fraudsters. The massive shift to online payment methods widened the attack surface of the global payment system, forcing payment intermediaries to pay special attention to protecting their customers' sensitive data.
Faced with ever-increasing payment fraud, the major card networks asked themselves what could be done to prevent it. They came together and developed the Payment Card Industry Data Security Standard. Since then, any organisation that accepts, processes, transmits, or stores cardholder data has been required to comply with the PCI DSS requirements.
Whether you're considering partnering with a payment provider, looking to launch your own card processing, or planning to start your journey as a PSP, it's time to learn the basics of PCI DSS compliance. Let us be your guides on this challenging subject.
What is PCI DSS?
The PCI DSS definition is as follows:
The Payment Card Industry Data Security Standard is a set of technical and operational requirements for protecting payment card account data wherever it is stored, processed, or transmitted. It was first released in 2004 by the major card brands, namely Visa, Mastercard, Discover, American Express, and JCB. The main goal of PCI DSS is to prevent data theft and the debit and credit card fraud that follows from it.
Over more than 15 years of its existence, the PCI standard has repeatedly proven its effectiveness in reducing the risk of electronic transactions and preventing fraud. It's still considered the baseline for protecting sensitive payment data at each stage of transaction processing. That's why validating PCI DSS compliance is a mandatory step for banks, PSPs, e-commerce businesses, and other organisations that handle card data; the obligation is enforced through card brand rules and acquirer contracts rather than by a regulator.
What are the PCI DSS requirements?
Since its inception, PCI DSS has gone through several iterations to keep up with the changing threat landscape. While the 12 core requirements have stayed stable, new sub-requirements and security measures are added periodically.
The current version, PCI DSS 4.0, was published on 31 March 2022 to address emerging threats and technologies. The previous version (3.2.1) remains valid until 31 March 2024, and the new requirements introduced in 4.0 are treated as best practice until 31 March 2025, after which they become mandatory.
The standard is organised into six goals ('building blocks') that group 12 core requirements. In the wording of PCI DSS v4.0, your compliance checklist looks like this:
- Build and maintain a secure network and systems: (1) install and maintain network security controls; (2) apply secure configurations to all system components.
- Protect account data: (3) protect stored account data; (4) protect cardholder data with strong cryptography during transmission over open, public networks.
- Maintain a vulnerability management programme: (5) protect all systems and networks from malicious software; (6) develop and maintain secure systems and software.
- Implement strong access control measures: (7) restrict access to system components and cardholder data by business need to know; (8) identify users and authenticate access to system components; (9) restrict physical access to cardholder data.
- Regularly monitor and test networks: (10) log and monitor all access to system components and cardholder data; (11) test the security of systems and networks regularly.
- Maintain an information security policy: (12) support information security with organisational policies and programmes.
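Requirement 3 (protect stored account data) is the one that most often trips up development teams, because card numbers leak into logs and databases by accident. The following Python module is an added example, not code from the original article or from Corefy, showing what two of its rules look like in application code: the primary account number (PAN) is masked to the first six and last four digits before it is stored or shown, and sensitive authentication data (CVV/CVC, track data, PIN data) is stripped before a transaction record can be persisted. The field names, log line and record are constructed for illustration; the card numbers are published test numbers, not live cards.

```python
"""
Added example (not from the original article or Corefy): PCI DSS
Requirement 3 hygiene for application code.

  * PANs are masked to first six + last four wherever they are stored or
    displayed (Req. 3.4.1 allows at most the BIN and last four on display;
    Req. 3.5.1 requires stored PANs to be unreadable).
  * Sensitive authentication data (SAD) is never retained after
    authorisation (Req. 3.3.1).
  * Log lines are scrubbed, since PANs leaking into logs is one of the most
    common ways cardholder data ends up "stored" by accident.

All field names, log lines and numbers below are constructed; the PANs are
published test numbers.
"""
import re

# 13 to 19 digits, optionally separated by spaces or hyphens, and not part
# of a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field names treated as sensitive authentication data (assumed naming).
SAD_FIELDS = {"cvv", "cvc", "cvv2", "cvc2", "track1", "track2", "pin", "pin_block"}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to first six + last four digits; separators are dropped."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_log_line(line: str) -> str:
    """Replace every Luhn-valid, PAN-shaped number in a log line with its mask.

    Digit runs that fail Luhn (order ids, timestamps) are left alone so the
    log stays useful for troubleshooting.
    """
    def _mask(match):
        digits = re.sub(r"\D", "", match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)
    return PAN_RE.sub(_mask, line)


def persistable_record(txn: dict) -> dict:
    """Return a copy of a transaction that is safe to write to storage.

    SAD fields are dropped entirely, the PAN is replaced by its masked form,
    and free-text values are scrubbed in case a PAN was pasted into them.
    """
    safe = {}
    for key, value in txn.items():
        k = key.lower()
        if k in SAD_FIELDS:
            continue                                    # Req. 3.3.1: never store SAD
        if k == "pan":
            safe["pan_masked"] = mask_pan(str(value))   # Req. 3.5.1: unreadable PAN
            continue
        safe[key] = scrub_log_line(value) if isinstance(value, str) else value
    return safe


# Constructed sample inputs.
SAMPLE_LOG = ("2023-05-01T12:00:00Z INFO auth ok pan=4111 1111 1111 1111 "
              "amount=19.99 ref=1234567890123456")
SAMPLE_TXN = {"pan": "4111111111111111", "cvv": "123", "expiry": "12/26",
              "amount": "19.99", "auth_code": "A1B2C3"}

if __name__ == "__main__":
    print(scrub_log_line(SAMPLE_LOG))
    print(persistable_record(SAMPLE_TXN))
```

The expiry date survives in the stored record because it is cardholder data, which may be kept, whereas the CVV is sensitive authentication data, which may not. The scrubber deliberately combines a shape check with Luhn so that a 16-digit order reference is not mangled; in a real system the same filter would sit in the logging handler rather than be called by hand.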
Even though PCI DSS is not itself a law, it is an internationally applied standard enforced through card brand rules and acquirer contracts, and it carries significant penalties and costs for organisations that don't follow the requirements. Plus, being out of compliance usually means real security gaps, so it's better to comply with the PCI standard and avoid a data breach that could seriously damage your brand.
PCI DSS compliance levels
The 12 requirements are the same for everyone, but how compliance is validated depends on the type of organisation and on its annual transaction volume. The card brands define the levels; the Visa and Mastercard merchant levels are the ones usually quoted.
There are four levels of PCI DSS compliance for merchants:
- Level 1 applies to merchants that process more than 6 million card transactions annually (a merchant that has suffered a breach can also be assigned Level 1 by the card brands).
- Level 2 applies to merchants processing from 1 to 6 million transactions per year.
- Level 3 applies to merchants processing between 20 thousand and 1 million e-commerce transactions per year.
- Level 4 applies to merchants that process fewer than 20 thousand e-commerce transactions annually, or up to 1 million transactions in total.
Service providers, including PSPs, have their own two-level scheme, in which Level 1 starts at 300,000 transactions a year.
The lower the level number, the more rigorous the validation. Level 1 merchants must undergo an annual on-site assessment by a Qualified Security Assessor (QSA), or by a trained Internal Security Assessor where the card brand allows it, resulting in a Report on Compliance (ROC) and a signed Attestation of Compliance (AOC). They must also pass quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV), an organisation certified by the PCI SSC to test internet-facing systems against the PCI DSS external scanning requirements.
Level 2 to 4 organisations validate annually with a Self-Assessment Questionnaire (SAQ). There are nine SAQ types, and the applicable one depends on how the organisation accepts, processes, and stores cardholder data; most SAQ types also require quarterly ASV scans. Acquirers may still ask for the evidence behind a self-assessment, which is what separates a business that complies in good faith from one that treats PCI DSS as a box-ticking exercise.
The cost of non-compliance
Failure to comply with PCI DSS entails not only significant financial losses but also reputational damage. Here's how non-compliance may affect your business.
- Fines and penalties: the card networks can fine the acquiring bank of a non-compliant merchant, and the acquirer passes those fines on to the merchant. Their size depends on the severity and duration of the non-compliance and can range from $5,000 to $100,000, depending on the circumstances.
- Increased transaction fees: Non-compliant businesses may face further financial strain through increased transaction fees imposed by card brands. These additional charges can accumulate over time and directly impact your overall business profitability.
- Loss of reputation and customer trust: When a business fails to safeguard customer payment card data, it not only risks damaging its reputation but also undermines the trust customers place in the security of their financial information. This loss of trust can have far-reaching consequences, such as diminished customer loyalty and reduced sales.
- Legal costs: Your non-compliance with PCI DSS can potentially result in legal actions and lawsuits from affected customers or financial institutions. Legal costs can encompass a range of expenses, including fees paid to attorneys, settlements, and other legal fees.
- Remediation costs: In the event of non-compliance with PCI DSS, businesses are obligated to undertake remediation measures to address the identified issues and achieve compliance. Remediation costs can include implementing new security measures, upgrading infrastructure, conducting audits, and training staff. These costs can vary significantly depending on the complexity of the business's payment processing environment.
- Loss of business opportunities: Failure to comply with PCI DSS can result in the loss of valuable business opportunities. Numerous organisations, especially large enterprises and government entities, require their vendors and partners to be PCI DSS compliant. If a business fails to meet these requirements, it may be excluded from participating in lucrative contracts or partnerships.
Why is PCI DSS important?
Every reputable company understands the importance of safeguarding their customers' confidential information and therefore prioritises adherence to the technical and operational requirements established by PCI DSS. Moreover, the growing number of data breaches serves as a catalyst for payment intermediaries to continuously enhance existing payment security solutions and develop new ones, ensuring robust protection for sensitive data.
Nevertheless, companies often face significant challenges in achieving full compliance with PCI DSS requirements due to the extensive time, resources, and costs required to maintain a secure payment processing infrastructure. It's not uncommon for organisations to prioritise security measures only after experiencing a damaging data breach and suffering a blow to their reputation. This is the wrong approach.
How to achieve PCI DSS compliance?
The PCI DSS compliance process involves several steps. Here they are:
- Step 1: Determine your level and your scope. Assess your organisation's annual card transaction volume to find your compliance level, and map every system, network segment, and process that stores, processes, or transmits cardholder data (the cardholder data environment), because everything in it is in scope.
- Step 2: Implement all 12 requirements across that scope. The requirements do not shrink with a lower level; only the way you validate them does. This involves putting the necessary technical controls, policies, and procedures in place.
- Step 3: Validate. Level 2 to 4 merchants complete the relevant self-assessment questionnaire (SAQ) from the official website of the PCI Security Standards Council and sign an Attestation of Compliance; Level 1 entities engage a QSA for a Report on Compliance. Either way, the documents go to your acquiring bank. Working through the SAQ also shows where your controls fall short.
- Step 4: Maintain compliance between assessments by monitoring and testing continuously: quarterly ASV scans, internal vulnerability scans, at least annual penetration tests, and log review, as Requirements 10 and 11 demand.
Following these steps gets you to compliance and, more importantly, keeps you there.
It's worth stressing that PCI compliance is not a one-off event but a continuous process of tracking operations, testing security systems, and maintaining the information security policy for your team. The PCI Security Standards Council summarises this as a three-step cycle:
- Assess: identify all cardholder data, take an inventory of the IT assets and business processes that touch it, and analyse them for vulnerabilities.
- Remediate: fix the vulnerabilities found and stop storing cardholder data you do not need.
- Report: compile the required records (SAQ or ROC, scan reports, AOC) and submit them to your acquiring bank and the card brands.
Achieving PCI compliance can be a daunting task, especially for small and medium-sized businesses, since building a strong security infrastructure takes significant time and resources. That does not mean your customers' sensitive data has to remain exposed. The decisive question is how much cardholder data your own systems touch. If you host the payment form on your website and send card data to the processor server-to-server, your systems are squarely in scope and the full standard applies (SAQ D or a ROC). If instead you redirect customers to, or embed, a hosted payment page from a provider that is already PCI DSS Level 1 validated, your scope shrinks to the smallest questionnaires (SAQ A or A-EP). Partnering with such an intermediary lets businesses offload most of the compliance burden while still providing their customers with a secure and hassle-free payment experience.
Corefy meets the strictest requirements of the highest PCI DSS level. We closely monitor each transaction to protect businesses and customers from identity theft and fraud. By entrusting your transaction processing to us, you reduce your own PCI DSS scope to a minimum, because card data is handled inside a fully protected payment processing system rather than on your servers. Request a demo to see for yourself!