What is PCI DSS?
PCI DSS stands for the Payment Card Industry Data Security Standard, a standard created by the major card brands to protect card payments. Its first version was published in December 2004, and since 2006 it has been maintained by the Payment Card Industry Security Standards Council (PCI SSC), which was founded by the world's leading card networks: Visa, Mastercard, American Express, JCB, and Discover. PCI DSS is not a law: it is a contractual obligation, enforced through the card brands' compliance programmes and acquiring banks, that applies to every business that stores, processes, or transmits cardholder data.
The standard is a structured set of requirements aimed at protecting cardholder data wherever payments are accepted and processed. Validated compliance with these requirements shows that a company takes the protection of its customers' card data seriously.
To whom does the standard apply?
Any company involved in card payment processing, that is, any company that stores, processes, or transmits cardholder data, must meet the PCI DSS requirements. Namely:
- retail stores;
- payment service providers;
- banking institutions, microfinance organisations;
- any other company or organisation dealing with card payments.
Both large organisations and small companies are required to validate their compliance; only the validation method differs with transaction volume.
What are the PCI DSS requirements?
The list of key requirements consists of 12 points grouped under six goals: a secure network and systems, protection of cardholder (account) data, vulnerability management, strong access control, regular monitoring and testing, and an information security policy.
Here's a gist of the PCI DSS requirements:
- Build and maintain a secure network and systems by installing and maintaining network security controls (firewalls) and never using vendor-supplied defaults for passwords or other security parameters.
- Protect stored cardholder data (for example, never storing full track data, CVV2 or PIN blocks after authorisation) and use strong cryptography to protect cardholder data whenever it is transmitted over open, public networks.
- Maintain a vulnerability management programme: protect all systems against malware and develop and maintain secure systems and applications, including regular vulnerability scanning and timely patching.
- Implement strong access control measures, both physical and logical, so that access to cardholder data is restricted to those with a business need to know, every user is identified and authenticated, and physical access to card data is restricted.
- Regularly monitor and test networks: log and track all access to network resources and cardholder data, and regularly test security systems and processes.
- Maintain an information security policy that addresses information security for all personnel and adheres to data protection principles.
What is PCI DSS compliance?
PCI DSS compliance means meeting all the requirements of the standard we've just talked about, and being able to demonstrate it.
To prove their compliance with the standard, companies validate it annually. The procedure depends on the company's card transaction volume (the exact thresholds are set by each card brand, and service providers have their own level definitions). Companies below the top level generally complete the applicable self-assessment questionnaire (SAQ) and sign an Attestation of Compliance (AOC); if they have externally facing systems in scope, they must also pass quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). Companies at the top level must additionally undergo an annual on-site assessment by an independent Qualified Security Assessor (QSA), resulting in a Report on Compliance (ROC), which determines whether the company conforms to the standard.
The card transaction volume defines the compliance level a company falls into, and with it how compliance must be validated. Level 1 is the strictest and applies to merchants with a yearly volume of more than 6M card transactions. Level 2 is for merchants processing 1-6M card transactions per year, level 3 for 20K-1M e-commerce transactions, and level 4 for up to 20K e-commerce transactions (or up to 1M transactions in total).
A valid PCI DSS Attestation of Compliance proves the company's serious approach to security and to the protection of clients' card data. It is perceived as a quality mark that indicates the reliability and trustworthiness of such a business.
In case of violation of the PCI standard, the company will end up in a complicated situation. For example, their acquiring bank can terminate their merchant account. Another issue is that Mastercard can require a business of any transaction volume to validate at Level 1 if it has previously suffered a compromise of cardholder data. Moreover, there are penalties for non-compliance, commonly cited as ranging from $5,000 to $100,000 per month; the card brands levy them on the acquiring bank, which typically passes them on to the merchant.
Check out our quick guide to PCI DSS compliance for more handy information on this standard.
Is Corefy PCI DSS certified?
Corefy is a PCI DSS Level 1 certified payment orchestration platform. We annually undergo an independent assessment by a QSA, who validates our development, infrastructure, management, support, operations, and in-scope services.
Because we continuously ensure the security and compliance of our platform, our clients are relieved of many hassles. Only those clients who want to host a payment page on their side and work Server-to-Server, and thus handle raw card data in their own systems, need to validate their own compliance in full. In other cases, the card data never touches the client's systems, so the scope of their own PCI DSS obligations shrinks to the minimum.
Ready to boost your business to the next level?
Get in touch with us, and we will provide you with the most relevant offer.