PCI DSS stands for the Payment Card Industry Data Security Standard, a document developed in 2005 by the Payment Card Industry Security Standards Council to ensure the security of card payments. The Council is made up of the world's leading card networks: Visa, Mastercard, American Express, JCB, and Discover. Since 2012, PCI DSS has been mandatory for all businesses dealing with bank cards.
The standard is a complex system of requirements aimed at protecting the cardholders' data when making payments. Certification for compliance with these requirements indicates that the company cares about the security of its customers' personal information.
Any company involved in card payment processing must meet the PCI DSS requirements. Namely:
Both large organisations and small companies are required to undergo certification.
The list of key requirements consists of 12 points addressing six main aspects: network security, customer data protection, vulnerability management, access control, testing and monitoring, and security policies.
Here's a gist of the PCI DSS requirements:
PCI DSS compliance means meeting all the requirements of this regulation we've just talked about.
To prove their compliance with the standard, companies undergo certification. The procedure depends on the company's card transaction volume. Those processing up to 20K card transactions per year should fill out self-assessment questionnaires (SAQs) and an Attestation of Compliance form, and regularly have network scans performed by an approved vendor. Companies with larger volumes must also fulfil these requirements, but for them this alone is not enough for compliance. An additional mandatory step is passing an audit by an independent qualified security assessor (QSA), who determines whether the company conforms to the standard.
The card transaction volume defines the compliance level a company falls under. Level 1 is the strictest and applies to companies with a yearly transaction volume of more than 6M. Level 2 is for companies processing 1-6M card transactions per year, level 3 covers 20K-1M, and level 4 covers up to 20K.
Holding a PCI DSS compliance certificate demonstrates the company's serious approach to security and to protecting clients' data. It is perceived as a quality mark that indicates the reliability and trustworthiness of such a business.
In case of a violation of the PCI standard, the company will end up in a complicated situation. For example, its bank can terminate its accounts. Another issue is that Mastercard requires businesses of any transaction volume to meet the requirements of Level 1 if they have previously compromised cardholders' data. Moreover, there are penalties for non-compliance, ranging from $5,000 to $100,000 per month.
Check out our quick guide to PCI DSS compliance for more handy information on this standard.
Corefy is a PCI DSS Level 1 certified payment orchestration platform. We annually undergo an unbiased assessment by a QSA, who validates our development, infrastructure, management, support, operations, and in-scope services.
Because we continuously ensure the security and compliance of our platform, our clients are relieved of many hassles. Only those clients who want to host a payment page on their own side and integrate Server-to-Server need to pass the certification themselves. In all other cases, there is no need for our clients to be PCI DSS compliant.