PCI DSS Compliance is important, but what does it mean for your business? Are you doing enough to protect customer data, do your system tests meet the highest standard and is your self-assessment strong enough? We can answer all of your questions.

Here is the top guide offering the best insight into PCI DSS, including what level of compliance is necessary, what each business needs to do, how much it costs and so much more. If you’re ready, let’s go!

What are PCI Requirements & Compliance Levels?

Every business involved in payment card processing must meet a strict set of security standards in order to be PCI DSS compliant. The requirements are detailed in the table below.

Tasks and the PCI DSS requirements under each:

Build and maintain a secure network and systems
  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect cardholder data
  1. Protect stored cardholder data.
  2. Encrypt transmission of cardholder data across open, public networks.
Maintain a vulnerability management program
  1. Protect all systems against malware and regularly update anti-virus software or programs.
  2. Develop and maintain secure systems and applications.
Implement strong access control measures
  1. Restrict access to cardholder data by business need-to-know.
  2. Identify and authenticate access to system components.
  3. Restrict physical access to cardholder data.
Regularly monitor and test networks
  1. Track and monitor all access to network resources and cardholder data.
  2. Regularly test security systems and processes.
Maintain an information security policy
  1. Maintain a policy that addresses information security for all personnel.

If a business cannot meet one of these requirements as written, a compensating control may be put in place to satisfy it in the meantime. That said, this option is not available on every occasion.

There are four levels of PCI DSS compliance, based on total annual transaction volume. We have detailed these in the table below.

PCI compliance level, annual transaction volume and PCI requirements:

Level 1 (more than 6 million transactions per year)
  Every year:
  • Compliance Report by Assessor or Internal Auditor.
  Every quarter:
  • Conduct a network scan by an Approved Scanning Vendor.
Level 2 (1 to 6 million transactions per year)
  Every year:
  • Self-Assessment Questionnaire.
  • Attestation of Compliance Form.
  Every quarter:
  • Conduct a network scan by an Approved Scanning Vendor.
Level 3 (20,000 to 1 million transactions per year)
  Every year:
  • Self-Assessment Questionnaire.
  • Attestation of Compliance Form.
  Every quarter:
  • Conduct a network scan by an Approved Scanning Vendor.
Level 4 (fewer than 20,000 transactions per year)
  Every year:
  • Self-Assessment Questionnaire.
  • Attestation of Compliance Form.
  Every quarter:
  • Conduct a network scan by an Approved Scanning Vendor.

Which businesses are affected?

A business that handles credit or debit card payments has to comply. The standard applies to information stored on, and transactions carried out by:

  • Point-of-sale devices.
  • Mobile devices, personal computers or servers.
  • Wireless hotspots.
  • Web shopping applications.
  • Paper-based storage systems.
  • The transmission of cardholder data to service providers.
  • Remote access connections.

In most cases, Merchant Account Providers will offer support with compliance as part of their service.

How much does it cost? 

The cost of becoming PCI DSS compliant varies depending on the activity being carried out. In general, a basic network vulnerability scan starts from £100, while a full Level 1 audit can cost £50,000.

While the cost of compliance can be a burden for smaller businesses, the benefits quickly outweigh the expense. Taking data security seriously helps a business build a positive reputation with its target audience. It can also increase the potential for both repeat and new business. Protecting financial information also goes towards building a strong relationship with financial institutions.

What are the consequences of non-compliance?

Any breach or theft of cardholder data is a very serious matter. It can cause reputational damage, large fines and a reduction in sales. If the breach is intentional, the consequences include the following:

  • Fines and penalties. 
  • Fraud and legal costs.
  • Higher compliance costs.
  • Loss of customer confidence.
  • Loss of ability to accept credit/debit cards.

To avoid all this damage, businesses can use the three-step security process outlined below.

  • PCI DSS Gap Analysis

Compares the requirements against the merchant's existing arrangements, identifies compliance gaps and creates a plan to fix them.

  • PCI DSS Remediation

Implements the plan to close the identified compliance gaps.

  • PCI DSS Audit

Reviews the controls to confirm PCI DSS compliance.

Our Advice

Any business that accepts, stores, transmits or processes cardholder data needs to confirm its compliance with PCI DSS as a matter of urgency. If the required standards are not being met, that situation should be corrected without delay. Further information can be found in the PCI Security Standards Council's guidance.