PCI DSS Compliance is important, but what does it mean for your business? Are you doing enough to protect customer data, do your system tests meet the highest standard and is your self-assessment strong enough? We can answer all of your questions.
Here is the top guide offering the best insight into PCI DSS, including what level of compliance is necessary, what each business needs to do, how much it costs and so much more. If you’re ready, let’s go!
What are PCI Requirements & Compliance Levels?
Every business involved in payment card processing must meet strict security standards in order to be PCI DSS compliant. The requirements are grouped in the table below.
| Tasks | PCI DSS Requirements |
| --- | --- |
| Build and maintain a secure network and systems | |
| Protect cardholder data | |
| Maintain a vulnerability management program | |
| Implement strong access control measures | |
| Regularly monitor and test networks | |
| Maintain an information security policy | |
If a business cannot apply one of these requirements as written, a compensating control may be put in place to meet its intent in the meantime. That said, a compensating control will not be accepted in every case.
There are four levels of PCI DSS compliance, based on total annual transaction volume. They are detailed in the table below.
| PCI Compliance Level | Annual Transaction Volume | PCI Requirements |
| --- | --- | --- |
| Level 1 | >6 million per year | Every year: |
| Level 2 | 1 – 6 million per year | Every year: |
| Level 3 | 20,000 – 1 million per year | Every year: |
| Level 4 | <20,000 per year | Every year: |
Which businesses are affected?
Any business that handles credit or debit card payments has to comply. The standard applies to cardholder information stored on, and transactions carried out by:
- Point-of-sale devices.
- Mobile devices, personal computers or servers.
- Wireless hotspots.
- Web shopping applications.
- Paper-based storage systems.
- The transmission of cardholder data to service providers.
- Remote access connections.
In most cases, Merchant Account Providers will offer this as part of their service.
How much does it cost?
The cost of becoming PCI DSS compliant varies with the activity being carried out. In general, a basic network vulnerability scan starts from £100, while a full Level 1 audit can cost £50,000.
While the cost of compliance can be tricky for smaller businesses, the benefits quickly outweigh the expense. Taking data security seriously helps a business build a positive reputation with its target audience. It can also increase the potential for both repeat and new business. The protection of financial information also goes towards the development of a strong relationship with financial institutions.
What are the consequences of non-compliance?
Any breach or theft of cardholder data is a very serious situation. It can cause reputational damage, large fines and a reduction in sales. If the breach is intentional, the consequences include the following:
- Fines and penalties.
- Fraud and legal costs.
- Higher compliance costs.
- Loss of customer confidence.
- Loss of ability to accept credit/debit cards.
To avoid all this damage, businesses can use the three-step security process outlined below.
- PCI DSS Gap Analysis: compares the requirements against a merchant's existing arrangements, identifies compliance gaps and creates a plan to fix them.
- PCI DSS Remediation: implements the plan to close the remaining compliance gaps.
- PCI DSS Audit: reviews the controls to confirm PCI DSS compliance.
Any business that accepts, stores, transmits or processes cardholder data needs to confirm its compliance with PCI DSS urgently. If the required standards are not being met, that situation should be corrected without delay. Further information can be found in this PCI Security Standards Council guide.