Security online has never been more important.
Fraud and hacking schemes are becoming more advanced and sophisticated than ever before, so businesses must protect themselves and their customers wherever possible.
For businesses, that’s where PCI compliance comes in.
PCI compliance stands for Payment Card Industry compliance. The major credit card companies (including Visa, Mastercard, American Express, Discover, and JCB International) have established guidelines and standards to ensure that businesses that accept credit card payments are securely protecting their customers’ sensitive information.
To find out more, keep reading or get in touch with the payments experts at Acquired.com.
What is PCI compliance?
For businesses to accept credit card payments from these major companies, they have to be compliant with PCI standards and security systems. PCI security policy covers a range of different areas, including the security of payment processing systems, how customer data is stored, how access to cardholder data is protected, and regular monitoring to identify security vulnerabilities in their systems.
The Payment Card Industry Security Standards Council (PCI SSC) was formed in 2004 by the major players in the credit card sector to establish security parameters for businesses that accept credit card payments. The first version of the Payment Card Industry Data Security Standard (PCI DSS) was released in 2005, and the standards have been updated several times since then to reflect the changing challenges associated with payment card transactions. PCI compliance is now mandatory for businesses that accept credit card payments, and failure to comply can result in fines and legal action. The PCI SSC continues to update its standards regularly to help businesses stay ahead of emerging security threats.
Why is PCI compliance important?
PCI compliance is so important in today’s world as it helps to ensure the security of customer data wherever it is stored. Credit card information is highly sensitive and valuable, and its unauthorised access can lead to identity theft and financial fraud for customers. Cardholder data theft is becoming not just more common, but more sophisticated over time, meaning customers need to be confident that their sensitive credit card data is being stored securely at all times.
In today’s digital age, customers expect businesses to take the protection of their personal information seriously, and failure to do so can result in a loss of business, not to mention the cost of fines, investigation costs, legal fees, and damage control for businesses.
The different levels of PCI compliance
There are four different levels of PCI compliance, with requirements tailored to different types of businesses with differing levels of risk. The key factor in deciding which level of PCI compliance a business needs is usually how many transactions they process every year (though there are exceptions, particularly for level 1 organisations).
Level 1 organisations are subject to the most stringent PCI requirements. Level 1 organisations are companies that process more than 2.5 million American Express transactions or more than 6 million Visa/MasterCard transactions in a 12-month period. A company may also be categorised as level 1 if it has experienced a data breach in the past (regardless of the business size, turnover, number of transactions, or industry), or if any of the card networks deems it to be high-risk and wants it to be categorised as such.
Level 1 companies are required to carry out the following in order to be registered as compliant:
- A Report on Compliance (ROC), carried out by an internal auditor (and signed off by an officer of the company) or a Qualified Security Assessor (QSA). This is sometimes known as a Level 1 onsite assessment (as the assessor requires physical access to a company’s premises) and details an organisation’s security processes, cardholder data environment, protection of internal systems against malware, and data protection policies.
- A quarterly network scan signed off by an Approved Scan Vendor (ASV). ASVs are companies that have been approved and certified by the PCI SSC and help businesses carry out many of the functions required for PCI compliance.
- An Attestation of Compliance (AOC) for Onsite Assessments. This document is essentially an official declaration on behalf of the company that they have taken all the appropriate measures to be considered PCI compliant.
Level 2 companies are those that process between 1 million and 6 million transactions over the course of an average 12-month period (both online and in-person). In order to meet official PCI security standards, Level 2 companies are required to:
- Carry out an annual PCI DSS Self Assessment Questionnaire (SAQ). There are nine different types of SAQ, targeted towards different types of businesses.
- Carry out a quarterly network scan with an Approved Scan Vendor (as above).
- Submit an Attestation of Compliance (as above).
Organisations designated as levels 3 and 4 are subject to the same requirements as level 2 organisations. Level 3 companies are those that process between 20,000 and 1 million online transactions annually, or less than 1 million total transactions annually, while level 4 companies process fewer than 20,000 online transactions or fewer than 1 million total transactions annually.
To ensure PCI compliance at any level, all businesses that accept credit card and debit card transactions must undergo these regular assessments and audits by qualified security assessors. These assessments determine whether the business is meeting all the required standards and guidelines of the PCI Security Standards Council. If a business fails an assessment, it will need to take corrective action to address any vulnerabilities and meet its compliance obligations, or risk fines and legal action.
What are the consequences of non-compliance?
PCI non-compliance is incredibly serious and can make life difficult for businesses.
When a business does not meet the key requirements of PCI, it is willingly and knowingly putting its customers’ data at risk. A lack of cardholder data security can have massive consequences for customers, including loss of income, fraud, and identity theft, all of which can have a huge effect on individual livelihoods and mental health.
This is why PCI compliance is so important, and why the penalties that come when the applicable requirements aren’t met can be so severe for businesses:
- Failure to comply may lead to fines imposed by the acquiring bank or card network. The amount of the fine can vary from a few thousand pounds to hundreds of thousands of pounds, depending on the seriousness of the infraction. If fines need to be issued more than once, they will continue to rise for repeated violations. You’ll also have to pay a small ongoing charge for every month the business remains non-compliant.
- Aside from fines, there are several other financial consequences associated with PCI non-compliance. Breaching the regulations can make businesses liable for fraud charges and credit card replacement costs. Your company’s ability to accept credit card payments (both in-person and online) may also be suspended by card networks, making it almost impossible to continue to do business.
- When banks are notified that a business doesn’t meet PCI compliance requirements, that business immediately becomes a greater risk to them. If your business is not meeting regulations, banks may increase your transaction fees, or potentially terminate your business relationship. Banks are also considerably less likely to take on new business from an organisation in breach of PCI guidelines.
- Failure to comply may also lead to legal consequences, which can be initiated by the card networks, customers, or regulatory bodies. Legal action can result in additional fines, legal fees, and damage to the company’s reputation.
- Non-compliance can do serious damage to an organisation’s reputation, as customers may lose trust in the business’s ability to keep their information safe.
- Even if a business isn’t “caught out” for non-compliance, not working in line with PCI guidelines increases the risk of data breaches and cyber attacks for your business, which can lead to financial losses, legal issues, and reputational damage.
How Acquired.com can help you manage your PCI compliance
At Acquired.com, we take the security of our clients and their customer data seriously. We work closely with you to ensure efficient and secure transmission of cardholder data to make payments simple for users, while utilising secure systems in line with PCI compliance guidelines. As a payment gateway for card processing, we have a strong understanding of the security requirements of major card brands and the levels of protection required for different businesses.
While PCI compliance is the responsibility of businesses, not third parties in the payments industry, the team at Acquired.com can help our clients when it comes to security controls. Businesses can submit their PCI compliance documents through the Acquired.com platform, and we’ll provide the correct self-assessment questionnaire (SAQ) to businesses requiring level 2 compliance or less.
To learn more about how we can help businesses with the security of credit card payments online, or to get started with the Acquired.com platform, please don’t hesitate to get in touch with our friendly team.