The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all organizations that accept, process, store or transmit credit card information maintain a secure environment. The PCI DSS is administered and managed by the PCI SSC, an independent body created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).
PCI compliance is required to keep online transactions secure and to protect them against identity theft. According to the PCI Compliance Security Standard Council, any merchant that wants to process, store or transmit credit card data is required to be PCI compliant. The PCI DSS applies to any organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data.
In short, PCI DSS is a set of regulations created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB). The scheme defines 12 general data security requirements that every merchant needs to follow.
These are the 12 main PCI DSS requirements that merchants must meet to achieve PCI DSS compliance:
Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software or programs.
- Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
Maintain an Information Security Policy
- Maintain a policy that addresses information security for all personnel.
Risks your organization runs by not being PCI DSS compliant
Businesses that don’t process a lot of credit cards often wonder why they need to comply with a security standard like the PCI DSS.
Businesses that don’t process more than 20,000 credit card transactions per year are categorized as level 4 merchants in the Payment Card Industry (PCI) world. Level 4 has the fewest compliance requirements and therefore requires the least effort to comply. However, according to Payment Card Industry data, this tier of merchants is also the most vulnerable to crime and cyber attacks. According to the PCI Security Standards Council, 71 percent of hackers attack small businesses and merchants with fewer than 100 employees (PCI, 2016). Beyond the risk of a data breach, contracts with an acquirer or payment processor will likely require your organization to be PCI compliant. This is true for every business that accepts even a single credit card for payment.
- Monetary fines
Non-compliance can lead to fines from payment processors. Fines range from $10 per month to $1,000 per month or more. Usually, this appears on the payment processor’s statement as a “PCI non-compliance fee.”
- Forensic audits
Upon a data breach, an organization must provide its compliance documents to a forensic examiner. The examiner will determine whether the data breach was a result of non-compliance or of other security-related control failures. The cost of the forensic examiner is placed on the entity that suffered the breach. If an organization has no compliance documentation, the examiner is also required to assess the entity’s controls to determine its compliance status, in addition to the forensic examination of the data breach.
- Payment brand restrictions
Payment brands can impose restrictions on non-compliant merchants, up to refusing to accept any card processing from them. Brands may also terminate service entirely if an organization does not achieve compliance.
- Brand reputation
A data breach will significantly jeopardize brand reputation and customer loyalty. Organizations will be subject to public scrutiny and may lose customers because of poor controls over credit card information. According to a survey of 1,015 small and medium businesses conducted by the National Cyber Security Alliance, 60 percent of those breached closed their doors within six months.
- Reactive compliance
The cost of compliance increases when you expand into new technologies without considering compliance first: re-engineering or new equipment is often required afterwards to become compliant, whereas considering compliance before implementing the new technology avoids this. For example, after re-engineering or adding new equipment, cardholder data may be stored in more than one location. This broadens the scope of the cardholder data environment, which in turn increases the cost of ensuring compliance.
Benefits of PCI DSS Compliance
- Security improvement – decrease the risk of security breaches
A study conducted by Verizon found that PCI compliant organizations are significantly more likely, by up to fifty percent, to successfully resist a cardholder data breach.
This indicates that the 12 PCI DSS requirements are an adequate set of security controls for protecting cardholder data.
- Reduced chances of cardholder data being compromised
Being PCI DSS compliant gives you confidence that you have done what is necessary to protect cardholder data. Your customers feel safe too: they believe they are providing their confidential data to a trusted company, which is you.
- Improved customer relationship
According to a study conducted by Quirk’s Marketing Research Review, 69% of consumers would be less inclined to do business with a breached organization. As an organization that complies with PCI DSS, you should be able to reduce the likelihood of a data breach significantly, which means a better relationship with your customers. They will see you as a company with a strong commitment to protecting their data.
- Increase in profit
When your customers realize that their card details are safe with you because of PCI compliance, word of mouth will increase the number of your customers and ensure that your loyal customer base continues to grow. In short: more customers, more transactions, more profit.
- Avoid hefty fines
If a cardholder data breach happens (and it can happen), every involved entity will be investigated. If a merchant involved in the breach was not PCI compliant at the time, it will face a costly fine. The acquiring bank may have to pay a fine of $5,000 to $100,000 per month to the payment brands for PCI compliance violations, and banks will most likely pass this fine down to the merchant eventually. As stated above, properly implementing the PCI requirements reduces the likelihood of a breach, and with it the likelihood of receiving such a fine. This is a real benefit for the company.
- Brand Image building
With the strong commitment your company demonstrates by achieving PCI compliance, your brand image will stand out in a positive way.
- Sustain Your Business
Any merchant, even one with a single credit card transaction, has to comply with the standard; a merchant that does not comply is at high risk. If you are not PCI DSS compliant, you are subject to fines and may also face lawsuits for failing to protect cardholder data. You will lose money and your reputation will be damaged, which may put your business in danger. So being PCI compliant is a must for any organization that stores, processes or transmits cardholder data in order to sustain its existence in this business.
In addition to the above, we at Easebuzz are PCI DSS compliant. Our merchants who use our payment gateway to accept online payments from their customers are assured of the security provided to customers’ sensitive card-related data. We are also Comodo SSL certified, which protects customer transactions by encrypting customer data.