What is PCI Compliance? Requirements, Benefits, Risks
In 2006, the major credit card brands (American Express, Discover, JCB International, Mastercard, and Visa Inc.) founded the PCI Security Standards Council and launched a set of requirements to regulate security for companies that process payment cards.
The regulations are known as the Payment Card Industry Data Security Standard (PCI DSS), and they’re designed to make sure all companies that process, store, or transmit credit card information keep a secure environment.
Read on to learn all about PCI compliance, what it means, how it protects customers and businesses, and how to make sure your business is PCI compliant.
Table of contents
- What is PCI compliance?
- 6 PCI compliance standards to meet
- 12 Requirements of PCI compliance
- Is PCI compliance mandatory?
- Benefits of PCI compliance
- Risks of non-compliance
- Choose a PCI compliant payment gateway like MONEI
What is PCI compliance?
PCI compliance makes sure consumers have basic protection when businesses store, process, or transmit cardholder data or sensitive authentication data. The PCI DSS regulations are an international security standard put in place to help reduce fraud and data breaches across every level of the payments system. If your business accepts or processes payments, PCI compliance applies to you.
PCI compliance is broken down into three main areas:
1. Securely collecting and transmitting sensitive credit card data.
2. Using the 12 PCI compliance security domains listed below, including encryption, continuous monitoring, and keeping the most up-to-date antivirus software.
3. Validating necessary security controls annually. This can include external vulnerability scanning services, third-party audits, forms, and questionnaires.
📚Further reading: What is Credit Card Processing and How Does it Work?
6 PCI compliance standards to meet
When your business is PCI compliant it means you agree to uphold the security standards outlined by the PCI DSS to secure cardholder data. There are specific requirements (sometimes referred to as principles of compliance) that your company must meet to be considered PCI compliant. Let’s review them:
1. Build and maintain a secure network
To build a secure network that protects cardholder data, you need to install and maintain a firewall. You also need a configuration policy and a test procedure. Use secure passwords that your company creates rather than the pre-set passwords supplied by vendor software.
2. Protect cardholders’ data
You only need to meet this goal if your company stores cardholders’ data. If you do store cardholder data, you need several layers of physical and virtual security to protect it.
📚Further reading: What is Tokenization? And its Benefits for E-commerce
3. Have strong access control measures
The fewer people who come in contact with cardholder data, the better. Limiting personnel access to cardholder data helps improve security measures. You need a unique login for every person who accesses computers with secure passwords for each user. You should also physically limit access to places where your company stores sensitive information.
4. Maintain a policy of information security
Your information security policy needs to address risk analysis processes and annual reviews, operational security procedures, and acceptable uses of technology.
5. Have a program that manages vulnerability
Data becomes vulnerable without the proper software updates, particularly antivirus software. New security threats are created every day so it’s critical to have everything updated for PCI compliance.
6. Monitor and test your systems regularly
Security is only good if you keep up with it. Regularly monitoring and testing systems helps you keep cardholder data safe and maintain compliance.
📚Further reading: How to Accept Payments Online: 6 Step Guide
12 Requirements of PCI compliance
In order to be PCI DSS compliant you have to meet the following 12 requirements.
- Protect cardholder data by installing and maintaining a firewall. One of the primary ways criminals try to steal cardholder data is online. That’s why maintaining a firewall configuration is one of the core goals of PCI DSS. You need documented firewall and router standards, and you need to test equipment security every time you update software or change out hardware. Review your configuration rules twice a year and restrict access from all untrusted sources, except where a specific communication protocol is needed to process a card. If any employees can access the network through mobile devices or computers, make sure their devices have the proper firewall software.
- Change vendor-supplied default passwords. You need to change all passwords to firewalls, routers, and other hardware and software as soon as it’s installed. Keeping the vendor-supplied default passwords, or having weak passwords, opens your business up to a data breach.
- If your company stores cardholder data, protect it. If your business stores cardholder data, you’re required to protect that data. Never store cardholder data unless it’s required for legal, regulatory, or business needs. If you do need to store data for any of those reasons, limit storage time and purge data at least once per quarter. Never store sensitive data, even if it’s encrypted, longer than the amount of time it takes to process a transaction.
- When you send data across open, public networks, always encrypt it. Moving data across a public network gives criminals a chance to access it. Always encrypt the data before you transmit it and decrypt it upon receipt to decrease the likelihood of criminals getting usable data. You will need strong cryptography and security protocols to meet this requirement.
- Use the most recent updated versions of antivirus software. Create a vulnerability management program by using updated antivirus software. Keep all software on your system updated to eliminate any security holes. Your antivirus mechanisms need to always be active, generate auditable logs, and use the latest malware definitions to ensure your compliance.
- Maintain secure applications and systems. Another part of your vulnerability management program includes keeping other software secure. Install security patches for software as soon as they are available. Merchants should be informed about these patches right away and be able to implement them easily. You should also have the capability to discover and rank new vulnerabilities.
- Implement need-to-know restrictions to cardholder data. A major component of PCI DSS is implementing strong access control measures. Criminals may try to access cardholder data, but unauthorized people or organizations may also ask for access to sensitive data that they don’t need for the current task. Strong access control assesses not only who is requesting data, but also the specific circumstances they are requesting it for. The system then needs to respond accordingly by approving only the data access needed to complete a specific task.
- Each person on your team with computer access needs a unique ID. Unique IDs for each person with computer access let you know every time someone in the organization accesses cardholder data. You can trace the activity and recognize unauthorized access. To allow remote access, you must implement two-factor authentication. This does not mean two passwords. Instead, combine two different kinds of factors, for example a password with a hardware token, a fingerprint scanner, or an email or SMS confirmation code.
- Implement access restrictions to cardholder data. You need to ensure data is safe within the physical confines of the business as well. Limit physical access to sensitive data. Security personnel need to enforce strict rules about who is authorized to access physically secured data and keep logs of who accesses information. You will also need to physically destroy media holding cardholder data as soon as it is no longer needed.
- Monitor and track access to cardholder data and network resources. Cardholder data travels over both wired and wireless networks. Vulnerabilities in either of these can make data easier for criminals to access. You need to monitor and test your networks regularly to mitigate these weaknesses and minimize the opportunities for a data breach.
- Test security processes and systems regularly. New code introduced into a system can open it up to vulnerabilities. That’s why it’s important to review security processes, test systems regularly, and monitor files for unexpected changes.
- Have a policy that addresses information security across all your personnel. It’s not enough to just create a solid security policy. You need to maintain it, publish it, and ensure your staff is up to speed on security measures.
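Requirements 3 and 10 above (never keep sensitive data longer than needed; monitor files and logs) are often violated by accident, when a full card number is written to an application log by debug output. A routine check that a merchant can run over their own logs is a cardholder-data discovery scan. The following is an added example written for this article, not code from MONEI or from the PCI DSS itself. It assumes that a 13 to 19 digit run which passes the Luhn checksum is treated as a primary account number (PAN), and the sample log lines are constructed for the example:

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers: doubles every second digit
    from the right, subtracts 9 from any result above 9, and requires the sum
    to be a multiple of 10. Filters out order ids and timestamps that merely
    look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _as_pan(match_text: str):
    """Return the normalised digit string if the match is a plausible PAN."""
    digits = re.sub(r"[ -]", "", match_text)
    if 13 <= len(digits) <= 19 and luhn_valid(digits):
        return digits
    return None


def find_pans(text: str) -> list:
    """All Luhn-valid PANs found in a line of text, separators removed."""
    found = []
    for m in _CANDIDATE.finditer(text):
        pan = _as_pan(m.group(0))
        if pan is not None:
            found.append(pan)
    return found


def redact_pans(text: str) -> str:
    """Replace every detected PAN with a fixed marker so the line can be kept
    in a log without retaining cardholder data."""
    def repl(m):
        return "[PAN REDACTED]" if _as_pan(m.group(0)) else m.group(0)
    return _CANDIDATE.sub(repl, text)


def scan_log(lines) -> list:
    """(line number, number of PANs) for every line that holds cardholder data.
    A non-empty result means the log is in scope for PCI DSS and needs fixing."""
    hits = []
    for n, line in enumerate(lines, 1):
        count = len(find_pans(line))
        if count:
            hits.append((n, count))
    return hits


# Constructed sample log. The card numbers are the publicly known test PANs
# 4111 1111 1111 1111 and 5555 5555 5555 4444; the order id is Luhn-invalid.
SAMPLE_LOG = [
    "2024-03-01T10:00:01Z INFO checkout started order=1234567890123456",
    "2024-03-01T10:00:02Z DEBUG gateway request pan=4111 1111 1111 1111 exp=12/26",
    "2024-03-01T10:00:03Z INFO authorization approved order=1234567890123456",
    "2024-03-01T10:00:04Z ERROR retry failed card=5555-5555-5555-4444",
]

if __name__ == "__main__":
    for line_no, count in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {count} PAN(s) found")
        print("  redacted:", redact_pans(SAMPLE_LOG[line_no - 1]))
```

The Luhn filter matters: the 16-digit order id on lines 1 and 3 is reported as clean, while the two debug lines that leaked full card numbers are flagged. In a real environment the same functions would be pointed at log files, database exports and backups, and any hit should be treated as a retention violation to be removed at the source (the logging statement), not just redacted after the fact.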
Is PCI compliance mandatory?
PCI compliance is a complex process and may leave many business owners wondering if they really need it. PCI compliance isn’t mandatory by law; however, it can be considered mandatory by court precedent. So the short answer is: if you accept credit cards in your business, your payment gateway needs to be PCI compliant.
📚Further reading: Payment Gateway vs Payment Processor
Benefits of PCI compliance
PCI compliance protects your business and your customers’ data. Data breaches cost companies millions of dollars each year. According to a study by Data Intelligence, the average data breach in 2022 cost companies $4.35 million.
As well as the cost of liability for damages, insurance costs, and implementing new procedures, you have the cost of your brand image and reputation, which hurts future sales. If customers can’t trust you with their data, they will buy somewhere else.
Risks of non-compliance
Trying to skirt PCI compliance could cost you a lot more than implementing security to be compliant. Failing to be compliant with PCI regulations puts your customers and your business at risk. You’re vulnerable to data breaches, loss of profits, and a damaged reputation with your customers.
Additionally, if you’re a victim of a data breach and you’re not PCI compliant, you can be fined from $5,000 to $500,000. You could lose your virtual POS entirely or be placed in the Visa/Mastercard Terminated Merchant File which would make you ineligible to get another virtual POS for years to come.
Though achieving and maintaining compliance is a lot of work, it’s worth it to protect your business and your customers.
Choose a PCI compliant payment gateway like MONEI
At MONEI we value our business and the security of our customers’ business. We protect e-commerce merchants and your customers by maintaining PCI compliance at all times. Confidently choose from many secure ways to collect payment information and use our Payments API to build a customized PCI compliant checkout page.
Further reading about payment security
- What is SCA? (+ How it Benefits Consumers)
- Strong Customer Authentication Guide
- PSD2: What is It? Why it’s Important + How to Be Compliant
- What is 3D Secure? And Its Advantages for E-commerce
PCI compliance FAQ
What is PCI compliance in Spain?
PCI compliance in Spain is the adherence to the Payment Card Industry Data Security Standards (PCI DSS) established by the major credit card brands to ensure the secure processing, storage, and transmission of cardholder data.
Who needs to comply with PCI DSS in Spain?
All entities that accept, store, process, or transmit payment card information are required to comply with PCI DSS, including merchants, processors, acquirers, and payment service providers (PSPs).
What are the consequences of non-compliance with PCI DSS in Spain?
Non-compliance with PCI DSS in Spain can result in fines, legal action, and reputational damage for businesses. In addition, non-compliant businesses risk losing the ability to process credit card transactions.
How can businesses achieve PCI DSS compliance in Spain?
You can achieve PCI DSS compliance by implementing security measures such as firewalls, encryption, and access controls, and by regularly testing security systems and procedures.
Who enforces PCI DSS compliance in Spain?
In Spain, the enforcement of PCI DSS compliance is the responsibility of the payment card brands themselves, such as Visa, Mastercard, and American Express, as well as the regulatory authorities.
Alexis Damen is the Head of Content at MONEI. She loves breaking down complex topics about payments, e-commerce, and retail to help merchants succeed (with MONEI as their payments partner, of course).