PCI Compliance Explained
In 2006 the major card brands, American Express, Discover, JCB International, MasterCard, and Visa, founded the PCI Security Standards Council. The council maintains a set of security requirements for companies that handle payment cards, known as the Payment Card Industry Data Security Standard (PCI DSS). The standard is designed to make sure every company that processes, stores, or transmits cardholder data keeps a secure environment. Read on to learn what PCI compliance means, how it protects customers and businesses, and how to become PCI compliant in your business.
Understanding PCI Compliance
To understand what it means to be PCI compliant, it helps to look first at the definition and then at the goals the standard is trying to achieve.
What Does it Mean to be PCI Compliant?
When you are PCI compliant, your business meets the security requirements set out in PCI DSS for protecting cardholder data and can demonstrate it, either through a self-assessment questionnaire or through an assessment by a Qualified Security Assessor, depending on your transaction volume and how you accept cards. There are specific requirements that your company must meet to be considered compliant.
Goals of PCI Compliance
There are six major goals of PCI compliance, sometimes referred to as principles of compliance.
- Build and maintain a secure network. To build a network that protects cardholder data, you need to install and maintain a firewall configuration, backed by a documented configuration policy and a test procedure. Replace the default passwords and settings supplied by vendors with ones your company sets.
- Protect cardholders’ data. This goal covers both stored data and data in transit. If your company stores cardholder data, you need several layers of physical and logical security to protect it; whether or not you store it, any cardholder data you send across open networks must be encrypted.
- Have strong access control measures. The fewer people who come in contact with cardholder data, the better. Limiting personnel access to cardholder data reduces your exposure. Every person who accesses systems needs a unique login with a strong password. You should also physically limit access to the places where your company stores sensitive information.
- Maintain a policy of information security. Your information security policy needs to address risk analysis processes and annual reviews, operational security procedures, and acceptable uses of technology.
- Have a program that manages vulnerabilities. Systems become vulnerable without timely software updates, including current anti-virus definitions. New threats appear every day, so keeping everything patched and current is essential for PCI compliance.
- Monitor and test your systems regularly. Security is only good if you keep up with it. Regularly monitoring and testing systems lets you keep cardholder data safe and maintain your compliance.
12 Requirements of PCI Compliance
In order to be PCI DSS compliant, you have to meet the following 12 requirements, which are grouped under the six goals above.
- Install and maintain a firewall configuration to protect cardholder data. One of the primary ways criminals try to steal cardholder data is over the network, which is why maintaining a firewall configuration is one of the core goals of PCI DSS. You need documented firewall and router standards, and you must test equipment security every time you update software or change hardware. Review rule sets at least every six months, and deny all traffic from untrusted networks except the protocols you actually need to process cards. If employees reach the network from laptops or mobile devices, those devices need personal firewall software.
- Change vendor-supplied default passwords and other default security settings. Change the passwords on firewalls, routers, and other hardware and software as soon as they are installed. Keeping vendor-supplied default passwords, or using weak passwords, opens your business up to a data breach.
- Protect stored cardholder data. Not every company that processes cards stores cardholder data, but if yours does, you are required to protect it. Do not store cardholder data unless it is required for legal, regulatory, or business needs. If you do store it, keep it only as long as needed, and run a process at least quarterly to find and securely delete data that has exceeded its retention period. Render the primary account number (PAN) unreadable wherever it is stored, for example with strong encryption, truncation, or hashing, and mask it when displayed so that at most the first six and last four digits are shown. Sensitive authentication data (the full magnetic stripe or chip data, the three- or four-digit card verification code, and PIN blocks) must never be stored after authorization, even if it is encrypted.
- Encrypt cardholder data whenever you transmit it across open, public networks. Moving data across a public network gives criminals a chance to intercept it. Always encrypt the data before you transmit it so that an eavesdropper gets nothing usable. This requires strong cryptography and security protocols, such as TLS 1.2 or later; SSL and early versions of TLS are no longer acceptable.
- Use and regularly update anti-virus software. Part of your vulnerability management program is running anti-virus software and keeping it updated. Keep all software on your systems updated to close known security holes. Your anti-virus mechanisms need to be running at all times, generate audit logs, and use current signature definitions to keep you compliant.
- Develop and maintain secure systems and applications. The other part of your vulnerability management program is keeping all your software secure. Install security patches as soon as they are available; critical patches should be applied within a month of release. Merchants need to learn about these patches promptly and be able to apply them easily. You also need a process to discover and rank new vulnerabilities, and if you write your own payment software, you must follow secure coding practices and review code before it goes into production.
- Restrict access to cardholder data on a need-to-know basis. A major component of PCI DSS is strong access control. Criminals may try to access cardholder data, but employees and partner organizations may also request access to sensitive data they do not need for the task at hand. Access should be granted to roles according to job function, with everything else denied by default, so that only requests that genuinely need the data to complete a specific task are approved.
- Assign a unique ID to each person with computer access. Unique IDs let you trace every access to cardholder data back to an individual and recognize unauthorized access. Remote network access, and all non-console administrative access to the cardholder data environment, requires multi-factor authentication. Two passwords do not count: the factors must come from different categories, such as something you know (a password), something you have (a hardware token or authenticator app), and something you are (a fingerprint).
- Restrict physical access to cardholder data. Data also needs to be safe within the physical confines of the business. Control who can enter areas where cardholder data is stored or processed, enforce strict rules about who is authorized to handle physically secured data, and keep logs of who accesses it. Securely destroy media containing cardholder data as soon as it is no longer needed for business or legal reasons.
- Track and monitor all access to network resources and cardholder data. Logging is what lets you reconstruct what happened after an incident. Every access to cardholder data and every administrative action should produce an audit log entry tied to an individual user, with synchronized clocks across systems. Logs must be protected from tampering, reviewed daily, and retained for at least a year, with the most recent three months immediately available for analysis.
- Regularly test security systems and processes. New code, new systems, and newly discovered vulnerabilities all change your exposure. Run internal and external vulnerability scans at least quarterly and after significant changes (external scans must be performed by an Approved Scanning Vendor), carry out penetration testing at least annually, and use file-integrity monitoring to alert on unauthorized changes to critical files.
- Maintain a policy that addresses information security for all personnel. It is not enough to write a solid security policy. You need to maintain it, publish it, and make sure your staff is trained on it and on the security measures it requires.
Is PCI Compliance Mandatory?
PCI compliance is a complex process, and many business owners wonder whether they really need it. PCI DSS is not a law in most jurisdictions; it is a contractual obligation. When you accept cards, your merchant agreement with your acquiring bank requires you to comply, and the card brands enforce the standard through the acquirer. So the short answer is: if you accept credit cards in your business, you are expected to be PCI compliant, and using a PCI compliant payment gateway that keeps card data off your own systems greatly reduces how much of the standard you have to implement yourself.
Benefits of PCI Compliance
PCI compliance protects your business and your customers’ data. Data breaches cost companies millions of dollars each year. According to a study by Data Intelligence, the average data breach in 2019 cost companies $3.9 million.
Beyond liability for damages, higher insurance costs, and the cost of implementing new procedures, there is the damage to your brand image and reputation, which hurts future sales. If customers can’t trust you with their data, they will buy somewhere else.
Risks of Non-Compliance
Trying to skirt compliance could cost you a lot more than implementing security to be compliant. Failing to be PCI compliant puts your customers and your business at risk. You’re vulnerable to data breaches, loss of profits, and a damaged reputation with your customers.
Additionally, if you are the victim of a data breach and you’re not PCI compliant, the card brands can levy fines, commonly cited as $5,000 to $500,000, through your acquiring bank, which passes them on to you. You could lose your merchant account entirely or be placed on the card brands’ list of terminated merchants (Mastercard’s MATCH list, formerly the Terminated Merchant File), which would make you ineligible for another merchant account for years to come.
Though achieving and maintaining compliance is a lot of work, it’s worth it to protect your business and your customers.
Choose a PCI Compliant Payment Gateway like MONEI
At MONEI we value our business and the security of our customers’ business. We protect e-commerce merchants and your customers by maintaining PCI compliance at all times. Confidently choose from many secure ways to collect payment information and use our API to customize your card input component.
Reach out to us today to see how we can help you safely and securely scale your revenue with the best payment gateway rates.