The payment card industry has seen significant growth over the past few years. According to a report, at the end of 2015 there were around 18.08 billion payment cards in circulation worldwide, and this figure is expected to grow to 22.90 billion by the end of 2020. This larger customer base has raised several security concerns for Payment Card Solution Providers, and many companies are therefore prioritizing the safety and security of their customers’ private information. In the payment industry, new advances in commerce and payment technology are often accompanied by new rules and regulations that help ensure both customers and businesses are protected. For this reason, the five largest credit card companies introduced a standard named the Payment Card Industry Data Security Standard (PCI DSS) to help reduce consumer and data breaches.
Understanding PCI DSS compliance is essential for business decision-makers. This article will provide an overview of PCI DSS Compliance.
What is PCI DSS Compliance?
As the internet era began to reach maturity, companies that focused on leveraging the power of the internet began bringing their payment processing systems online, connecting them wirelessly to both their physical and virtual terminals. However, cases of data theft also increased during this period, and to cope with them the five largest credit card brands (Visa, MasterCard, Discover, American Express, and JCB) started implementing the Payment Card Industry Data Security Standard (PCI DSS) to prevent costly consumer and bank data breaches. PCI DSS is the set of payment security standards that ensures all sellers safely and securely accept, store, process, and transmit cardholder data during a credit card transaction.
Any merchant with a merchant ID that accepts payment cards must follow the PCI compliance regulations to protect against data breaches. Cardholder or payment data covers information such as the full primary account number (PAN), the cardholder’s name, the credit card service code, and the expiry date. Sellers are also responsible for protecting the sensitive authentication data held in the magnetic-stripe data. To identify where the business might be vulnerable to an attack, one should be aware of the places from which sensitive cardholder data can be stolen. According to Statista, the United States saw 1244 data breaches in 2018. Data can be stolen from compromised card readers, insecure payment system databases, hidden cameras recording the entry of authentication data, and in many other ways. It is therefore important to secure the entire payment life cycle, from credit card acceptance to payment processing. This is done by protecting cardholder data where it is captured at the point of sale and as it flows through the payment system to the merchant account.
The payment card industry standards apply to card readers, point-of-sale systems, store networks, and wireless access routers. They also apply to payment card data storage and transmission, payment card data stored in paper-based records, and online payment applications and shopping carts. For companies, becoming PCI compliant and maintaining that compliance can be a complex process. It can involve implementing security controls, hiring a pricey third-party consultant to install costly software and hardware, signing an expensive and binding contract under which the company agrees to the bank’s terms for annual PCI compliance, completing annual self-assessments, and much more.
PCI Compliance Levels and Requirements
If a business accepts payment cards from any of the five member brands of the PCI SSC (American Express, Discover, JCB, Visa, and MasterCard), then it has to be PCI compliant at one of several levels. However, compliance reporting requirements are not all the same; they differ on the basis of processing volume. For instance, sellers with a higher volume of transactions are required to work with internal security assessors, qualified security assessors, and PCI-approved scanning vendors.
There are four different levels of PCI compliance that specify the requirements for which sellers are responsible. The PCI council sets the pass mark at compliance with 100 percent of the criteria. Because of this strict criterion, many companies work with a PCI-compliance consultant on the standards and on how to meet the PCI compliance requirements. Every seller falls into one of the four levels, depending on its transaction volume during a 12-month period.
Difficulties Due To PCI Noncompliance
According to research, 30% of small businesses report that they don’t know the penalties for non-compliance with PCI DSS 3.0. Though PCI compliance is not a law, being out of compliance can cause serious security concerns for a company. According to the 2019 Verizon Data Breach Report, there were almost 41,686 data security incidents in 2019. Keeping the payment processing life cycle secure has thus become more important than ever. If a business does not comply with PCI standards, it could be at risk of data breaches, card replacement costs, fines, costly forensic audits and investigations into the business, brand damage, and more.
The penalties for noncompliance are not publicized; however, they can be destructive for businesses. For instance, if a company violates PCI-compliance standards, the credit card banks may charge the company’s acquiring bank fines of $5,000 to $100,000 per month. Along with the financial losses, there are also potential liabilities that could affect a business, such as lost confidence, diminished sales, the cost of reissuing new cards, legal costs, fraud losses, and so on.
Cost to become PCI Compliant
According to a recent report, “The PCI process takes up to 55 percent of the total data security budget for retailers. Yet, until 75% of a given retailer’s card transactions are EMV compliant, the EMV costs are additive to what retailers are already paying for PCI compliance. Retailers have to do both.” The cost of becoming and remaining PCI compliant depends on the type and size of the respective company and the compliance level to which it is held. By level, the costs range as follows.
- Level 4: $60 to $75 and more
The cost includes an Approved Scanning Vendor (ASV), who should complete a regular network or website scan, and the completion of a Self-Assessment Questionnaire (SAQ) and Attestation of Compliance by the company or its staff.
- Level 3: $1,200 a year and more
This cost includes regular scans by ASVs and increases with the size of the company’s computer network and the number of IP addresses. It also includes the cost of completing the annual Self-Assessment Questionnaire and Attestation of Compliance.
- Level 2: $10,000 a year and more
This cost includes the same items as level 3.
- Level 1: $50,000 a year and more
This cost includes a regular network scan by an Approved Scanning Vendor, an annual Report on Compliance by a Qualified Security Assessor, and an Attestation of Compliance.
To conclude, with increased consumer convenience and benefits brought by innovation, the card payments industry is reinventing itself. Having already gone beyond cashless and contactless transactions, the industry is set to go cardless. In future this may raise many more data security concerns, so PCI DSS compliance is expected to play a major role in securing data and helping the payment card industry reach new heights.
Read Full Magazine: The 10 Leading Payment and Card Solution Providers of 2020