For merchants that handle credit and debit card transactions, PCI compliance has far-reaching consequences. Adhering to the Payment Card Industry Data Security Standard (PCI DSS) helps merchants keep customers’ payment data safe, secure payment systems against cyber threats, and avoid financial penalties that could harm their profitability.
In this post, we explore the essential aspects of PCI DSS compliance that merchants need to be mindful of. We’ll start by looking at where these rules came from and why they matter. Then, we’ll walk you through essential PCI DSS requirements, help you determine your PCI compliance level, and discuss common challenges merchants face on the path to compliance.
What is PCI DSS?
PCI DSS is a set of standards that merchants are required to follow to ensure the security of their payment systems and safeguard customers’ financial data. Under the PCI protocols, cardholder data includes credit card numbers, PIN codes and authentication data, expiration dates, cardholders’ names, and other personal information.
The requirements came into effect on December 15, 2004. They were drafted by the Payment Card Industry Security Standards Council (PCI SSC), a group made up of America’s largest credit card companies — American Express, Discover, JCB, Mastercard, Visa, and UnionPay.
Failure to uphold the PCI standards can leave your payment systems vulnerable to data breaches, which could cause irreparable harm to your company’s reputation. Additionally, any merchant that violates the PCI protocols risks losing the ability to process credit card payments.
Key PCI DSS Requirements for Merchants
PCI compliance has thirteen main components that merchants need to be mindful of. Any merchant that accepts credit cards is expected to abide by these standards.
It’s important to be aware that these requirements are subject to change, and you should consult with your merchant services provider for more information about your company’s specific PCI obligations.
- Assess the size of your cardholder data environment (CDE). A merchant’s CDE is defined as any employees, systems, or processes that have anything to do with accessing or handling cardholder data. Merchants need to properly scope their CDE to ensure they’ve taken sufficient steps to secure it.
- Install and maintain firewalls to control who has access to cardholder data stored in your payment system. This protects against hackers, but also prevents unauthorized employees from accessing customers’ financial information.
- Set strong passwords and don’t rely on vendor security configurations. Some merchants keep the original password that their payment systems shipped with. This is a PCI violation, because criminals are known to sell lists of these original manufacturer passwords.
- Merchants need to encrypt all financial data stored in their systems. That way, even if a hacker managed to steal your customers’ financial information, they wouldn’t be able to read it without a decryption key.
- Encrypt all cardholder information during transactions that take place on a public network.
- Make sure your payment systems are equipped with antivirus and anti-malware software that runs constant scans. Companies also need to update their antivirus software on an ongoing basis.
- Merchants need to rigorously maintain the security of their digital payment systems. This means installing security patches as needed, conducting regular threat assessments, having rigorous access controls in place, and using security-minded coding and development practices if you build custom software products.
- Implement a “need to know” policy around cardholder data and any systems that process customers’ credit cards. In other words, don’t allow payment system access to any employee unless they genuinely need it to do their job.
- Everyone who fits the “need to know” criteria mentioned above should be assigned a unique personal ID that identifies them whenever they access your payment systems. This lets merchants tie each action in the logs to one individual and monitor their networks for hackers and suspicious activity.
- Restrict access to cardholder data that your company physically stores at any of its business locations. Merchants should have security cameras monitoring these areas at all times.
- Keep logs of everyone who accesses your payment system, and consider using automation to scan for suspicious network activity and login attempts.
- Run regular security scans of your network, and consider using third-party penetration tests to help you better identify system vulnerabilities.
- Develop clearly defined security policies at your company. PCI compliance is an ongoing responsibility, rather than a one-time commitment. Digital threats are constantly emerging, so you need to make sure everyone in your organization has a “security first” mindset and follows your corporate policies.
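The stored-data and logging requirements above lend themselves to a simple automated review. The following Python script is an added example, not code from the original post or from MSG Payment Systems: it scans a constructed log excerpt for full card numbers written in cleartext (a Luhn check separates real card numbers from other long digit strings) and for repeated failed logins against one personal user ID. The log format, user names, the failure threshold, and the first-six/last-four masking are assumptions of the example.

```python
import re
from collections import Counter

# Constructed sample log (not from the page): one line leaks a full card number,
# one carries a masked value, and one user ID fails to log in repeatedly.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z app order=1001 user=jdoe pan=4111111111111111 status=approved
2024-05-01T10:00:02Z app order=1002 user=asmith pan=411111******1111 status=approved
2024-05-01T10:00:03Z auth user=bjones result=FAIL
2024-05-01T10:00:04Z auth user=bjones result=FAIL
2024-05-01T10:00:05Z auth user=bjones result=FAIL
2024-05-01T10:00:06Z auth user=bjones result=FAIL
2024-05-01T10:00:07Z auth user=jdoe result=OK
2024-05-01T10:00:08Z app order=1003 user=jdoe ref=1234567890123456 status=approved
"""

# A card number is 13 to 19 digits; the lookarounds avoid matching part of a longer run.
CANDIDATE_PAN = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
FAILED_LOGIN = re.compile(r"auth user=(\S+) result=FAIL")

def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test: true for real card numbers, false for most other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled, then reduced to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_cleartext_pans(log_text: str) -> list[tuple[int, str]]:
    """Return (line number, masked number) for each Luhn-valid card number stored in cleartext.
    The mask keeps the first six and last four digits (an assumption of this example)."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for m in CANDIDATE_PAN.finditer(line):
            pan = m.group(1)
            if luhn_ok(pan):
                hits.append((n, pan[:6] + "*" * (len(pan) - 10) + pan[-4:]))
    return hits

def failed_login_bursts(log_text: str, threshold: int = 3) -> dict[str, int]:
    """Count FAIL results per personal user ID; return the IDs at or above the threshold."""
    fails = Counter(FAILED_LOGIN.findall(log_text))
    return {user: count for user, count in fails.items() if count >= threshold}

if __name__ == "__main__":
    print("cleartext card numbers:", find_cleartext_pans(SAMPLE_LOG))
    print("failed-login bursts:", failed_login_bursts(SAMPLE_LOG))
```

The `ref=` value on the last sample line is a 16-digit string that fails the Luhn check, so it is correctly left out of the findings.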
These are the broad PCI standards, but merchants’ exact compliance requirements are determined by their annual credit card transaction volume, among other factors.
PCI Compliance Levels for Merchants
The PCI SSC recognizes four different merchant compliance levels. Level 1 applies to the merchants that process the most credit card transactions and carries the most stringent requirements, while level 4 is more lenient.
- Level 1: Merchants that process more than six million credit card transactions each year fall in this category. Level 1 merchants need to get their systems audited by a PCI SSC-approved auditor each year. They also need to have a quarterly scan conducted by a PCI SSC-approved scanning vendor, and fill out an Attestation of Compliance (AOC) detailing their internal security standards and processes.
- Level 2: Level 2 merchants process between one and five million credit card transactions annually. If you’re a level 2 merchant, you’ll need to submit an annual Report of Compliance (ROC). This is done internally, not through a third party. This compliance level also requires quarterly system scans and an AOC.
- Level 3: Merchants with annual card transaction volumes between 20,000 and one million are classified as Level 3. Level 3 merchants don’t need to submit to audits, but voluntarily doing so can improve their business reputation. Companies at this level don’t have to submit an ROC, but an annual AOC is required, as are quarterly network scans.
- Level 4: Any merchant with fewer than 20,000 annual card transactions is classified as level 4. Companies at this level are not subject to audit requirements and don’t submit an AOC or ROC. However, quarterly network scans are still necessary, along with an annual self-assessment questionnaire (SAQ) that gets filled out internally.
For merchants, knowing your PCI compliance level is a crucial step in making sure you don’t violate PCI DSS. However, whether you’re a level 1 or a level 4, a number of difficulties can stand in the way of PCI compliance for merchants.
Why is PCI Compliance a Challenge for Companies?
As important as it is, PCI compliance can be a time-consuming, resource-intensive, and stressful endeavor. A few of the traditional hurdles merchants encounter include:
- Complex digital systems: Many companies have highly integrated tech stacks with dozens of interwoven apps, and payment data might touch multiple systems. It’s not necessarily a simple task to determine the scope of your CDE.
- Resource availability: PCI compliance often requires forming special teams to manage and monitor the process. This can stretch companies’ resources and introduce logistical challenges.
- Lack of in-house expertise: PCI DSS is fairly technical, and merchants may not have employees on hand with the necessary experience to manage compliance.
Many companies deal with the never-ending stress of PCI compliance by outsourcing it to a third party. Working with a company that specializes in managing merchant PCI compliance can help you avoid paying hundreds of thousands of dollars in non-compliance fines if something goes wrong.
MSG Streamlines PCI Compliance for Merchants
At MSG Payment Systems, we have 25+ years of expertise helping merchants of all sizes maintain PCI compliance. We can help you every step of the way. From determining your compliance level to appropriately scoping your CDE and implementing rock-solid digital defenses, we take the stress out of PCI DSS for merchants. If you’re looking for compliance peace of mind, reach out to the MSG Payment Systems team.