If your business takes debit or credit card payments online or in person, you’ve most likely heard of “PCI DSS” or “PCI SSC.” The first is a standard and the second is the council that publishes it; together they define the controls that a merchant or payment processor must have in place to protect payment card data from attack.
Being PCI compliant does not ensure a company’s systems are safe; nonetheless, it is a significant step in that direction.
Although the Payment Card Industry Security Standards Council (PCI SSC) maintains and publishes the PCI DSS, it is the payment brands and acquirers (the banks or financial institutions that grant merchants the right to process credit and debit transactions) that enforce compliance.
What is PCI DSS and how does it affect my business?
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for businesses that accept cards from the major card brands. The PCI DSS requirements ensure that every organization that stores, processes, or transmits cardholder data keeps that data in a secure environment.
Cardholder data consists of the primary account number (PAN, the card number printed on the card) together with the cardholder’s name, the expiration date, and the service code. The standard treats the card’s security code (CVV2/CVC2/CID), full magnetic stripe or chip data, and PINs separately as sensitive authentication data: this data may be used to authorize a transaction but must never be stored after authorization, even in encrypted form.
The PCI Security Standards Council (PCI SSC) publishes and maintains the PCI DSS. The PCI SSC is an independent body founded by Visa, Mastercard, American Express, Discover, and JCB, a Japanese card brand.
Can I Become PCI-certified?
There is no such thing as being “PCI certified” for the PCI DSS. Instead, the standard requires an annual validation of compliance: either a Self-Assessment Questionnaire (SAQ) or a Report on Compliance (ROC), each accompanied by an Attestation of Compliance (AOC). This annual validation cannot be avoided.
But what about the audits performed by Qualified Security Assessors (QSAs) that are required for larger merchants? Isn’t that a PCI certification?
Actually, no. To understand this, we must understand the underlying difference between Certification and Compliance.
The Difference Between Certification and Compliance
Certification, as stated in the Cambridge dictionary, is “the process of earning an official document, […], as proof that something has happened or been done”. For a document to be a certification, it needs not only to prove, in this case, compliance with a specific standard or regulation, but it also needs to be officially earned.
Compliance, on the other hand, is simply the state of following a defined set of guidelines or regulations. Becoming and staying compliant with a standard is an ongoing, never-ending activity, and it is an internal effort of the company itself.
Why, then, is there no PCI Certification?
Even though there is a clear requirement for a third party (a QSA) to assess larger merchants’ compliance with the PCI DSS, the resulting Report on Compliance only attests that the organization met the requirements at the time of the assessment. The PCI SSC does not recognize any “PCI certification” issued by external auditors or assessors and still requires the annual SAQ or ROC.
How Can My Organization Become PCI Compliant?
This does not mean that the so-called “PCI certifications” are useless. These preliminary (and periodic) assessments can be crucial for finding gaps early and staying compliant with PCI DSS requirements throughout the year, rather than discovering problems at the annual validation.
There are four PCI DSS merchant compliance levels, and merchants are assigned to a level according to their annual transaction volume. The exact thresholds vary slightly by card brand, but the PCI DSS requirements themselves are identical for every merchant level; what changes with the level is how compliance must be validated.
The more transactions a merchant processes, the more rigorous the validation of its compliance must be, up to an on-site assessment by a QSA. Alongside the four merchant levels, two service provider levels have been defined to protect card and cardholder data held by payment processors and other third parties.
Compliance with this data protection standard entails many of the same security requirements found in other cybersecurity frameworks: anti-malware software, securely configured firewalls and network segmentation, strong authentication for system accounts, a vulnerability management program that includes regular vulnerability scans and penetration tests, and access control measures for both logical and physical access that limit system and data access to those with a legitimate business need, among others.
The merchant compliance levels, using Visa’s thresholds, are listed below (other brands use similar but not identical cut-offs):
Level 1: Any merchant processing more than 6 million transactions annually across all channels, or any merchant that has suffered a data breach. A payment brand or acquirer may also elevate any merchant to Level 1 at its discretion.
Level 2: Any merchant processing between 1 million and 6 million transactions annually across all channels.
Level 3: Any merchant processing between 20,000 and 1 million e-commerce transactions annually.
Level 4: Any merchant, usually a small business, processing fewer than 20,000 e-commerce transactions annually, or up to 1 million transactions annually across all other channels.
PCI Assessment Methods
The process for validating compliance with PCI DSS depends on the kind of business a merchant conducts and on its merchant level. All merchants must validate compliance annually, but the merchant level determines who performs the assessment and how extensive it is.
PCI DSS assessments generally fall into one of three methods:
- Qualified Security Assessor (QSA): QSAs are independent security businesses accredited by the PCI Security Standards Council to verify an organization’s compliance with PCI DSS. A QSA evaluates an organization’s handling of credit card data against the PCI DSS control goals.
- Internal Security Assessor (ISA): An ISA is an employee of the organization being assessed who has been trained and qualified by the PCI SSC to conduct PCI DSS assessments, but only for their own organization.
- Self-Assessment Questionnaire (SAQ): Lower-level merchants (with fewer transactions) use an SAQ to validate their compliance. Which of the several SAQ types a company must complete depends on how it accepts and handles card payments, for example whether payment processing is fully outsourced to a PCI DSS-compliant third-party provider.
Common Penalties for Non-Compliance with PCI
Noncompliance can result in a merchant losing the ability to accept card payments at all. For that reason, every merchant must adhere strictly to PCI DSS.
Failing to meet PCI DSS requirements endangers both your customers and your business. You risk data breaches, lost revenue, and damage to your reputation with customers.
Furthermore, if you suffer a data breach and are not PCI compliant, you might face fines of $5,000 to $500,000. These fines are levied by the card brands on your acquirer, which passes them on to you. You may also lose your merchant account entirely or be placed on the Visa/Mastercard Terminated Merchant File, which makes you ineligible for a new merchant account for years.
Maintain PCI compliance with Help from ZenGRC
Whatever your compliance concerns, data protection and cybersecurity must be built into every part of your organization. PCI DSS requirements are not meant to burden businesses; they exist to keep networks and online services secure, protecting both you and your customers from attackers and from the consequences of a data breach.
Instead of handling your compliance requirements using spreadsheets, use ZenGRC to automate documentation and audit management across all your compliance frameworks. ZenGRC’s compliance, risk, and workflow management software is straightforward.
ZenGRC is preloaded with various compliance frameworks and standards for quick adoption, including PCI, HIPAA, and SOC.
One-to-many control mapping makes it easy to match a single internal control to numerous standards, so you can monitor PCI DSS compliance alongside other frameworks and simplify compliance management.
ZenGRC also serves as a single source of truth, helping your business stay compliant and audit-ready. Policies and procedures are versioned and readily available in the document repository. Workflow management features include continuous monitoring, automated reminders, and audit trails. Insightful reports and dashboards identify gaps and high-risk areas.
Request a demo to learn how ZenGRC can assist you with compliance and vulnerability management.