Skip to main content
All CollectionsOnline PaymentsMyCase Payments
PCI Compliance - What You Need to Know
PCI Compliance - What You Need to Know

PCI DSS compliance is designed to keep cardholders and their information safe. PCI DSS is the payment card industry data security standard

Updated over 7 months ago

OVERVIEW

What is PCI DSS compliance?

PCI DSS compliance is designed to keep cardholders and their information safe. PCI DSS is the payment card industry data security standard. These set of security and operational standards consist of a list of practices that merchants must follow to accept payment cards, specifically how to handle, process and store sensitive data securely.

Who does PCI DSS apply to?

Any organization (regardless of size) that accepts, processes, stores or transmits cardholder data is required to comply with PCI standards.

What data qualifies as “Cardholder Data”?

The PCI Standards defines cardholder information as the full Primary Account Number (PAN) plus any of the following:

  • Cardholder name

  • Expiration date

Sensitive authentication data must also be protected, this includes:

  • Full magnetic stripe data

  • Card Security Code (3 or 4 digit security code printed on the card)

  • PINs

What are the different Levels of PCI compliance?

There are 4 different levels of PCI compliance. The chart below details transaction volume for each level. For more details about the different levels of PCI compliance, visit: https://www.pcisecuritystandards.org

User-added image

PCI Compliance Checklist

Follow these guidelines to maintain PCI compliance for your business.

Goals

PCI DSS Requirements

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor supplied defaults for system password

Protect Cardholder Data

3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need to know.
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes.

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for all personnel.

Please visit pcisecuritystandards.org for the most up to date version of this checklist.

The Risk of Non-Compliance

Standards are in place for a reason: to keep consumers safe. When a merchant chooses to not comply with PCI DSS standards, there are consequences. Most of the time, this means heavy fines, charged by the payment brand (Visa, Mastercard, etc…) to the acquiring bank, which will usually pass the cost along to the business itself. Below are only some of the risks of non-compliance:

  • Banks can revoke CC processing ability

  • Increase cost of transaction fees

  • Fines from $5,000 to $100,000 per month

  • Damage to the merchants brand/business

  • The potential for data breach

  • Cost of forensic audits

  • Card replacement costs

  • Investigations

What if I Don’t Comply with PCI DSS?

While PCI isn’t a law, it is the industry standard, and companies who refuse to cooperate with it can be subject to and responsible to absorb the costs of fines, card replacement costs, and other consequences in the event of a breach.

I’m using MyCase for Credit Card Payment, Doesn’t That Make Me PCI Compliant?
Using a third-party company, like MyCase, doesn’t exclude you from PCI DSS compliance. It may cut down on your risk exposure and reduce the effort to comply but as a business that accepts card payments, you have an obligation to ensure compliance.

For a full list of questions about PCI Compliance, visit: https://www.pcicomplianceguide.org/faq/#


Did this answer your question?