PCI Compliance - What You Need to Know

PCI DSS compliance is designed to keep cardholders and their information safe. PCI DSS is the payment card industry data security standard

Updated over 6 months ago

OVERVIEW

What is PCI DSS compliance?

PCI DSS compliance is designed to keep cardholders and their information safe. PCI DSS is the Payment Card Industry Data Security Standard. This set of security and operational standards consists of a list of practices that merchants must follow in order to accept payment cards, specifically covering how to handle, process and store sensitive data securely.

Who does PCI DSS apply to?

Any organization (regardless of size) that accepts, processes, stores or transmits cardholder data is required to comply with PCI standards.

What data qualifies as “Cardholder Data”?

The PCI standard defines cardholder data as the full Primary Account Number (PAN) plus any of the following:

  • Cardholder name

  • Expiration date

Sensitive authentication data must also be protected; this includes:

  • Full magnetic stripe data

  • Card Security Code (3 or 4 digit security code printed on the card)

  • PINs

What are the different Levels of PCI compliance?

There are 4 different levels of PCI compliance. The chart below details transaction volume for each level. For more details about the different levels of PCI compliance, visit: https://www.pcisecuritystandards.org

[Chart: transaction volume for each PCI compliance level (image not reproduced here)]

PCI Compliance Checklist

Follow these guidelines to maintain PCI compliance for your business.

Goals

PCI DSS Requirements

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords

Protect Cardholder Data

3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for all personnel

Please visit pcisecuritystandards.org for the most up to date version of this checklist.
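Requirement 3 (protect stored cardholder data) and the cardholder-data definition above are the points most often tripped over in practice: the full PAN and the card security code leak into application logs, support tickets and debug output. The following Python snippet is an added example, not MyCase's code or anything from the PCI standard itself. It scans constructed sample log lines for Luhn-valid card numbers, masks all but the last four digits, and drops fields that look like a card security code (sensitive authentication data, which may never be stored). The field names it looks for (cvv, cvc, cvv2, cid) and the "last four only" masking are assumptions chosen for the example.

```python
import re

# Constructed sample log lines (not real data) used to exercise the redaction.
SAMPLE_LOG_LINES = [
    "2024-01-05 10:12:01 INFO payment accepted card=4111111111111111 name=J. Doe exp=12/26",
    "2024-01-05 10:12:07 DEBUG gateway request pan=4242 4242 4242 4242 cvv=123",
    "2024-01-05 10:13:22 INFO invoice 1234567890123456 paid",
]

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Card security code fields (assumed field names): sensitive authentication data.
_CVV_FIELD = re.compile(r"\b(cvv2|cvv|cvc|cid)\s*=\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits of a PAN; everything else becomes '*'."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_cardholder_data(line: str) -> str:
    """Mask Luhn-valid PANs and remove card security code values from one log line.

    The Luhn check keeps ordinary invoice or order numbers of similar length untouched.
    """

    def _mask_match(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)

    line = _PAN_CANDIDATE.sub(_mask_match, line)
    return _CVV_FIELD.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)


def redact_log(lines):
    """Apply redaction to every line; suitable as a filter before logs are written or shipped."""
    return [redact_cardholder_data(ln) for ln in lines]


if __name__ == "__main__":
    for original, cleaned in zip(SAMPLE_LOG_LINES, redact_log(SAMPLE_LOG_LINES)):
        print(f"{original}\n  -> {cleaned}")
```

Running it shows the first two lines masked and the third (a Luhn-invalid invoice number) left alone. In a real deployment the filter belongs in the logging pipeline before anything is persisted, since data that is never written does not have to be protected, retained or disclosed after a breach.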

The Risk of Non-Compliance

Standards are in place for a reason: to keep consumers safe. When a merchant chooses to not comply with PCI DSS standards, there are consequences. Most of the time, this means heavy fines, charged by the payment brand (Visa, Mastercard, etc…) to the acquiring bank, which will usually pass the cost along to the business itself. Below are only some of the risks of non-compliance:

  • Banks can revoke CC processing ability

  • Increased transaction fees

  • Fines from $5,000 to $100,000 per month

  • Damage to the merchant's brand/business

  • The potential for data breach

  • Cost of forensic audits

  • Card replacement costs

  • Investigations

What if I Don’t Comply with PCI DSS?

While PCI is not a law, it is the industry standard, and companies that refuse to comply with it can be subject to, and responsible for absorbing, fines, card replacement costs, and other consequences in the event of a breach.

I’m using MyCase for Credit Card Payment, Doesn’t That Make Me PCI Compliant?
Using a third-party company, like MyCase, does not exempt you from PCI DSS compliance. It may cut down on your risk exposure and reduce the effort needed to comply, but as a business that accepts card payments, you still have an obligation to ensure compliance.

For a full list of questions about PCI Compliance, visit: https://www.pcicomplianceguide.org/faq/#
