PCI DSS Compliance: What It Means and Why It Matters
The amount of money that changes hands electronically every year is staggering. Every three years the Federal Reserve oversees a comprehensive study reviewing consumer spending and transaction payment methods. Data from the most recent study shows strong consumer spending activity using payment cards:
- Consumers spend almost $4 trillion annually using cards
- Debit and credit card payments increased roughly 9% per year, on average
- More than half of in-person card payments used added security methods, such as chip authentication
This is a strong statement that payment card transactions aren’t going away, and security measures need to be sophisticated to keep cardholder data from getting into the wrong hands.
The Cost of Payment Card Industry Transactions
When consumers – or even businesses – use “plastic” to make a payment in person or remotely, there are behind-the-scenes costs that factor into every transaction:
- Interchange fees – charged by card institutions
- Assessment fees – charged by payment networks
- Processing fees – charged to the companies that accept payments, such as websites and retail stores
As the breakdown above shows, the cost of accepting payments is an important factor in every business’s profit margin. More importantly, there is a “hidden” cost of doing business that can cost a business everything: security vulnerabilities in the transmission of cardholder data. Fortunately, the Payment Card Industry Data Security Standard (PCI DSS) outlines steps businesses can take to protect that data.
What is PCI?
PCI DSS is a set of requirements for protecting cardholder data and account security across the entire transaction process, with the ultimate goal of reducing credit card fraud. The Payment Card Industry Security Standards Council worked with the major credit card companies to make credit card transaction security a priority by establishing the PCI DSS.
What is PCI Compliance?
Because every business is different, PCI DSS divides compliance requirements into categories based on annual transaction volume (measured in number of transactions, not dollars spent per transaction). If your business processes fewer than 20,000 annual transactions, you’re in the category made up mostly of small-to-medium-sized businesses (SMBs), and you can review the Self-Assessment Questionnaire (SAQ) to determine your level of compliance.
You’ll need to complete the SAQ for your level of compliance, and this may include passing a vulnerability scan and submitting evidence to a PCI Approved Scanning Vendor (ASV). If you’re not clear on what documentation the SAQ requires, be ready to navigate a complex web of FAQs to find answers.
How Can I Be Sure My Business is Compliant?
Ultimately, your goal is to make certain that each payment card transaction is transmitted using secure methods, reducing the chance that cardholders’ financial account information is stolen.
PCI DSS outlines six key areas of requirements:
- Maintain secure IT systems and networks
- Protect cardholder data
- Formalize processes to identify and address vulnerabilities
- Implement strong access control procedures
- Monitor and test networks regularly
- Maintain and routinely update information security policies
If this sounds like a lot, it’s because it is. The overwhelming nature of data security is enough to lose sleep over – but it doesn’t have to be. There are consultants who are well-versed in navigating PCI compliance and can guide your business in making sure your data is secure.
PCI DSS: The Return on Your Investment
Businesses that process credit card payments must comply with PCI DSS requirements. PCI DSS is the industry standard, and non-compliance can result in hefty fines for negligence. The greater cost, though, is the hidden one mentioned above: data security is the most important consideration in payment card transactions, and investing in a secure infrastructure is crucial. Security vulnerabilities lead to data breaches, which result in credit card fraud and – for the business involved – loss of revenue, reputation, and more.
The bottom line: Don’t take chances with your cardholder data!