Securing sensitive payment information is crucial in today’s ever-changing digital landscape. The PCI DSS was created to encourage consistent and effective data security measures that protect payment account data.
Read on to learn what PCI DSS is and why you should protect your payment ecosystem.
What is PCI Compliance?
The Payment Card Industry Data Security Standard (PCI DSS) was established by a group of major credit card companies to ensure that credit card transactions can be completed in a safe and secure manner.
Developed and maintained by the PCI Security Standards Council, the PCI DSS details the technical and operational requirements that organizations must follow in order to protect payment data.
What Kind of Businesses Need PCI Compliance?
Organizations that handle cardholder data, such as merchants and service providers involved in processing transactions, must be PCI DSS compliant.
Does your organization store, transmit, or process cardholder data? If so, you’ll need to ensure that you are compliant with the PCI DSS. If your systems affect the Cardholder Data Environment (CDE), for example through outsourced payment operations, you’ll need to adhere to the PCI DSS requirements as well. Payment environments or operations outsourced to third parties remain the responsibility of your organization.
- A merchant is an entity that accepts payment cards from any of the five members of the PCI SSC (American Express, Discover, JCB, MasterCard, or Visa) as payment for goods or services. There are 4 merchant levels.
- A service provider is a business entity that is not a payment brand but is involved in processing, storing, or transmitting cardholder data. A service provider may also provide services that control or affect the security of cardholder data.
What Happens if Your Organization is Not PCI Compliant?
If your organization is not PCI DSS compliant, you may encounter a number of critical issues.
- Your clients may not see your systems as trustworthy. PCI DSS compliance demonstrates to your clients that you take protecting cardholder data seriously. If you are not compliant, potential clients may decline to work with you if they feel that your systems cannot be trusted or could negatively impact their business.
- You may incur fines. Payment brands have the ability to fine an acquiring bank $5,000 to $100,000 per month, which is usually passed down to the merchant. The bank may also terminate its relationship with the merchant or increase its transaction fees.
- You may be stripped of your ability to perform essential services. A strained relationship with the banks or payment card companies could impact your organization’s ability to perform your basic business services, impacting your clients and your organization.
Who Performs a PCI Audit?
PCI audits are performed by certified Qualified Security Assessors (QSAs). Your QSA will analyze the nuances specific to your organization and industry to ensure proper compliance under the PCI DSS. The right QSA can provide ongoing compliance support for your organization.
You may be wondering what a QSA does during your PCI DSS audit. It’s fairly straightforward:
- They verify the technical information provided by your organization.
- They judge whether each requirement has been met.
- They provide support throughout the engagement period.
- They ensure the audit follows the PCI DSS requirements and testing procedures.
- They validate the scope of the assessment.
- They evaluate any custom controls and implementations.
- They produce the final report.