PCI Compliance Explained

PCI compliance fosters the adoption of data security standards and resources designed to prevent fraud and make payments safe.

Read our article to find out more about PCI data security standards and the steps merchants need to take to become compliant.

The PCI Data Security Standard (PCI-DSS) is a set of requirements designed to protect payment account data throughout the payment lifecycle. It includes standards for merchants, payment service providers and financial institutions regarding security practices, technologies and processes, as well as standards for developers and vendors for creating secure payment products and solutions. An entity achieves PCI compliance by consistently adhering to these standards.

PCI standards are periodically updated to address emerging threats and new technologies. In March 2022, the PCI Security Standards Council announced that in 2024 an updated set of requirements (PCI-DSS version 4.0) will replace the standards currently in effect (PCI-DSS version 3.2.1).

Three groups play a role in merchants’ PCI compliance:

  • PCI Security Standards Council (PCI SSC): This global forum brings together payments industry stakeholders to develop data security standards and drive their adoption worldwide.
  • Card networks (e.g., Visa, Mastercard): The networks have their own specific data security requirements for merchants, guided by the PCI data security standards.
  • Merchant services providers (e.g., processors, payment service providers): Merchant services providers must be PCI compliant themselves and typically incorporate PCI compliance requirements for merchants into their service agreements.

The twelve key PCI DSS requirements for merchants are as follows (Source: PCI Security Standards website):

The scope, cost and complexity of compliance vary according to a number of factors, including transaction volume and the processing environment. For example, a merchant that has only card-not-present transactions and has fully outsourced all cardholder data functions to PCI DSS validated third-party service providers, with no electronic storage, processing or transmission of any cardholder data on the merchant’s systems or premises, will have different compliance obligations than a merchant that processes card-present transactions and stores cardholder data in its own systems.

To become PCI compliant, the first step is a self-assessment questionnaire (SAQ), which can be downloaded from the PCI Security Standards website. There are a number of SAQs available, each of which addresses a different processing environment, so it is important to select the SAQ that matches the way your processing environment is set up. Depending on the outcome of the SAQ, you may need to hire an Approved Scanning Vendor (ASV) to scan for security vulnerabilities and confirm that all standards are met. Next, complete the attestation of compliance (AOC) document that is included with the SAQ. Payment processors, gateways and acquiring banks often request this document, along with the SAQ and the vulnerability scan (if one was conducted). PCI compliance must be validated annually.

PCI compliance standards were established to prevent payment account data from being accessed and used for fraudulent activities. If a merchant does not properly protect accountholder data and a breach occurs, the merchant may be subject to fines, lawsuits from its customers and its merchant services provider, reputational damage and increased costs, which can include paying for credit and identity theft monitoring services for affected customers. Even if a breach does not occur, noncompliance penalties can be costly.

For more information on PCI compliance and helpful resources, see the PCI Security Standards website.

Verisave is a third-party cost-reduction firm specializing in merchant accounts and credit card processing fees.

Verisave is not a payment processor and is not affiliated with any processors, card brands or banks.

Verisave has more than 20 years of experience optimizing and monitoring the credit card processing industry.
