Understanding PCI DSS Compliance: A Beginner’s Guide

If you’re a business owner, you’ll no doubt have heard of PCI DSS compliance. Although the standard has been in place since 2014, a recent report found half of organisations fail to maintain compliance. Any business that takes card payments online is flirting with disaster if they fail to take PCI compliance seriously. The consequences of non-compliance can be significant, as numerous high profile data breach scandals have illustrated. 

But what exactly does PCI DSS compliance mean and how can you achieve it? 

What Does PCI DSS Stand For?

PCI DSS refers to the Payment Card Industry Data Security Standard, which was introduced by the major credit card companies in 2004. In 2006, the Payment Card Industry Security Standards Council (PCI SSC) was established to administer and govern the development of the standard.

Why Do We Need the PCI DSS?

As e-commerce businesses exploded in the late 1990s, opportunistic fraudsters became an increasing problem for merchants, credit card companies and consumers. PCI DSS was developed to protect card issuers from fraudulent activity.

Five major credit card companies — MasterCard, American Express, Visa, JCB Financial and Discover Financial Services — observed the growing number of payment fraud cases. They decided to amalgamate their information security programmes to create a standardised approach to data protection.  

Do I Need to Be PCI Compliant?

If your business accepts credit card payments, you need to work towards PCI compliance. This requirement is not law, but the consequences of non-compliance are potentially devastating for any business — small or large — so it’s well worth the cost and effort involved in achieving compliance.  

There are four levels of compliance, based on a merchant’s Visa transaction volume over 12 months.

  • Level 1 — businesses that process more than six million card transactions per annum
  • Level 2 — businesses that process one to six million card transactions per annum
  • Level 3 — businesses that process 20,000 to one million card transactions per annum
  • Level 4 — businesses that process fewer than 20,000 transactions per annum

Level 1 has the strictest requirements. A merchant must meet all the requirements at their level to achieve compliance. Level 3 or 4 will be the appropriate level for many small businesses.

How Do I Gain PCI DSS Compliance?

The PCI SSC sets out a three-step process to achieving compliance:

  1. Assess
  2. Remediate
  3. Report

Assess. Complete a self-assessment questionnaire (SAQ) to determine your current level of compliance. There are eight SAQs to choose from. Refer to the PCI SSC guidelines to help you select the correct questionnaire. You’ll also need to complete an Attestation of Compliance, provided along with your chosen questionnaire. 

Remediate. Identify and address any gaps in your security processes and procedures. This might include creating an information security policy or switching to PCI DSS compliant software.

Report. Inform the relevant acquiring financial institution or payment card brand of your PCI DSS compliance status.

Achieving PCI compliance is not a one-off task. It must be maintained year-on-year and there is a fee to pay. The cost of compliance is determined by the size of a business, your current level of security and the technology you use. 

What Are the Consequences of Non-Compliance?

If your company is not working towards compliance and suffers a data breach, the consequences could spell the end of your business. The potential consequences of non-compliance include:

  • Significant penalties — average fees for a small business in the UK are £15,000 and can run into millions for major brands. 
  • Damaged business reputation — 43% of UK consumers stop associating with a business after it suffers a data breach.
  • Associated costs of a breach — these might include legal fees and lost business. 
  • Increased costs for future business — gaining compliance after a breach may be more costly and the cost of issuing payment cards could rise.
  • Limitations on future business activity — payment fraud or a serious data breach may result in the revocation of your ability to process card payments. 

The Bottom Line

Achieving PCI compliance is no mean feat. It takes time, effort and ongoing financial investment. However, this pales in comparison to the potential consequences of non-compliance. If your company accepts card payments and you are not currently PCI DSS compliant, nor working towards it, take the first step today and protect the future of your business.