Who Needs to Be PCI Compliant?

Around the world, merchants have quickly realized that card payments are the preferred way for customers to pay for products and services: 80% of customers prefer to use a card, while only 14% would rather use cash. Card payments include debit, credit, and prepaid cards, which are convenient, safe, and fast payment methods. If you are a merchant or payment service provider (PSP) that handles, processes, stores, or transmits card payment data, you must maintain PCI compliance. While you have likely heard of this term, you may not know what it means, who needs to be compliant, why it’s essential, and what happens if you fail to comply. This article sheds some light on these topics to help you better understand the complex world of PCI compliance.

What Is PCI Compliance? 

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards that require companies which accept, process, store, or transmit card information to maintain a secure environment and protect customers’ sensitive data from attacks such as data breaches, credit card fraud, and identity theft. PCI DSS was established by the five major card brands: American Express, Discover, JCB, MasterCard, and Visa. These card brands set rules that require organizations to meet 12 general data security requirements and more than 200 sub-requirements.

The specific compliance requirements depend on the type of business, but the following general requirements apply to all merchants, regardless of size or annual card transaction volume.

The 12 PCI DSS Requirements for All Merchants 

(Figure: PCI DSS controls list)

In addition to these general requirements, there are four compliance levels, each with further requirements. A merchant’s level is determined by its annual transaction volume: level 4 merchants process the fewest transactions each year ($20,000), while level 1 merchants process the most (more than 6 million transactions a year).

Businesses may also need to complete one or more Self-Assessment Questionnaires (SAQs), depending on how they process, store, or transmit card information. Note that although PCI DSS is not a law, it is a globally used set of rules, and any merchant that is required to be compliant but fails to meet the requirements faces substantial fines and penalties.

Who Needs to Be PCI Compliant? 

Any organization that accepts, handles, stores, or transmits cardholder data must be PCI compliant. Neither the size of the business nor the number of transactions exempts a company from compliance. Cardholder data covers debit, credit, and prepaid cards used by customers. Businesses must also maintain compliance regardless of where and how they accept card data (e.g., in-store, online, over the phone, or in an app). If a business uses a third-party provider to process card payments, the company still needs to be compliant: working with a third party may reduce risk exposure, but it does not relieve the merchant of achieving compliance.

Why Is It Important to Be PCI Compliant? 

For businesses handling cardholder data, there are several reasons why PCI compliance matters. First, this set of rules helps prevent customers’ card details from being compromised in a data breach. Cardholder data consists of the cardholder’s name, the expiration date, and the service code, all of which are valuable customer information that attackers want to obtain. When merchants prioritize protecting their customers’ payment details, their businesses also appear more trustworthy and professional. Furthermore, a secure checkout process improves the overall customer experience, leading to repeat, loyal customers and driving revenue.

What Happens If I’m Not PCI Compliant? 

On the other hand, a merchant that fails to achieve or maintain compliance can face serious legal, financial, security, and reputational consequences. A business that accepts payments but is not compliant needs to be prepared for possible data breaches that compromise its customers’ sensitive data. Such breaches have several devastating impacts: harming customers, losing customers’ trust, being sued, and even going out of business. A recent report by IBM and the Ponemon Institute found that the average cost of a data breach in 2021 is $4.24 million, which is 10% higher than the 2019 average cost of $3.86 million. A data breach could indeed wreak havoc on a small or medium-sized business.

Additionally, card brands may issue monthly fines of anywhere from $5,000 to $100,000 to businesses that violate the compliance rules. These fines are based on the merchant’s transaction volume, the number of PCI DSS violations, and the specific card brand issuing the penalty. Although the penalties are first sent to acquiring banks (merchant banks), they are likely to be passed on until they reach the merchant. Furthermore, the acquiring bank may charge higher transaction fees, revoke the right to accept card payments, or even terminate the merchant’s account because of non-compliance. It is therefore recommended to achieve PCI compliance, whether by partnering with a compliant provider or by achieving compliance independently.

How Do I Achieve Compliance?  

Did you know it can take weeks, months, or even years to achieve PCI compliance? Several ongoing tasks are required to maintain compliance, including submitting the necessary application, paying for the costly process, and undergoing regular audits to confirm your business is still compliant. This may explain why most merchants work with a reputable company that covers their PCI Level 1 compliance requirements. PCI Level 1 is the highest PCI level and has the strictest requirements, which gives merchants peace of mind that their compliance needs are met and that their customers’ sensitive data is protected against theft.

How TokenEx Can Help You Achieve PCI Compliance 

To achieve a holistic security solution, merchants are advised to add several layers to their existing environments, such as network segmentation, encryption, and tokenization. In particular, tokenization reduces compliance scope and risk and simplifies PCI compliance. It also helps preserve the business utility, agility, and flexibility of your data.

If you are considering tokenization, cloud tokenization is an excellent way to capture card data before it reaches your internal environment and store it in a secure cloud vault offsite. Tokenization helps businesses save money by eliminating the need to pay for the hardware, software, and internal systems required for network segmentation. It also increases security by making the data inaccessible to cybercriminals: if a breach occurs, attackers are left only with randomly generated tokens that carry no real card value. Storing your customers’ cardholder data outside of your environment removes the systems that previously stored that data from scope. Tokenization therefore simplifies the compliance process and shifts most of the validation responsibility to our PCI compliance and security experts at TokenEx.
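The following Python sketch is an added illustration of the vault-style tokenization described above; it is not TokenEx’s product code or API, and the `TokenVault` class, the `tok_` token format, and the order-record layout are assumptions made for the example. It shows the three properties the text relies on: the card number (PAN) is swapped for a random token before the merchant persists anything, the token has no card structure (it fails the Luhn check every real PAN passes), and a scan of the merchant’s own records finds no card-like data, which is what "removed from scope" means in practice. The sample card number is a well-known test number, not a real card.

```python
import re
import secrets
from dataclasses import dataclass


def luhn_valid(number: str) -> bool:
    """Return True if `number` is a 13-19 digit string with a valid Luhn checksum.

    Every real card number passes this check; a random token does not, which is
    the property that makes a leaked token worthless to an attacker.
    """
    if not number.isdigit() or not 13 <= len(number) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


PAN_CANDIDATE = re.compile(r"\d{13,19}")


def find_pans(text: str) -> list:
    """Heuristic PAN scan: digit runs of card length that also pass Luhn."""
    return [m.group(0) for m in PAN_CANDIDATE.finditer(text) if luhn_valid(m.group(0))]


class TokenVault:
    """Stand-in for the offsite token vault (assumed design, not TokenEx's API).

    The vault is the only component that ever holds a PAN. Everything the
    merchant keeps is a token that maps back to the PAN only through this object.
    """

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        # Reuse the existing token for a known PAN so recurring charges and
        # de-duplication keep working merchant-side without the PAN.
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        token = "tok_" + secrets.token_hex(16)  # 128 random bits, no card structure
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (on the path to the payment processor) performs this."""
        return self._pan_by_token[token]  # KeyError for an unknown token


@dataclass
class OrderRecord:
    """What the merchant stores: a token and a display-safe last four, never the PAN."""
    order_id: str
    token: str
    last4: str


def merchant_checkout(vault: TokenVault, order_id: str, pan: str) -> OrderRecord:
    """Capture the PAN and swap it for a token before anything is persisted."""
    token = vault.tokenize(pan)
    return OrderRecord(order_id=order_id, token=token, last4=pan.replace(" ", "")[-4:])


def scan_records_for_pans(records) -> list:
    """Check merchant storage for card-like data; an empty result means no PANs stored."""
    hits = []
    for r in records:
        hits.extend(find_pans(f"{r.order_id} {r.token} {r.last4}"))
    return hits


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample: a well-known test card number, not a real card.
    rec = merchant_checkout(vault, "order-1001", "4111 1111 1111 1111")
    print("stored by merchant:", rec)
    print("token is card-shaped?", luhn_valid(rec.token))
    print("PANs found in merchant store:", scan_records_for_pans([rec]))
    print("vault resolves token to:", vault.detokenize(rec.token))
```

The `scan_records_for_pans` check is the kind of evidence a merchant wants before claiming a system is out of scope: it is a heuristic (Luhn-valid digit runs), so it complements rather than replaces a formal scope assessment, and in a real deployment the vault would be a separate, access-controlled service rather than an in-process object.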

 
