Who Needs to Be PCI Compliant?

Around the world, merchants have realized that card payments are the method customers prefer for buying products and services: 80% of customers prefer to use a card, while only 14% would rather use cash. Card payments include debit, credit, and prepaid cards, which are convenient, safe, and fast. If you are a merchant or payment service provider (PSP) that accepts, processes, stores, or transmits card payment data, or whose systems could affect the security of that data, you must maintain PCI compliance. You have likely heard the term, but you may not know what it means, who needs to be compliant, why it matters, and what happens if you fail to comply. This article covers those questions to help you find your way around the complex world of PCI compliance.

What Is PCI Compliance? 

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements that companies which accept, process, store, or transmit card data must meet so that cardholders' sensitive information is protected from breaches, card fraud, and identity theft. PCI DSS is maintained by the PCI Security Standards Council, which the five major card brands (American Express, Discover, JCB, MasterCard, and Visa) founded for that purpose. The standard is organized into 12 principal requirements that break down into more than 200 detailed sub-requirements.

How a business validates compliance depends on its merchant level and on how it accepts card payments (see the levels below). The 12 principal requirements themselves, however, apply to every merchant, regardless of size or annual card volume.

The 12 PCI DSS Requirements for All Merchants

The twelve requirements, in the wording of PCI DSS v4.0, are:

1. Install and maintain network security controls.
2. Apply secure configurations to all system components.
3. Protect stored account data.
4. Protect cardholder data with strong cryptography during transmission over open, public networks.
5. Protect all systems and networks from malicious software.
6. Develop and maintain secure systems and software.
7. Restrict access to system components and cardholder data by business need to know.
8. Identify users and authenticate access to system components.
9. Restrict physical access to cardholder data.
10. Log and monitor all access to system components and cardholder data.
11. Test security of systems and networks regularly.
12. Support information security with organizational policies and programs.

In addition to these general requirements, there are four merchant levels, each with its own validation requirements. A merchant's level is set by its annual transaction volume (and a card brand can move a merchant to Level 1 after a breach, whatever its volume). Under the Visa definitions, Level 4 merchants process fewer than 20,000 e-commerce transactions a year (and up to 1 million transactions in total), while Level 1 merchants process more than 6 million transactions a year. Level 1 merchants must have an on-site assessment by a Qualified Security Assessor (QSA) and submit a Report on Compliance (ROC); merchants at Levels 2 to 4 normally validate with a Self-Assessment Questionnaire (SAQ). Which SAQ applies (SAQ A, A-EP, B, B-IP, C, C-VT, P2PE, or D) depends on how the merchant accepts, processes, stores, or transmits card data, so a business with more than one payment channel may have to complete more than one SAQ.

Additionally, merchants should check that they are up to date with the requirements of PCI DSS v4.0, which replaced v3.2.1 when the older version was retired on March 31, 2024. All merchants are required to meet the updated standard, which includes stronger authentication requirements (for example, multi-factor authentication for all access into the cardholder data environment and longer minimum password lengths) and updated requirements for protecting stored and transmitted account data with strong cryptography.

Is PCI Compliance Required by Law?

It is important to note that PCI DSS is not a law. It is an industry standard that is enforced contractually: the card brands bind acquiring banks to it, and acquirers bind merchants through their merchant agreements, so a merchant that must be compliant but fails to meet the requirements faces substantial fines and penalties. Penalties can range from $5,000 to $100,000 a month, depending on the size and scope of the problem. These fines apply whether or not the compliance failure ends in a data breach. A breach is, however, more likely when a company is not PCI compliant, and a breach can also lead to legal action from the people affected.

Who Needs to Be PCI Compliant? 

Any organization that accepts, handles, stores, or transmits cardholder data must be PCI compliant. The size of the business and the number of transactions do not exempt a company from compliance. Cardholder data means the data from debit, credit, and prepaid cards, above all the primary account number (PAN). Businesses must maintain compliance regardless of where and how they accept card data (in-store, online, over the phone, or in an app). If a business uses a third-party provider to process card payments, the company still needs to be compliant: outsourcing can shrink the merchant's PCI scope considerably (often down to the shortest questionnaire, SAQ A), but responsibility for compliance stays with the merchant, who should also confirm that the provider holds a current Attestation of Compliance.

Why Is It Important to Be PCI Compliant? 

For businesses handling cardholder data, there are several reasons why PCI compliance matters. First, the standard helps keep customers' card details from being compromised in a data breach. Cardholder data consists of the primary account number (PAN) together with the cardholder's name, expiration date, and service code; attackers want all of it, and the PAN in particular. Sensitive authentication data (full magnetic-stripe or chip track data, the CVV/CVC security code, and PINs) is treated even more strictly: it must never be stored after authorization, even in encrypted form. When merchants take protecting their customers' payment details seriously, their businesses also appear more trustworthy and professional. A secure checkout process improves the overall customer experience, which brings repeat, loyal customers and drives revenue.

What Happens If I’m Not PCI Compliant? 

On the other hand, a merchant that fails to achieve or maintain compliance can face serious legal, financial, security, and reputational consequences. A business that accepts payments without being compliant must be prepared for data breaches that compromise its customers' sensitive data. Such breaches have several devastating impacts: harming customers, losing their trust, lawsuits, and even going out of business. The 2021 Cost of a Data Breach report by IBM and the Ponemon Institute found that the average cost of a data breach in 2021 was $4.24 million, about 10% higher than the 2020 average of $3.86 million. A breach of that size can wreak havoc on a small or medium business.

Additionally, card brands may issue monthly fines of anywhere from $5,000 to $100,000 for businesses that violate the compliance requirements. The amount depends on the merchant's transaction volume, the number of PCI DSS violations, and the card brand issuing the penalty. The fines are levied on the acquiring bank (merchant bank), which will almost always pass them on to the merchant. The acquirer may also charge higher transaction fees, revoke the right to accept card payments, or terminate the merchant's account altogether. Merchants should therefore plan for compliance, whether by partnering with a compliant provider or by achieving it independently.

How Do I Achieve Compliance?  

Achieving PCI compliance can take weeks, months, or even years, and maintaining it is ongoing work: completing the annual self-assessment or QSA audit, submitting an Attestation of Compliance (AOC) to your acquirer, running quarterly external vulnerability scans through an Approved Scanning Vendor (ASV), and paying for all of it. This is why many merchants work with a reputable provider that itself meets the PCI DSS Level 1 requirements, the highest level and the one with the strictest validation. Using such a provider gives merchants reasonable confidence that the parts of the payment flow they have outsourced are handled by a validated party and that their customers' sensitive data is protected against theft.

 See how the Oklahoma Turnpike Authority sped up their PCI audit process by 50%, with 80% fewer people involved, by partnering with TokenEx.

How TokenEx Can Help You Achieve PCI Compliance 

Tokenization with TokenEx reduces PCI compliance scope and risk for merchants. Because a token can stand in for the card number in your own systems, you keep the business uses of the data (recurring billing, analytics, customer records) without keeping the card number itself.

Tokenization captures card data before it reaches your internal environment, replaces the primary account number (PAN) with a surrogate token that has no mathematical relationship to the PAN, and stores the PAN in a secure vault hosted off site. Your systems then store and pass around only the token. Because a token without access to the vault cannot be turned back into a PAN, systems that handle only tokens no longer store, process, or transmit cardholder data and can be removed from PCI scope. Two caveats apply: detokenization must be restricted to the few components that genuinely need the PAN (otherwise those components are back in scope), and tokenization reduces your scope rather than transferring your obligations. The merchant still signs its own SAQ or ROC; what changes is how much of the environment the assessment has to cover.
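To make the mechanics concrete, here is an added example (written for this article, not TokenEx code) of vault-style tokenization. It assumes a hypothetical in-memory `TokenVault` standing in for the provider's off-site vault, a constructed test card number, and a made-up caller name (`payment-gateway`) as the only component permitted to detokenize. It also shows the two checks the previous paragraphs call for: the merchant's stored record is masked to first six and last four digits, and a Luhn-based scan confirms the record holds no real PAN.

```python
"""Vault-style tokenization demo (added example, not TokenEx code)."""
import re
import secrets
from dataclasses import dataclass

# Constructed input: a well-known test card number, not a real account.
TEST_PAN = "4111 1111 1111 1111"


def luhn_valid(pan: str) -> bool:
    """Luhn checksum; used to reject malformed input and to scan for leaked PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Show at most the first six and last four digits (the PCI DSS display limit)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Stand-in for the provider's off-site vault; the merchant never holds this."""

    def __init__(self, detokenize_allowed: set[str]):
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}
        self._detokenize_allowed = detokenize_allowed  # hypothetical allow-list

    def tokenize(self, raw_pan: str) -> tuple[str, str]:
        """Return (token, masked PAN). The PAN itself never leaves the vault."""
        pan = re.sub(r"\D", "", raw_pan)
        if not (13 <= len(pan) <= 19) or not luhn_valid(pan):
            raise ValueError("input is not a plausible PAN")
        if pan in self._token_by_pan:  # same PAN always maps to the same token
            return self._token_by_pan[pan], mask_pan(pan)
        while True:
            # Format-preserving token: same length, last four kept for display,
            # the rest random, so the token carries no information about the PAN.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject collisions and any token that happens to pass Luhn, so a
            # token can never be mistaken for (or used as) a real card number.
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token, mask_pan(pan)

    def detokenize(self, token: str, caller: str) -> str:
        """Only allow-listed components may recover the PAN; they are in PCI scope."""
        if caller not in self._detokenize_allowed:
            raise PermissionError(f"{caller} is not permitted to detokenize")
        return self._pan_by_token[token]


@dataclass
class MerchantOrder:
    """What the merchant's own database stores: token and masked PAN only."""
    order_id: str
    token: str
    display_pan: str


PAN_PATTERN = re.compile(r"\b\d{13,19}\b")


def contains_pan(text: str) -> bool:
    """Scope check: does this text contain a Luhn-valid 13 to 19 digit number?"""
    return any(luhn_valid(m.group()) for m in PAN_PATTERN.finditer(text))


def place_order(vault: TokenVault, order_id: str, raw_pan: str) -> MerchantOrder:
    """The merchant-side boundary: the raw PAN goes to the vault, only the
    token and masked value come back into the merchant's record."""
    token, display_pan = vault.tokenize(raw_pan)
    return MerchantOrder(order_id, token, display_pan)


if __name__ == "__main__":
    vault = TokenVault(detokenize_allowed={"payment-gateway"})
    order = place_order(vault, "A-1001", TEST_PAN)
    print(order)
    print("record holds a PAN:", contains_pan(f"{order.token} {order.display_pan}"))
    print("gateway sees:", vault.detokenize(order.token, caller="payment-gateway"))
```

Because the token is random rather than derived from the PAN, the only way back to the card number is the vault's lookup, which is exactly why the vault, and every component allowed to call `detokenize`, stay in scope while the systems that store `MerchantOrder` can drop out of it. Vendors differ on whether tokens keep the last four digits or pass Luhn; the choice here (keep last four, fail Luhn) is one common design, not a description of any particular product.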