Is PCI Compliance Mandatory?

The PCI DSS must be implemented by all entities that process, store, or transmit cardholder data issued by the five major card brands comprising the PCI SSC. Although compliance with the PCI DSS is not required by law, organizations could potentially experience fines and penalties from the PCI SSC as a response for noncompliance.

What Happens if You Do Not Meet PCI Compliance?

If you want to be able to conduct business by accepting physical, mobile, or online payments from the major card brands, then you need to make sure you are compliant with the PCI DSS. If a breach or event involving data exposure were to occur and an entity was found not to be PCI compliant, that organization would be subject to fines and, in more extreme cases, potentially no longer allowed to accept payments from cards issued by the major brands. Again, PCI security compliance is not mandatory from a legal standpoint, but if the PCI SSC finds an entity to be noncompliant with the PCI DSS, it can severely fine and penalize that organization for violations.

What is PCI Compliance Certification?

Entities are able to certify their PCI compliance once all of the requirements and controls specific to their compliance level are met and validated. There are four PCI DSS compliance levels, and the level an entity belongs to depends on the number of transactions it is conducting per year.

• Compliance level 1 applies to entities processing more than 6 million real-world credit or debit transactions annually. To certify their PCI compliance, level 1 organizations must undergo an annual PCI assessment, which must be conducted by an authorized PCI auditor (called a Qualified Security Assessor, or QSA). In addition, they must submit to an external vulnerability scan by an Approved Scanning Vendor (ASV) once per quarter.

• Compliance level 2 applies to entities processing between 1 million and 6 million real-world credit or debit transactions annually. To certify their PCI compliance, level 2 organizations must complete an annual PCI assessment using a Self-Assessment Questionnaire (SAQ). In addition, a quarterly external vulnerability scan could be required.

• Compliance level 3 applies to entities processing between 20,000 and 1 million ecommerce transactions annually. To certify PCI compliance certification, level 3 organizations must complete a yearly PCI assessment using the relevant SAQ. In addition, a quarterly external vulnerability scan could be required.

• Compliance level 4 applies to entities processing less than 20,000 ecommerce transactions annually or those that process up to 1 million real-world transactions. To certify PCI compliance, level 4 organizations must complete a yearly PCI assessment using the relevant SAQ. In addition, an annual external vulnerability scan could be required.

It is easy to see how the many controls and potential penalties associated with the PCI compliance process can contribute to stress and uncertainty for any number of businesses. The cost and complexity of maintaining compliance—combined with the effort and expertise required to support and validate it—can be burdensome for even the most advanced organizations.

Unfortunately, when it comes to PCI compliance, there is no single PCI compliance solution that can handle or maintain all the necessary PCI DSS services for an organization in full. It takes a significant amount of time and effort even with the assistance of some PCI DSS compliance software and tools designed to simplify the process.

However, there are a number of solutions that can help streamline the PCI compliance process. We believe one of the best techniques to make compliance easier is to use tokenization to reduce the amount of cardholder data entering your environment.

By utilizing tokenization, you entirely remove the sensitive credit card or debit card data from your internal systems, which drastically reduces your scope of compliance while preserving certain aspects of the original data for use in analytics and other crucial business processes and reporting. These benefits can decrease the cost and complexity of compliance without restricting or otherwise adversely affecting operations.

For a more detailed look at the ins and outs of tokenization and how it can help businesses protect their data and achieve operational success, download our “How to Choose a Tokenization Solution” ebook or view our blog now.