While consumers are focused on protecting their credit cards from fraud, retailers and card companies are busy maintaining PCI compliance so that consumers stay protected. PCI DSS (the Payment Card Industry Data Security Standard) defines how retailers must accept, store, process and transmit cardholder data during card transactions so that fraud and data breaches are prevented.
The problem? Thanks to ever-evolving security threats and hacks, PCI compliance is a moving target. Here are ten things you should know about maintaining PCI Compliance standards.
1. Visa and Friends Made It Happen
PCI DSS grew out of the card brands' separate security programs (Visa's Cardholder Information Security Program, for example) in the early 2000s, as card payments moved online and many of the processing systems and networks handling them were poorly secured, which drove up data breaches and card data theft. The five largest card brands – Visa, MasterCard, Discover, American Express and JCB – aligned their programs into a single standard, PCI DSS 1.0, released in December 2004, and in 2006 formed the PCI Security Standards Council as an independent body to maintain the standard, monitor threats and update the requirements so that the payment industry can address those threats.
The standard consists of 12 requirements grouped under six goals (control objectives): build and maintain a secure network and systems; protect cardholder data; maintain a vulnerability management program; implement strong access control measures; regularly monitor and test networks; and maintain an information security policy. Each requirement is paired with defined testing procedures, so the standard says not only that retailers need to be secure but how that is verified.
Retailers are not "certified" in PCI DSS; they are required to be compliant and to validate that compliance to their acquiring bank, either through a Self-Assessment Questionnaire (SAQ) or, for larger merchants, a Report on Compliance (ROC) produced by a Qualified Security Assessor (QSA).
2. Any Retailer Accepting Credit Cards Must Be PCI Compliant
Any retailer with a merchant ID that accepts credit cards must comply with PCI DSS. This is not a law but a contractual obligation imposed through the merchant's agreement with its acquiring bank and the card brands. The requirements range from written security policies to technical controls, such as never storing sensitive authentication data (full track data, card verification codes, PINs) after authorization and not keeping full primary account numbers (PANs) anywhere they are not needed.
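One of the most common ways full PANs end up stored where they should not be is through application logs. As an added example (not from the original article), the Python below scans log lines for digit runs that pass the Luhn checksum, which is how card numbers are usually located in practice, and masks each hit to the first six and last four digits, the maximum PCI DSS v3.2.1 Requirement 3.3 permits to be displayed. The log lines are constructed for the example; the Luhn check is a heuristic that also matches some non-card numbers, so treat hits as candidates to investigate, not as proof.

```python
from __future__ import annotations
import re

# Constructed sample log lines (not from any real system). The first leaks a
# Luhn-valid Visa test number, the second has a 16-digit value that is NOT a
# valid card number, the third is clean (tokenized, as PCI DSS encourages).
SAMPLE_LOG = [
    "2024-03-01T10:00:01Z INFO order=1234 card=4111111111111111 amount=19.99",
    "2024-03-01T10:00:02Z INFO session=1234567890123456 user=alice",
    "2024-03-01T10:00:03Z INFO order=1235 token=tok_abc123 amount=5.00",
]

# 13 to 19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS v3.2.1 Req 3.3)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _normalize(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(line: str) -> list[str]:
    """Return the normalized, Luhn-valid PAN candidates found in one log line."""
    hits = []
    for m in CANDIDATE.finditer(line):
        digits = _normalize(m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def redact_line(line: str) -> tuple[str, int]:
    """Return the line with every Luhn-valid PAN masked, plus the hit count."""
    count = 0

    def repl(m: re.Match) -> str:
        nonlocal count
        digits = _normalize(m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            count += 1
            return mask_pan(digits)
        return m.group()        # leave non-card numbers untouched

    return CANDIDATE.sub(repl, line), count


def scan_log(lines: list[str]) -> list[tuple[str, int]]:
    """Redact a whole log; the per-line counts show where PANs are leaking."""
    return [redact_line(line) for line in lines]


if __name__ == "__main__":
    for redacted, n in scan_log(SAMPLE_LOG):
        flag = "PAN FOUND" if n else "ok       "
        print(f"{flag} {redacted}")
```

Run against real logs, the per-line counts tell you which code path is writing card data; the fix is to stop logging it at the source (or tokenize), with the redactor kept only as a safety net.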
3. There Are Four Levels of PCI Compliance
The four merchant levels determine how a retailer must validate compliance, not which requirements apply: all 12 requirements apply to every merchant. Levels are assigned by the card brands based on annual transaction volume, and the higher the volume, the more rigorous the validation (a Level 1 merchant needs an annual on-site assessment by a QSA and a Report on Compliance, while lower levels may complete a Self-Assessment Questionnaire).
Under the Visa and MasterCard programs, retailers that process fewer than 20,000 e-commerce transactions per year and up to 1 million transactions in total across all channels (Level 4) have the lightest validation requirements. Retailers that process more than 6 million transactions per year, or that a card brand designates Level 1 at its discretion, have the most stringent.
4. Non-Compliance Is Expensive
Retailers that do not comply with PCI DSS are exposed to data breaches and card data theft, and after a breach to fines (levied by the card brands on the acquiring bank and passed on to the merchant), card reissuance costs, a mandatory forensic investigation by a PCI Forensic Investigator (PFI), brand damage and more. The biggest penalty, of course, is the permanent loss of customers after a breach.
5. But Staying Compliant Ain’t Cheap
PCI compliance can be expensive and time-consuming, and passing one assessment does not guarantee compliance next year. The cost of compliance ranges from roughly $1,000 a year to more than $50,000 a year, depending on the size of the retailer and the validation method it is required to use.
6. PCI Compliance Is A Moving Target
Retailers that experienced breaches were most often found not to be compliant at the time of the breach. Every newly disclosed weakness in payment software or equipment means another patch that has to be rolled out across all affected systems, and PCI DSS sets a clock on it: critical security patches must be installed within one month of release.
A retailer can start the day 100% compliant and end it non-compliant because a patch deadline was missed, a firewall rule was changed without review, or a new device was left on its vendor default password. It is the retailer's responsibility to keep the controls in place continuously, not just on assessment day: apply patches on time, keep the payment processing systems locked down, and monitor them so that compliance is maintained at all times.
7. PCI Compliance Standards Are Crystal Clear
Many compliance standards are vague, overly verbose or poorly written. PCI DSS is very detailed: each requirement is paired with specific testing procedures and guidance, so very little is left to interpretation. That means no excuses.
8. PCI Compliance Is Decreasing
According to the 2018 ControlScan/MAC Acquiring Trends Survey, 38 percent of respondents tracking portfolio compliance rates saw compliance rates either decrease or remain flat in 2017. Many retailers who were once compliant have become non-compliant over time.
9. Retailers Are Not Revalidating
Also, according to the report, 67 percent of those who saw a decreased portfolio compliance rate in the last year said their retailers were initially compliant but did not revalidate their compliance.
This is most likely because retailers are unaware that PCI DSS validation is an annual exercise (with quarterly external vulnerability scans by an Approved Scanning Vendor where they apply), or do not want to go through the process again. Additionally, one-third of the respondents in the 2018 survey blamed falling compliance rates on increasing requirements.
10. You Can Get Help to Maintain Your PCI Compliance
There are many qualified consultants, including PCI SSC-listed Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs), who can help retailers become compliant and stay compliant quickly and efficiently, with minimal disruption or inconvenience for their customers.
Obtaining and keeping PCI compliance doesn't have to be an impossible task, but you do need to stay current on security threats, required patches, how to respond to incidents, and your company's own data security standards.