
5 things you need to know about PCI DSS

by Sahil Verma SIFIPAY

If your business stores, processes or transmits payment card data, including through an online payment gateway, you must comply with PCI DSS, the Payment Card Industry Data Security Standard. The standard has been in place since 2006, but it is still complex enough to generate a steady stream of questions. Written from the perspective of a payment processing business, this post addresses the practical concerns that you, as a payment service provider or as a customer of one, are most likely to have about PCI DSS.


What is PCI DSS Compliance?

PCI DSS is a set of security requirements that applies to every organization that stores, processes or transmits cardholder data, and to the service providers that can affect the security of that data. It was created by the major card brands (Visa, Mastercard, American Express, Discover and JCB), which founded the PCI Security Standards Council (PCI SSC) in 2006 to maintain it. The Council publishes the standard; the brands and their acquiring banks make merchants and service providers follow it through their contracts. The requirements are both technical (network segmentation, protection of stored and transmitted card data, access control, logging, vulnerability management) and operational (policies, training, vendor management), and meeting them is not optional.

Noncompliance is expensive. The card brands fine the acquiring bank, which passes the fines on to the merchant; after a breach the merchant is typically liable for card replacement costs and fraud losses, may be moved to a higher validation level or subjected to more frequent audits, and can ultimately lose the ability to accept cards at all. On top of that, a breach damages a company's reputation and costs it the trust of its customers. PCI DSS is therefore a requirement rather than a suggestion for any business that provides payment services.

PCI DSS is a status and not an event

Compliance is a state you must maintain, not a certificate you earn once. Validation happens annually (a Report on Compliance or a Self-Assessment Questionnaire, plus an Attestation of Compliance), but many controls carry their own cadence: quarterly external scans, routine log review, periodic penetration tests. An assessor will therefore ask for evidence covering the whole year, not a snapshot taken the week before the assessment. Every applicable requirement has to be met; you cannot skip one because you judge the risk in that area to be low. What the standard does allow is a documented compensating control where a legitimate technical or business constraint prevents meeting a requirement as written, provided the alternative meets the requirement's intent and is validated by the assessor (PCI DSS v4.0 adds a customized approach for meeting a requirement's objective by a different method). Neither is a negotiation: both must be justified in writing and re-validated at every assessment.

Finding a qualified QSA

Engaging a QSA (Qualified Security Assessor) is the right choice for any organization that needs a formal assessment. Use the listings on the PCI Security Standards Council website to choose a QSA company, an Approved Scanning Vendor (ASV) for the quarterly external vulnerability scans, or a PCI Forensic Investigator (PFI) if a breach needs investigating; only organizations on those lists are recognized by the card brands. A QSA scopes the cardholder data environment, assesses the controls, writes the Report on Compliance (ROC) and signs the Attestation of Compliance (AOC). Smaller merchants that are eligible for a Self-Assessment Questionnaire (SAQ) may complete it themselves, but a QSA can still help select the correct SAQ type and confirm that the scope is right, which is where most self-assessments go wrong.

Third-Party payment processors must adhere to the compliance as well

As a business owner, you must ensure that every payment service provider or processor you contract with is itself PCI DSS compliant; Requirement 12 of the standard obliges you to maintain a list of such providers and track their status. Do not rely on a marketing claim. Write the obligation into the contract, ask for the provider's current Attestation of Compliance (AOC), check that it covers the specific services you use, and re-check it every year, since an AOC is only valid for twelve months. The card brands also publish registries of validated service providers you can consult.

It is not a specific law and is ever-evolving in nature

PCI DSS is not a law in most jurisdictions, and in the United States it is not enforced as federal law. It is a standard that the card brands impose through their contracts with acquiring banks, which pass the obligation on to merchants and payment service providers. A few US states, Nevada and Minnesota among them, have written parts of it into statute, so check your local requirements as well.

The standard does evolve, but at a measured pace. Major versions have been years apart (v3.2.1 in 2018, v4.0 in 2022), and new requirements are introduced as best practice first and only become mandatory after a transition period. A business owner does not need to fear a sudden dramatic shift, but, as noted above, compliance must be built into ongoing processes so that each change can be absorbed when it arrives.

Limits on stored card data, and requirements that depend on your size

Even a fully compliant payment processor may store only the cardholder data it actually needs, and only for as long as it needs it (PCI DSS Requirement 3). Sensitive authentication data, meaning the card verification code (CVV/CVC), full magnetic stripe or chip track data, and PINs or PIN blocks, must never be retained after authorization, even in encrypted form. The primary account number (PAN) must be rendered unreadable wherever it is stored, by truncation, tokenization, strong encryption or a keyed hash, and must be masked when displayed so that at most the BIN and the last four digits are visible to anyone without a documented business need to see more. Keeping less data is the cheapest control there is: what you do not store cannot be stolen, and it shrinks the scope of your assessment.
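As an added illustration of the data-handling rules above (example code written for this page, not from SIFIPAY or the PCI SSC), the Python below validates a PAN with the Luhn check, masks it for display, reduces a captured card record to what may be kept after authorization, and scans free text such as log lines for unmasked PANs. The HMAC key, the field names and the sample card record are constructed for the example; the PAN used is a well-known test number, not a real card.

```python
import hashlib
import hmac
import re

# Sensitive authentication data (SAD) that PCI DSS Requirement 3 forbids
# retaining after authorization, even in encrypted form. Field names are
# assumed for this example.
SAD_FIELDS = {"cvv", "cvc", "cvv2", "cid", "track1", "track2", "pin", "pin_block"}

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(pan: str) -> bool:
    """True if `pan` is all digits and passes the Luhn check (ISO/IEC 7812)."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, bin_digits: int = 6) -> str:
    """Mask a PAN for display: keep at most the BIN and the last four digits.

    PCI DSS v3.2.1 Requirement 3.3 allows first six / last four. PCI SSC
    guidance for v4.0 allows a BIN of up to eight digits, but only for PANs
    of 16 or more digits; shorter PANs stay at six. Show fewer digits when
    the viewer has no business need to see the BIN.
    """
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    if bin_digits not in (6, 8) or (bin_digits == 8 and len(pan) < 16):
        raise ValueError("BIN may be 6 digits, or 8 only for PANs of 16+ digits")
    return pan[:bin_digits] + "*" * (len(pan) - bin_digits - 4) + pan[-4:]


def prepare_for_storage(card: dict, hmac_key: bytes) -> dict:
    """Reduce a captured card record to what may be retained after authorization.

    SAD fields are dropped outright. The PAN is kept only truncated (for
    display and receipts) and as a keyed hash (for lookup and de-duplication);
    v4.0 Requirement 3.5.1.1 requires hashes of PAN to be keyed, so a plain
    SHA-256 of the PAN is not acceptable. In a real deployment `hmac_key`
    would come from an HSM or key-management service, not a literal.
    """
    pan = re.sub(r"\D", "", card["pan"])
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    kept = {k: v for k, v in card.items() if k not in SAD_FIELDS and k != "pan"}
    kept["pan_truncated"] = mask_pan(pan)
    kept["pan_hmac"] = hmac.new(hmac_key, pan.encode(), hashlib.sha256).hexdigest()
    return kept


def find_pans(text: str) -> list:
    """Return Luhn-valid PANs found in free text, e.g. a log line or a dump.

    Useful for a quick scan of logs and backups for PANs that slipped past
    masking. The Luhn filter removes most order numbers and timestamps; a
    real DLP scan would add BIN-range checks to cut false positives further.
    """
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    # Constructed sample record and log line; the PAN is a standard test number.
    captured = {"pan": "4111 1111 1111 1111", "cvv": "123",
                "expiry": "12/29", "cardholder": "A. Tester"}
    print(prepare_for_storage(captured, hmac_key=b"example-key-from-kms"))
    print(find_pans("2022-03-05 00:57:01 auth ok pan=4111 1111 1111 1111 amt=12.00"))
```

Running the module shows the stored record containing no `cvv` key and only the masked PAN and its HMAC, and the log scanner flagging the one full PAN in the sample line. The same `find_pans` routine, pointed at application logs, is a cheap way to catch the most common Requirement 3 failure before an assessor does.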

Merchants are also assigned to one of four levels by the card brands, based on annual transaction volume, and the validation required differs by level. The thresholds below are Visa's, which are the ones most often quoted; the other brands use similar but not identical tiers, and your acquirer decides which level applies to you.

Level 1 merchants process more than 6 million transactions per year. They must have an annual Report on Compliance (ROC) produced by a QSA (or by an internal assessor if a company officer signs off), pass quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), submit an Attestation of Compliance, and carry out the internal and external penetration tests the standard requires.

Level 2 merchants process 1 million to 6 million transactions per year. They complete an annual Self-Assessment Questionnaire (SAQ) rather than a full ROC, plus quarterly ASV scans and an AOC; some brands, Mastercard among them, require the Level 2 SAQ to be completed by a QSA or by staff trained as Internal Security Assessors.

Level 3 merchants process 20,000 to 1 million e-commerce transactions per year.

Level 4 merchants process fewer than 20,000 e-commerce transactions per year, or up to 1 million transactions in total across all channels. Both Level 3 and Level 4 complete an annual SAQ and quarterly ASV scans, and the acquirer may impose further requirements. Which SAQ applies (A, A-EP, B, C, D and so on) depends on how cards are accepted; a merchant that fully outsources card handling to a compliant hosted payment page, for example, qualifies for the short SAQ A.

Two further points apply to service providers. First, PCI DSS Requirement 8 mandates multi-factor authentication for administrative and remote access into the cardholder data environment, and v4.0 extends this to all access into that environment. Second, a payment brand or acquirer can designate an entity for Designated Entities Supplemental Validation (DESV, Appendix A3 of the standard), which adds ongoing evidence that controls keep operating, not merely that they were in place at assessment time. 3-D Secure 2 (3DS2) is a separate matter: it is EMVCo's cardholder authentication protocol, not a PCI DSS control. Under 3DS2 the merchant sends the issuer transaction and device data (for example the shipping address and a device fingerprint) so that the issuer can perform risk-based authentication and approve most low-risk purchases without challenging the customer; that is how it reduces friction at checkout while shifting fraud liability to the issuer. The components that run 3DS (the 3DS Server, Directory Server and Access Control Server) are covered by the PCI SSC's own PCI 3DS Core Security Standard, which adds requirements beyond PCI DSS and so makes providers of those components more accountable for data security.

We are a PCI DSS compliant organization. If you are a merchant or a payment service provider looking for a compliant partner, please contact us.

Finally, PCI DSS compliance is a status that earns a great deal of trust from clients and customers, because it demonstrates a verified baseline of care over their data. The processes involved may look complicated, but they protect your company's reputation as well as its customers. It is also strongly advised to engage a qualified QSA early; an assessor can address the specific scoping questions and concerns that arise for your business.




Created on Mar 5th 2022.
