The content on this page is accurate as of the posting date; however, some of the offers mentioned may have expired.
What Is PCI Compliance?
Credit card companies require Payment Card Industry (PCI) compliance to make sure that transactions are secured. PCI compliance protects cardholder data from breaches and theft. A company is considered compliant if they adhere to the set of requirements and guidelines stated in the PCI Data Security Standards (PCI DSS).
Understanding PCI Compliance
Advancements in payment technology have made transactions more convenient. However, they come with risks and challenges. Now more than ever, the importance of safety and security are highlighted, especially for business entities handling customer information and data.
That is why the PCI SSC, a global forum composed of payment industry stakeholders, created the PCI DSS, a set of security standards and requirements that help the payment card industry protect data against possible breaches and theft. PCI compliance refers to adherence to the PCI DSS.
12 Requirements of PCI DSS
The PCI SSC developed the PCI DSS to help provide secured credit cards to customers. An organization is PCI compliant if it meets the standards set by the PCI DSS. Generally, organizations have to fulfill 12 requirements. MoneyGeek breaks down each requirement to help you better understand what PCI compliance is.
Install and maintain a firewall configuration to protect cardholder data
The first requirement is to protect systems with firewalls. Firewalls refer to devices controlling computer traffic. They examine traffic between the organization's network (internal) and an untrusted network (external) to determine what transmissions to block based on the rules and criteria the organization has configured. For a better first line of defense, it would be best to install both software and hardware firewalls.
Do not use vendor-supplied defaults for system passwords and other security parameters
It is important for organizations not to use vendor-supplied default passwords and settings. These include usernames and passwords provided as factory settings. It is easy for malicious parties to access and compromise systems using these default passwords. Organizations should also avoid easy-to-crack or easy-to-find passwords.
When installing a system on your network, make sure you remove all unnecessary default accounts. Conduct an inventory and configure all security settings on your systems.
Protect stored cardholder data
Organizations should encrypt stored cardholder data using an industry-accepted algorithm. Encrypted data will remain unreadable and unusable even if an intruder gains access to them, as long as they do not have the right cryptographic keys. Aside from encryption, organizations should also apply other protection methods like hashing, masking and truncation.
Encrypt transmission of cardholder data across open, public networks
In most cases, primary account numbers (PAN) are sent to backup servers, corporate offices, outsourced systems or infrastructure management. For security purposes, organizations must encrypt sensitive information even during transmission over open and public networks. It is vital to follow industry best practices when it comes to the implementation of encryption for the transmission and authentication of data.
Use and regularly update anti-virus software or programs
Malicious software programs (malware) are the viruses, worms and Trojans that exploit the vulnerabilities of a system. In most cases, malware enters a network during official business activities. It can happen while an employee is sending an email or browsing online. Some are not aware of malware attacks until it is too late. To prevent this, organizations should make sure that their anti-virus software is always up to date on existing malware threats.
Develop and maintain secure systems and applications
Vulnerabilities in security systems can give access to malicious parties and software. While no application is perfect, manufacturers and vendors provide security patches frequently to address security holes. Organizations must install these updates as soon as possible to prevent hackers from getting through a security hole and exploiting vulnerabilities. Among the critical aspects included are application software, databases, firewalls, internet browsers, operating systems and POS terminals.
Restrict access to cardholder data by business need-to-know
Limit access to critical data. Determine authorized personnel for each system and process. Define the roles of employees, what these roles are for, what data resources they should have access to and their privilege level. Doing this will prevent unauthorized access and ensure that users only have access to data necessary to fulfill their roles.
Assign a unique ID to each person with computer access
The eighth PCI DSS requirement states the need for unique user IDs and passwords. Each user should have a unique ID. This way, each person will be accountable for the actions taken using their account. It is also not advisable to use shared passwords. Systems should have a limit on password attempts to protect data at the point of entry, during transmission and even while in storage. Some companies practice multi-factor authentication for added security.
Restrict physical access to cardholder data
Physical access to cardholder data gives unscrupulous individuals an opportunity to access systems and devices. For instance, some merchants may keep printed copies of customer information with payment card numbers. These files can be targeted by malicious parties for identity theft or other fraudulent activities. Limit physical access and keep these files in secure areas. Staff members should know about physical security policies. Implementing timeout controls on workstations and conducting inspections on all devices will also help.
Track and monitor all access to network resources and cardholder data
Logging mechanisms are important to prevent unauthorized access. It is crucial for organizations to track activities and check system event logs. In doing so, it is easier to prevent, detect and minimize the impact of data breaches. Logs can also send alerts when there is something wrong. Additionally, you can use system activity logs to determine what causes a compromise.
Regularly test security systems and processes
System vulnerabilities can come up anytime. They may be due to defects in browsers, web servers, email, operating systems, POS software or server interfaces. Test processes and software regularly to make sure all security controls are working well, even in changing environments. Organizations can get automated vulnerability scans and penetration tests.
Maintain a policy that addresses information security for all personnel
The last requirement organizations need to fulfill for PCI compliance is to have a strong security policy. Company personnel should know their responsibilities for protecting sensitive data. Keep documentation of everything related to the security measures of the company, such as employee manuals, incident response plans, policies, procedures and third-party agreements.
The twelfth requirement also includes annual formal risk assessments. These will identify assets, threats and weaknesses, allowing companies to prioritize and manage risks.
For a more comprehensive guide on the 12 PCI DSS requirements, you can check the PCI Security Standards Council website. You can also find available program training and qualification courses.
An Overview of the PCI Compliance Levels
Organizations processing payment card transactions across the five major credit card companies — American Express, Mastercard, VISA, Discover and JCB International — must ensure PCI compliance. Generally, there are four levels of compliance. Each level corresponds to the number of transactions a merchant processes in a year across all channels and if a company experienced a cyberattack that compromised cardholder data. A merchant with a high volume of transactions should comply with more stringent standards compared to those with lower volumes of transactions due to higher inherent risks.
Merchants processing more than 6 million payment card transactions a year fall under this category. These include transactions whether the card is present or not. Additionally, merchants who experience data breaches or suffer from successful cyberattacks — both internal and external — will automatically be moved to the Level 1 category.
To maintain compliance, Level 1 merchants need to:
- File an annual Report on Compliance (ROC) through a Qualified Security Assessor, which is an external auditor. If signed by a company officer, an internal auditor can file the ROC. The PCI SSC recommends the internal auditor to have an Internal Security Assessor (ISA) certification.
- Submit a completed Attestation of Compliance (AOC) form.
- Complete and pass quarterly network scans to be conducted by an Approved Scan Vendor (ASV).
Level 2 categorization applies to merchants with between 1 million and 6 million real-world payment card transactions per year across all channels.
For PCI compliance, Level 2 merchants need to:
- Submit an ROC based on a completed Self-Assessment Questionnaire (SAQ)
- Submit an AOC form annually
- Complete and pass quarterly network scans by an ASV
A merchant with transactions across all channels totaling between 20,000 and 1 million falls under Level 3.
Requirements for compliance include the following:
- A complete SAQ
- Submission of an AOC form annually
- Completing and obtaining evidence of passing quarterly vulnerability scans conducted by an ASV
Sellers processing less than 20,000 payment transactions in a year are considered Level 4 merchants.
To ensure PCI compliance, Level 4 merchants should:
- Complete an SAQ every year
- Submit a completed AOC form annually
- Conduct and pass quarterly network scans by an ASV
How to Become PCI Compliant
Being PCI compliant helps companies process payment cards, including debit and credit cards, and store sensitive cardholder information to prevent data security breaches. Organizations dealing with the five major credit card companies should validate PCI compliance quarterly and annually. Depending on the compliance levels, companies have to adhere to different sets of standards and requirements.
That said, here is a simple step-by-step guide to help you get started:
Find out the PCI level of your organization
This will be based on the total number of transactions you processed in a 12-month period. Your PCI level will determine the requirements you need to fulfill to be PCI compliant.
Create a map of systems, connections and data flow
To protect sensitive information, you need to be aware of where it is located and how it moves. Determine the points of transactions, how data is handled within the company and what technologies or systems are involved in the transactions. The company’s IT and security teams should work hand-in-hand for the completion of this step.
Build a secure network and check security protocols
After mapping out data flows and touchpoints, companies need to ensure that the right security protocols and controls are in place. This is where the 12 PCI DSS requirements apply.
Complete an SAQ
The Self-assessment Questionnaire (SAQ) a merchant should use depends on the type of business. SAQs include yes-or-no questions that will help businesses determine whether they meet the PCI DSS requirements. The PCI SSC released guidelines to help merchants figure out which SAQ is applicable.
Submit annual ROC and AOC
To remain PCI compliant, merchants need to submit an Attestation of Compliance (AOC) form every year. This document confirms the result of an assessment based on the SAQ or a compliance report. The Report of Compliance (ROC) for Level 1 merchants should be conducted by a Qualified Security Assessor (QSA). The PCI SSC has a list of QSA companies.
Complete and pass quarterly network scans
It is also crucial for companies to pass their quarterly network scans. These should be conducted by an Approved Scan Vendor (ASV). Merchants can find ASV companies using the PCI SSC website.
Benefits and Potential Setbacks
Some companies may see the 12 compliance requirements as expensive and time-consuming to fulfill. It takes comprehensive planning and preparation. Proper execution is also necessary. However, complying with the PCI DSS comes with multiple benefits, not only for the merchant but also for customers. Additionally, non-compliance comes with repercussions.
Benefits of Compliance & Risks of Non-Compliance
- Prevent security breaches: PCI compliance helps companies strengthen their cybersecurity strategies and reduce the risks of data breaches. More than just a checklist that will tag a company as PCI compliant, the PCI DSS is a proven way to block external attacks.
- Avoid fines: While PCI compliance is not mandated by federal law, some states like Washington, Nevada and Minnesota require it. It may also be required depending on contracts with credit card companies. Additionally, a data and information breach can result in hefty penalties.
- Improve customer confidence: While consumers may not be well-informed about what it takes to be PCI compliant, knowing that security protocols are in place can help boost their confidence in doing business with a merchant.
- Improve brand reputation: Brand reputation can help make or break a company. Maintaining an untarnished reputation is a must to gain customers’ trust. Avoiding data breaches can help with this.
- Global compliance: The PCI DSS is accepted globally as a security framework. That means organizations operating internationally only need to comply with the PCI requirements and they can process card transactions around the world without worrying about different security standards in various countries.
- Provides a baseline security standard: Organizations can use the PCI DSS as a baseline when creating a security program. It can serve as a guide on where to begin and what is necessary to protect cardholder data.
- Peace of mind: Lastly, PCI compliance offers peace of mind. Merchants that follow the guidelines set by the PCI SSC have the assurance that data breaches are less likely to happen to them.
Risks and Consequences of Being Non-compliant
- Face fines and penalties: Credit card companies can mandate PCI compliance. That means non-compliance can result in fines and penalties. The amount will depend on the volume of transactions and clients, how long it has been non-compliant and the PCI compliance level it should be on. Penalties can range from $5,000–$100,000 monthly.
- Data exposure: Not having the necessary security systems and protocols can expose customer data to fraud. Unscrupulous parties target cardholder information to conduct identity theft and other fraudulent activities.
- Possible compensation costs: Non-compliant merchants and organizations may need to compensate clients for identity theft insurance and credit card monitoring. These can result in huge expenses.
- Tarnished brand reputation: If a company experiences data theft and breaches, its reputation will suffer irreversible damage. Consumers will be less likely to trust the company with transactions.
- Revenue loss: A tarnished reputation can lead to fewer sales and lower revenue. Clients may decide to move their business to another company.
- Forensic audits: Upon a security breach, a forensic examiner will conduct an investigation. The organization has to provide compliance documents. If the data breach is due to non-compliance, regulatory bodies can impose penalties.
PCI Compliance FAQs
PCI compliance can be a confusing topic, especially for those who have never gone through it before. MoneyGeek spoke with industry leaders to provide expert insights on the topic.
- What legal repercussions can a company face if there are data breaches due to non-compliance with PCI DSS?
- Can clients request a higher level of compliance than what a company is qualified for? What are the repercussions of doing this?
Founder & CEO of Pillar Wealth Management LLC
COO and Co-founder of Laika
Associate Professor of Computer Science and Challey Scholar at North Dakota State University
MoneyGeek also breaks down other relevant concepts and terms that can help companies better understand PCI compliance in the following pages.
- How Credit Cards Work: This page provides a simple guide to better understand credit cards and how they work. It also discusses credit card security issues.
- The Best Secured Credit Cards for Your Wallet in 2023: This page talks about credit card security and provides tips on how to find the right secured credit card. Additionally, it ranks the top options for secured cards.
- Your Rights as a Credit Card Holder: This page talks about credit card fees and rates, how to handle sudden changes and things that could go wrong. It also includes steps a person should take to solve certain issues.
- Credit Report Security Freeze: On this page, MoneyGeek gives a detailed guide on what an individual has to do if they think they are a victim of identity theft. It also discusses the pros and cons of freezing a credit report.
- Identity Theft Protection Companies: MoneyGeek reviewed the biggest identity theft services and provided tips to help consumers shop for identity theft protection.
- Protect Your Kids from Identity Theft: Children can be vulnerable to identity theft, but parents can take some steps to help protect them. MoneyGeek breaks down the signs of identity theft and provides tips on what to do in the event of suspected identity theft.
About Nathan Paulus
- PCI DSS Guide. "What are PCI Service Provider Compliance Levels." Accessed November 16, 2021.
- PCI Security Standards Council. "Requirements and Security Assessment Procedures." Accessed November 16, 2021.
Editorial Disclosure: Opinions, reviews, analyses and recommendations are the author’s alone and have not been reviewed, endorsed or approved by any bank, credit card issuer, hotel, airline, or other entity. Learn more about our editorial policies and expert editorial team.
Advertiser Disclosure: MoneyGeek has partnered with CardRatings.com and CreditCards.com for our coverage of credit card products. MoneyGeek, CardRatings and CreditCards.com may receive a commission from card issuers. To ensure thorough comparisons and reviews, MoneyGeek features products from both paid partners and unaffiliated card issuers that are not paid partners.