PCI DSS Compliance – is it a requirement?

August 9, 2021

What does PCI DSS compliance mean?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements intended to ensure that all companies that process, store, or transmit credit card information maintain a secure environment when processing credit card payments. Being PCI DSS compliant means meeting those requirements.

What is PCI SSC?

The Payment Card Industry Security Standards Council (PCI SSC) is a global forum originally formed by payment brands Visa, Mastercard, American Express, Diners and JCB International. It was created to manage the evolution of PCI DSS.

Who must be PCI DSS compliant?

PCI DSS applies to all entities that process, store and/or transmit cardholder data. It covers technical and operational system components included in or connected with cardholder data. If you are a merchant who accepts or processes payment cards, you must comply with PCI DSS.

The 12 PCI DSS Requirements

The 12 requirements of PCI DSS are:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use software vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update antivirus software or programmes.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need to know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security for all personnel.


How do you comply with PCI DSS?

You must ensure that you meet all 12 requirements stated above and follow the steps below:

  1. Remove sensitive authentication data and limit data retention.
  2. Protect network systems and be prepared to respond to a system breach.
  3. Secure payment card applications.
  4. Monitor and control access to your systems.
  5. Protect stored cardholder data if you are allowed to store it.
  6. Finalise compliance process and ensure all controls are in place.

Do I have to pay for PCI DSS compliance?

If you are a merchant who is processing transactions, you are required to be PCI DSS compliant. Some acquiring banks do charge a PCI DSS compliance fee and some do not.

However, the Cardstream gateway is fully PCI DSS Level 1 compliant. This means that if you process transactions through our hosted solutions, we ensure that you, the merchant, remain PCI DSS compliant, which takes away the inconvenience of having to pay extra fees.


What if you are not PCI DSS compliant?

Non-compliance and the compromise of cardholders’ security data can lead to adverse consequences, including monthly penalties, data breaches, legal action, damaged reputation and revenue loss.

The benefits of being PCI DSS compliant

1. Prevention of data and security breaches

PCI DSS compliance requires multiple layers of security through accurately configured firewalls and a continuously evolving IT security strategy based on threat monitoring and systems updates. Cardstream handles these for its Partners and merchants.

2. Reduction in fraud risk

Due to stringent data management and compliance measures, PCI DSS compliant businesses such as Cardstream are a less inviting target for suspicious and fraudulent activity by cyber criminals and other malicious individuals.

3. Building trust

Ecommerce is built on a foundation of trust. Your customers trust that you will securely transmit and process their sensitive cardholder information in compliance with PCI DSS standards. Meeting the international standards for secure network payments is an important way of building and protecting your reputation, one of your business’s most valuable assets.

4. Helps meet global standards

The PCI DSS regulations were initiated by five of the world’s leading credit organisations (as mentioned above) in order to provide a mandatory level of protection for consumers by ensuring that merchants meet minimum levels of security when they process, store, and transmit cardholder data. Achieving PCI DSS compliance allows you to take your place among other international retailers and businesses who are committed to data security and protecting consumers.


I’m a small business owner with only a small volume of transactions – is PCI DSS compliance necessary?

Every business needs to be PCI DSS compliant. Anyone processing a transaction needs to be PCI DSS compliant.

Am I responsible for a PCI DSS Self-Assessment Questionnaire (SAQ)?

Yes, depending on the size of your business you are responsible for ensuring your own PCI compliance by filling out a PCI DSS Self-Assessment Questionnaire.

What are the PCI DSS compliance levels and requirements?

  • Level 1: Merchants that process over 6 million card transactions annually. Cardstream is Level 1 PCI compliant.
  • Level 2: Merchants that process 1 to 6 million transactions annually.
  • Level 3: Merchants that process 20,000 to 1 million transactions annually.
  • Level 4: Merchants that process fewer than 20,000 transactions annually.

Do organisations using third-party payment processors have to be PCI DSS compliant?

It is advisable to be PCI DSS compliant as it means transactions are more secure and cost efficient. If you haven’t proved you are PCI DSS compliant through an SAQ or audit, you are likely to be charged a non-compliance fee by your acquiring bank.

For more information about PCI DSS, contact solutions@cardstream.com