From basement start-up to international corporation, if a business accepts credit card payments it needs to follow PCI DSS requirements. They may seem complex on the surface, but we’ll start with the very basics in this guide: what does PCI DSS stand for, what is PCI DSS, and how does all this apply to your business?
What does PCI DSS stand for?
PCI DSS stands for Payment Card Industry Data Security Standard. This global standard spells out a list of requirements for organizations to securely handle cardholder information. It was put into place and maintained by five major credit card companies:
This unified standard changes the way businesses accept, store, process, and transmit sensitive financial data. The goal of PCI DSS is to prevent fraud, ward off data breaches, and make credit card processing more secure overall.
Do you need to worry about PCI DSS compliance?
What types of businesses does PCI DSS apply to? If you handle credit cards at any point, you’ll need to understand this standard. PCI compliance applies to sellers at every level, as well as service providers, banks, and nonprofit organizations that handle credit card payments.
One thing to note is that the PCI DSS compliance requirements will differ according to your processing volume. Those who process the highest volume of transactions will need to have more comprehensive safeguards in place, including internal security assessors and scan vendors. PCI DSS defines four levels:
Level 1: 6 million (or more) annual transactions
Level 2: 1 to 6 million annual transactions
Level 3: 20,000 to 1 million annual transactions
Level 4: Under 20,000 annual transactions
If you never handle payment data, you don’t need to worry about PCI DSS compliance. For example, if you use a third-party payment gateway, the gateway would be responsible for PCI compliance. This is because they are the party handling cardholder data.
Requirements for PCI DSS compliance
PCI regulations are broken down into 12 key points:
Use and maintain firewalls: Firewalls prevent outside entities from accessing cardholder data, providing a first line of defense.
Use password protection: Your business should secure all products and systems with unique passwords. These should also be changed regularly.
Protect cardholder data: Use tools including encryption keys to protect cardholder data.
Protect transmitted data: Use encryption when transmitting cardholder data across any channels.
Install anti-virus software: This should be installed on all devices interacting with cardholder data and regularly maintained.
Update software: Stay on top of all required software updates to be sure that security features are up to date.
Restrict access to data: Only necessary staff and relevant third parties should have access to cardholder data.
Use unique IDs for access: For those who do require access to cardholder data, issue individual logins and passwords for added security.
Hold data in a secure location: Restrict physical access to sensitive financial details by locking them away in a secure area of the business.
Log all access: Create an access log where any interaction with cardholder data is written down with a detailed entry.
Test your systems: Businesses should continually be scanning their systems for any vulnerable areas that need improvement.
Document your policies: All employees should have access to clear documentation outlining PCI DSS procedures.
The penalties for non-compliance
PCI compliance isn’t law, but there are strict penalties for businesses that don’t adequately comply. Credit card brands can impose hefty fines on businesses found to violate these regulations. Banks and payment processors might also stop working with your business, because they don’t want to assume the liability of a security breach.
In addition to monetary fines and audits, a brand can suffer significant damage when data breaches occur. Customers will lose trust in your business and its ability to keep their financial details safe, which translates into lost revenue.