PCI DSS compliance is crucial when taking card payments. From global behemoths to tiny food stalls, every merchant that accepts credit card payments (offline and online) is required to comply with PCI DSS requirements. Designed to reduce the “attack surface” of e-commerce websites – the total number of points through which attackers can enter – they play an important role in safeguarding payment security. Read on to find out more about PCI assessment requirements and see the PCI compliance checklist.
What is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standards. They are a set of general practices – governed by the major credit card companies – intended to ensure cardholder information is transmitted, stored, and handled securely. They set out the technical and operational requirements for any organisation that accepts or processes payment transactions, as well as manufacturers and developers involved in the production of devices or applications that are used in these transactions.
Do I need to worry about PCI requirements?
If you’ve ever explored PCI, you’ll know how difficult it is to get a handle on the scope of PCI DSS requirements. However, it’s relatively easy to work out what you need to do. Simply put, adherence to PCI requirements is not dictated by the volume of transactions; if you take card payments or financial information is entered on, stored on, or passes through your site, compliance is mandatory.
On the other hand, you don’t need to worry about adhering to PCI DSS requirements if your site never comes into contact with payment data at any point (i.e. your customers are directed to your payment service provider or payment gateway) or your customers make payments using iFrame (i.e. your customer’s payment details go directly to your payment service provider or payment gateway).
It’s also important to note that the specific PCI assessment requirements you need to meet are determined by the size of your business:
Level 1 – 6 million+ transactions per year
Level 2 – 1 to 6 million transactions per year
Level 3 – 20,000 to 1 million transactions per year
Level 4 – Less than 20,000 transactions per year
Why is PCI compliance important?
Data security is non-negotiable for e-commerce companies. If you’re asking customers to input their financial information on your website, they need to be able to trust you. Data breaches can destroy that trust and could pose a real threat to the continued success of your business. Over the past few years, the number of data breaches in the United Kingdom has risen substantially. Almost one third (32%) of businesses and two out of every 10 (22%) charities experienced a data breach or attack in 2019, according to the government’s Cyber Security Breaches Survey 2019. Bottom line? This isn’t a theoretical issue – it happens to companies just like yours every day, making adherence to PCI DSS requirements extremely important.
What happens if you fall out of compliance?
While PCI DSS is not a law, it is enforced by contracts between merchants, banks, and payment brands. There are a number of potential consequences that can result from non-compliance with PCI assessment requirements, including:
Fines – After a breach, non-compliant websites can be forced to pay hefty fines by regulators.
Suspension of credit cards – If you experience a data breach, PCI regulators can revoke your ability to accept credit card payments.
Mandatory forensic examination – You may be required to undergo an expensive and time-consuming forensic examination.
GDPR regulation – Under GDPR, failure to report a breach of personal information within 72 hours can lead to heavy fines.
Liability for charges of fraud – It’s possible that you will be liable in a fraud lawsuit if your customer’s sensitive data has been stolen.
Credit card replacement costs – The cost of reissuing credit cards (including shipping, communication, and activation) may be passed onto you by card issuers.
Notification and credit monitoring – You may be required to inform all customers of a security breach, as well as provide affected customers with credit monitoring services.
Reassessment for PCI compliance – Finally, you may need to undergo a complete PSI reassessment in order to regain the ability to accept credit cards.
PCI Compliance Checklist
There are 12 PCI DSS requirements that are organised into six different control objectives. To get a handle on data security, ensure that you’re covered for every item on this PCI DSS compliance checklist:
Build and Maintain a Secure Network and Systems
Install and maintain a firewall configuration to protect cardholder data
Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder data
Protect stored cardholder data
Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Protect all systems against malware and regularly update anti-virus software or programs
Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Restrict access to cardholder data by business need to know
Identify and authenticate access to system components
Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Track and monitor all access to network resources and cardholder data
Regularly test security systems and processes
Maintain an Information Security Policy
Maintain a policy that addresses information security for all personnel
We can help
By using a trusted payments provider like GoCardless, you’ll never need to worry about touching sensitive financial information. Find out how GoCardless can help you with ad hoc payments or recurring payments.