All entities that process, store or transmit cardholder data must comply with the Payment Card Industry Data Security Standard (PCI DSS), a global mandate from the card brands. While the validation requirements vary by compliance level, compliance itself is mandatory for any business that accepts payment cards.
PCI DSS gives merchants a tangible framework for identifying and addressing the threats and vulnerabilities to payment card data that could lead to a breach. It holds merchants accountable for securing their own environment, and for the business policies (or lack of them) and employee actions that lead to a data breach.
The PCI Security Standards Council does not audit individual businesses to verify that the standard is being met; enforcement is left to the card brands and the acquiring banks, and the consequences of non-compliance can be grave. If a breach occurs and the post-breach investigation determines that the business was not compliant at the time, it faces fines and fees (assessed by the card brands and passed down through its acquirer) as well as reputational damage and customer attrition.
PCI compliance requirements
There are 12 overarching requirements for PCI DSS compliance:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
The PCI compliance levels
There are four levels, or tiers, of PCI compliance, and merchants are assigned to one based on their card transaction volume (credit, debit and prepaid) over a 12-month period; Level 1 is the highest-volume tier and Level 4 the lowest, and each card brand defines its own thresholds. If a merchant suffers a breach that results in account data compromise, the card brands may move it to a higher level (Level 1 being the most stringent), which carries more rigorous validation requirements.