PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements designed to ensure that payment card data is captured, transmitted, and stored securely.
In other words, it is a set of rules intended to reduce the risk of fraudsters, hackers, and thieves stealing sensitive cardholder data.
Who does it apply to?
PCI compliance applies to every business that accepts credit or debit card payments, regardless of its size or line of business. Even a small merchant who only takes payments through a mobile card-reader app on weekends is required to meet PCI standards. PCI DSS is one of the most widely applied security standards in the world: it covers millions of merchants, processors, ATM operators, and other service providers.
Who sets the standard and who enforces it?
The Payment Card Industry Security Standards Council (PCI SSC) is the governing body that sets and updates the standard. It was created in 2006 by the major card brands (American Express, Discover, JCB, Mastercard, and Visa) so that the industry would have a single, universal set of rules. The card brands themselves enforce the standard: they require processors to be compliant, require processors to validate the compliance of their merchants, and impose fines when a breach occurs because of non-compliance.
Why do I have to be compliant?
To reduce the chance of a breach that exposes card numbers, and to limit the consequences if one happens. Fines imposed by the card brands after a breach can be extremely costly to your business, and compliance is also typically a condition of any breach-protection coverage your processor offers. In this digital age, every business should want to protect itself. Prepare your business for compliance by visiting the PCI Security Standards Council website or speaking to your payment processor.
My provider is compliant, does that mean I’m compliant?
The short answer is no. Payment service providers are required to validate their own PCI DSS compliance, but merchants remain responsible for the security of everything in their own environment that stores, processes, or transmits cardholder data. A malware-infected computer or a dishonest staff member is all it takes for someone to steal card numbers from your business. We recommend that merchants use as many compliant services as possible that help shift that scope of responsibility to the provider. These include using your provider's card vault (tokenization) instead of storing card numbers yourself, using card readers and terminals that encrypt card data at the point of capture (end-to-end or point-to-point encryption), using hosted payment pages and JavaScript payment libraries that send card data directly to the provider so it never touches your own servers, and any other tools available to keep card data out of your environment. One caveat: only a P2PE solution listed by the PCI SSC qualifies you for the reduced SAQ P2PE; encryption that is not a validated P2PE solution may still reduce risk but does not automatically reduce your PCI scope. And even with a reduced scope, merchants must still complete a self-assessment questionnaire (SAQ) once per year (the SAQ type, such as SAQ A for fully outsourced card-not-present payments, depends on how cards are accepted), plus, for some SAQ types, quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), attesting compliance for whatever remains in scope.
Becoming PCI Compliant
Most payment processors provide a pathway for their merchants to become PCI compliant. Often this involves giving merchants login access to a third-party PCI manager portal, where they complete a once-per-year self-assessment questionnaire (SAQ) and receive an attestation of compliance (AOC), usually presented as a PCI certificate.
However, some payment processors have chosen to turn a blind eye to the compliance of their merchants. This is especially common among payment facilitators that serve smaller merchants. The downside of this approach can be severe for the merchant: in the event of a breach, such as a merchant's computer being stolen with card numbers on it, or a dishonest staff member stealing card numbers, no protection is offered to the merchant.
Helping small businesses become PCI compliant can be cumbersome and expensive, which is likely why some processors prefer to ignore it. But the consequences of non-compliance ultimately fall on the merchant. Choosing a processor that is willing to help you become PCI compliant puts your business in a safer place.
PCI Compliance and Non-Compliance Fees
Fees related to PCI compliance are entirely determined by the payment provider you choose. The card brands (Visa, Mastercard, etc.) do not impose any monthly or annual PCI-related fees; the only charges that originate with the brands are the penalties assessed after a breach, which are levied on the acquirer or processor and passed on to the merchant.
PCI Compliance Fee (with a PCI Program)
Some processors choose to charge merchants for access to their PCI compliance program. This is usually in the form of a monthly, quarterly, or annual PCI compliance fee. Other processors may provide this service without charging additional fees to the merchant.
PCI Compliance Fee (without a PCI Program)
Some processors charge a PCI compliance fee without providing access to any kind of PCI compliance program or portal. This is unfortunately quite common, and it creates a false sense of security: merchants assume that paying the fee has made them compliant when it has not. Any processor charging a fee for a service it does not actually deliver should be viewed as highly suspect in its billing practices.
PCI Non-Compliance Fee
To encourage merchants to complete their annual PCI compliance requirements, some processors charge a non-compliance fee or penalty, usually after 90 days of non-compliance. Merchants need to complete their self-assessment questionnaire to avoid this fee. While unpleasant, the fee is often an effective motivator that raises the rate of PCI compliance and the overall security of merchants.