Today’s businesses must accept credit cards to stay competitive in the marketplace. With card fraud, identity fraud and data theft on the rise, maintaining a safe environment for payment card transactions is of the utmost importance. Mishandling this information can lead to customers mistrusting merchants and financial institutions as a whole.

Payment card industry (PCI) compliance helps ensure the security of each one of your business’s credit card transactions. Whether you are a startup or a global enterprise, your business must be compliant with 12 operational and technical requirements to protect your customers’ cardholder data and your reputation as a reliable company. Here’s everything you need to know about PCI compliance and why it matters.

What Is PCI Compliance?

To help mitigate card payment fraud, the major card brands founded the PCI Security Standards Council (PCI SSC) in 2006 to maintain a common set of requirements ensuring that every company that processes, stores or transmits credit card data keeps it in a secure environment. (The first version of the standard predates the Council: the brands published it in late 2004.) The SSC provides the framework, supporting documents, tools and training resources that help businesses safely accept payment card data.

The standards grew out of the card brands’ separate merchant-security programs and were unified so that a merchant faces one set of rules rather than one per brand. Those requirements, known as the Payment Card Industry Data Security Standard (PCI DSS), apply wherever cardholder data is present, whether a physical point-of-sale terminal, a call center or an e-commerce site, and they form the core of every card brand’s compliance program for merchants and service providers.

PCI compliance standards help prevent fraudulent activity and limit the damage of data breaches by keeping the cardholder’s sensitive financial information secure. Cardholder data that is stored or transmitted without these controls is far easier to steal, and stolen card data feeds card-not-present fraud, account takeover and identity fraud.


Benefits of PCI Compliance

Getting an organization, especially a small business, up to PCI compliance can be an intimidating task. At first glance, the seemingly endless list of rules and regulations is overwhelming. The benefits of safeguarding cardholder data, however, far outweigh the cost of implementing and maintaining the compliance requirements.

To begin with, PCI compliance is an industry mandate: merchants agree to it in their contracts with acquiring banks and processors, and those who fall short can be fined for violating those agreements and for negligence. More importantly, those without it are far more exposed to data breaches that result in theft or fraud. Compliance does not guarantee that your systems are secure, but it establishes a baseline of controls that substantially reduces the chances of a breach. It only takes one high-profile security breach to cost your customers’ loyalty, sink your reputation as a brand and erode the public’s trust in your ability to keep sensitive credit card information safe. Beyond the reputational damage, breaches can result in lawsuits, insurance claims, canceled merchant accounts, payment card brand fines and government fines.

PCI compliance also contributes to the safety of the global payment ecosystem as a whole. It is an ongoing process, not a one-time certification, and it aids in preventing future security breaches. During the first six months of 2020, there were 36 billion records exposed through data breaches, and financial motivation accounted for the vast majority of them. Continual safeguarding of cardholder data helps ensure that consumers do not suffer financial loss.


Requirements for PCI Compliance

PCI compliance standards require merchants to consistently adhere to the PCI Standards Council’s guidelines, the PCI Data Security Standard (PCI DSS). The standard is organized into 12 high-level requirements, each broken down into detailed sub-requirements and testing procedures (for the 3.x series these are commonly counted as 78 base requirements and more than 400 test procedures; the exact counts change between versions). The 12 key requirements are:

  1. Install and Maintain a Firewall Configuration to Protect Cardholder Data: A correctly configured firewall restricts traffic between untrusted networks and every system in the cardholder data environment (CDE). The requirement covers a documented rule set, a current network diagram showing all cardholder data flows and periodic review of the rules, not merely having a firewall installed.
  2. Do Not Use Vendor-Supplied Defaults: Most routers, modems, point-of-sale (POS) systems and other third-party products ship with default usernames, passwords and settings that are simple to guess or published on the internet. Before a system enters the cardholder data environment, businesses must change these defaults, remove or disable unneeded default accounts and services, and keep an inventory of every in-scope system so that none is overlooked. (Routine password rotation belongs to requirement 8, not here.)
  3. Protect Stored Cardholder Data: The most important requirement on the list. Store cardholder data only where there is a documented business need, and never store sensitive authentication data (full magnetic-stripe or chip data, card verification codes, PINs) after authorization, even encrypted. Wherever the primary account number (PAN) is stored it must be rendered unreadable, by strong encryption, truncation, tokenization or a strong one-way hash (keyed, under PCI DSS v4.0), and when displayed it must be masked so that at most the first six and last four digits are visible. Regular scans for cleartext PANs in logs, backups and databases confirm that nothing has leaked outside these controls.
  4. Encrypt Cardholder Data in Transit: Similar to requirement 3, cardholder data sent over open, public networks (the internet, wireless, cellular) must be protected with strong cryptography such as a current version of TLS, and PANs must never be sent unprotected through end-user messaging such as email or chat.
  5. Use and Maintain Anti-Malware Software: Anti-malware (antivirus) software is required on all systems commonly affected by malware, including the workstations, laptops and mobile devices that interact with primary account numbers (PANs). It must be updated regularly, run periodic scans, generate audit logs and must not be disabled by users.
  6. Develop and Maintain Secure Systems and Software: Firewalls, anti-malware software, databases, POS terminals and applications need security patches as vulnerabilities are published; PCI DSS expects critical patches to be applied within one month of release. Software written in-house must follow a secure development process, and public-facing web applications must be protected by code review or a web application firewall.
  7. Restrict Access to Cardholder Data by Business Need to Know: Access to cardholder information should be granted strictly on a “need to know” basis, with systems defaulting to deny. Staff members, executives and third parties who do not need access to this data should not have it.
  8. Identify and Authenticate Access: Every user must have a unique user ID and credentials; shared or generic accounts are prohibited. This makes every action attributable to an individual, which is what makes an investigation possible after a breach. Multi-factor authentication is required for administrative access to the cardholder data environment and for all remote access into the network.
  9. Restrict Physical Access: Physical access to systems and media holding cardholder data must be restricted, for example to a secured room with locked cabinets, with visitor controls and logs. Media must be classified, tracked and securely destroyed when no longer needed, and POS devices must be inventoried and inspected for tampering or substitution.
  10. Log and Monitor All Access to Network Resources and Cardholder Data: Audit trails must link every access to cardholder data, every administrative action and every authentication event to an individual user, recording who, what, when, where and whether it succeeded. Clocks must be synchronized, logs protected from alteration, reviewed at least daily (automated tools are expected) and retained for at least a year with three months immediately available. The log records themselves must not contain cleartext PANs, or they become a new store of cardholder data subject to requirement 3.
  11. Regularly Test Security Systems and Processes: Internal and external vulnerability scans are required at least quarterly and after any significant change, with external scans performed by an Approved Scanning Vendor (ASV); penetration tests at least annually; quarterly checks for rogue wireless access points; intrusion detection; and change-detection (file integrity monitoring) on critical files. Even the best security systems are subject to misconfiguration, human error and newly discovered vulnerabilities, and only continuous testing finds these gaps.
  12. Maintain an Information Security Policy: A written security policy that covers all personnel, reviewed at least annually, backed by an annual risk assessment, security awareness training, an incident response plan and oversight of the service providers with whom cardholder data is shared.
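Requirement 3 above asks for two concrete things a practitioner has to build: a way to find cleartext PANs that have leaked into logs or dumps, and a way to render stored PANs unreadable. The following is an added example, not code from the PCI SSC or from this article's author, showing both in Python. The log lines are constructed for the demonstration, and the HMAC key is a placeholder standing in for a key that would in practice live in an HSM or key management service.

```python
"""Added example: PAN discovery and rendering unreadable (PCI DSS Requirement 3).
Sample data is constructed; the key below is a placeholder, not a real key."""
import hashlib
import hmac
import re
from typing import List

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not glued onto a longer digit run on either side.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check. Cuts false positives from timestamps, order and
    transaction IDs, which are digit runs of PAN-like length but fail the check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking permitted by Requirement 3: at most the first six and
    last four digits visible, everything between replaced."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def keyed_hash_pan(pan: str, key: bytes) -> str:
    """Render a PAN unreadable for storage with a keyed one-way hash (HMAC-SHA256).
    An unkeyed hash is not enough: once the six-digit BIN is known, a 16-digit
    PAN has only about 10^9 Luhn-valid values, trivial to enumerate offline."""
    digits = re.sub(r"\D", "", pan)     # normalize so "4111 1111 ..." hashes like "41111111..."
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def find_pans(text: str) -> List[str]:
    """Scan free text (application logs, database dumps, mail spools) for
    Luhn-valid PAN candidates. Hits are returned already masked so the
    scanner's own report does not become another store of cleartext PANs."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            hits.append(mask_pan(digits))
    return hits


# Constructed sample: one debug line leaked a full card number; the other
# digit runs (order ID, transaction ID, a mistyped card) must not be reported.
SAMPLE_LOG = """2024-05-01T12:00:01Z order=20240501123456 status=ok
2024-05-01T12:00:02Z DEBUG raw_request card=4111 1111 1111 1111 exp=12/27
2024-05-01T12:00:03Z txid=1234567890123 amount=19.99
2024-05-01T12:00:04Z card=4111111111111112 rejected
"""

if __name__ == "__main__":
    for hit in find_pans(SAMPLE_LOG):
        print("cleartext PAN found:", hit)
    # Placeholder key: in production this comes from an HSM or KMS, never source code.
    print("stored form:", keyed_hash_pan("4111111111111111", b"placeholder-key")[:16], "...")
```

The scanner deliberately reports only masked values and the hash helper normalizes separators before hashing, so the same card always maps to the same token whether it arrived as "4111 1111 1111 1111" or "4111111111111111". Running this against a copy of the logs before they leave the cardholder data environment is the kind of "regular scan for unencrypted data" the requirement calls for.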

Frequently Asked Questions

Who must be PCI compliant?

Any company that accepts, transmits or stores cardholder data, including merchants of every size and the service providers (payment gateways, hosting providers, managed security providers) that handle the data on their behalf. The amount of validation work scales with transaction volume: the card brands assign merchant levels, and smaller merchants typically complete a Self-Assessment Questionnaire (SAQ) while the largest undergo an annual on-site assessment by a Qualified Security Assessor (QSA).

Who mandates PCI compliance?

The Payment Card Industry Security Standards Council, founded by the major card brands (American Express, Discover, JCB, Mastercard and Visa), publishes and maintains the standard. The Council itself does not enforce it: each card brand runs its own compliance program, and the obligation reaches merchants through their contracts with acquiring banks and payment processors, which can impose fines, higher fees or loss of card acceptance for non-compliance.

Is PCI compliance required by law?

No single federal law requires PCI DSS compliance; the obligation is contractual. However, the Federal Trade Commission (FTC) enforces the FTC Act’s prohibition on unfair or deceptive practices, and it has brought actions against companies whose inadequate data security exposed payment card data, and several U.S. states have written parts of PCI DSS into their data-protection statutes. A breach of cardholder data can therefore bring regulatory action on top of contractual penalties.

Who has to comply with PCI standards?

According to the PCI SSC, all participating Payment Brand members have PCI compliance programs to protect their users’ payment card account data. These members include American Express, Discover, JCB International, Mastercard, UnionPay and Visa.