If you’re wondering how to be PCI compliant, you’ve come to the right place. In our complete guide, we’ll walk you through the PCI Data Security Standard and how it can safeguard your business, as well as your customers’ data.
After all, with worldwide card fraud costing over £23 billion ($32 billion) in 2020 alone, it certainly pays to protect yourself. Let’s dive in.
To fully understand how to be PCI compliant, it first makes sense to explore the aim behind this security standard’s creation.
First established in 2004, the Payment Card Industry Data Security Standard (PCI DSS) is a set of information security requirements for any organisation that stores, processes or transmits cardholder data belonging to the major card brands.
With the aim of improving the security surrounding cardholder data, the standard reduces the risk of credit card fraud for businesses and customers alike. Since 2006, the PCI standard has been administered by the PCI Security Standards Council, in conjunction with the major card brands responsible for the standard’s creation.
In essence, the PCI DSS is a list of requirements you must undertake to ensure your customers’ cardholder data is safe. To be PCI compliant, you must follow these requirements and record proof of their implementation, earning greater security for you and your customers in turn.
As we’ve seen from the statistics on card fraud above, when it comes to cardholder data, the importance of protecting your customers cannot be overstated. Nevertheless, despite the crucial protection that PCI compliance provides, the security standard is not in itself a legal requirement.
Instead, the need to be PCI compliant is mandated contractually by the card brands. In return for using their payment networks, Visa, Mastercard, American Express and the other brands expect you to meet the PCI DSS requirements, and your acquiring bank passes that obligation on to you in your merchant agreement.
If these requirements aren’t followed, and an organisation is non-compliant, the consequences can be dire.
For instance, non-compliant organisations are not only more exposed to a breach, they are also likely to incur penalties. These can include monthly non-compliance fines from your acquiring bank or, in the worst case, the withdrawal of your ability to take card payments at all. It could cost you thousands.
What’s more, whilst credit card details are usually categorised as financial data, they also fall under the definition of personal data. This means that if you experience a breach due to non-compliance, you may face legal proceedings as well.
If you're an organisation based in the US, this could mean enforcement action under state law. In the UK, you could come up against the Data Protection Act. In the EU, a fine under GDPR isn’t unheard of. A recent example of such a penalty in the UK was Currys PC World owner Dixons Carphone, which was fined £500,000 by the Information Commissioner’s Office for serious security failings.
There are two necessary factors to be PCI compliant:
With these two factors in mind, let’s break down the twelve requirements of how to be PCI compliant with some examples.
Since the standard’s inception, there have been twelve requirements for achieving compliance, each of which falls under one of six objectives. The objectives are as follows:
Think of it like this: the above are six major goals that should be completed to achieve greater cardholder data security. The twelve requirements are simply each of these six goals broken down into smaller, more manageable tasks. You must fulfil each of these requirements and record proof of how you do this in order to be PCI compliant.
Unfortunately, there is no one size fits all process when it comes to fulfilling these requirements. A lot depends on the size of your company and existing procedures.
What’s important is that you analyse these requirements against your organisation’s current practices and policies. If you find yourself coming up short, it’s time to develop a plan so you can tick every requirement off the list.
For example, the first of the twelve requirements, installing and maintaining a firewall (network security controls), may lead you to engage a specialist in firewall hardware or software. By contrast, the second requirement, replacing vendor-supplied default passwords and other default security settings before a system goes live, is something your own organisation and employees can usually handle.
One of the most recent developments in online payment processing is the use of live web chat. Like any other customer contact channel, if you choose to take card payments over live chat, it must be secured against the possibility of a data breach - not only for the sake of PCI compliance, but for you and your customers’ peace of mind.
Like any other payment channel, processing card payments through live web chat falls under the second and fourth objectives outlined by the PCI SSC: protecting cardholder data and implementing strong access control measures.
Organisations that use live web chat to process card payments must ensure their customers’ cardholder data is protected, utilising technologies such as credit card masking, so that a full card number typed into the chat is concealed rather than stored in the transcript. It’s features like these that not only help you to be PCI compliant, but also build brand trust.
It goes without saying that there’s a lot to take into account when it comes to web chat best practices, but nothing is as important as providing a secure experience for your customers.
Let’s take a look at a case study of how to make live chat PCI compliant.
With over a million card payments taken each year, Healthspan is the UK’s leading direct supplier of supplements and vitamins. After updating their website, Healthspan were keen to upgrade their chat capabilities too, assisting their customers in real time with any questions and queries.
As a PCI Level 2 retailer that handles over a million transactions every year, Healthspan needed to ensure their card payment processes complied to the PCI standard. To do so, Healthspan adopted Talkative’s PCI compliant live chat.
Now, any sensitive data customers share with Healthspan is automatically concealed by Talkative’s credit card masking features. This means that customers’ cardholder data never even touches Talkative’s systems and servers, so Healthspan can remain assured that no card data exists within Talkative’s systems at any time. In turn, Healthspan is not only able to be PCI compliant, but they’re also able to further the confidence their customers have in their services.
To find out more on this subject, read the full case study.
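To make the masking idea above concrete, here is an added example of what client-side card masking for a chat box can look like. It is illustrative code written for this guide, not Talkative’s implementation or any code from the Healthspan case study. It assumes the chat front end calls a `maskPans` function on each message before the text is sent, so that a full primary account number (PAN) never leaves the browser. Candidate numbers are checked with the Luhn algorithm so that order numbers and phone numbers are left alone, and only the last four digits of a genuine card number survive (within the first-six/last-four limit that Requirement 3 sets for displayed PANs).

```javascript
// Added example: mask card numbers (PANs) typed into a chat message before
// the message is sent, so the full PAN never reaches the chat server.
// Illustrative code only; not the vendor's implementation.

// Luhn checksum (ISO/IEC 7812). Returns true for a well-formed PAN.
// Used so that ordinary long numbers (order references, phone numbers)
// are not masked by mistake.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48; // '0'..'9' -> 0..9
    if (d < 0 || d > 9) return false;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Candidate PANs: 13 to 19 digits, optionally separated by spaces or hyphens.
const PAN_PATTERN = /\b(?:\d[ -]?){12,18}\d\b/g;

// Replace every Luhn-valid candidate with a masked form that keeps only the
// last four digits. Non-card numbers are returned unchanged.
function maskPans(text) {
  return text.replace(PAN_PATTERN, (match) => {
    const digits = match.replace(/[ -]/g, "");
    if (!luhnValid(digits)) return match;
    return "*".repeat(digits.length - 4) + digits.slice(-4);
  });
}

// Example usage on constructed chat lines (4111 1111 1111 1111 is a
// well-known test PAN, not a real card).
const SAMPLE_MESSAGES = [
  "my card is 4111 1111 1111 1111, exp 12/26",
  "can you look up order 1234567890123 for me?",
];

function maskAll(messages) {
  return messages.map(maskPans);
}
```

In a real deployment the same check would also run on the server side, since a customer can bypass browser-side code; the point of doing it in the browser is that a well-behaved client never transmits the PAN in the first place, which is what keeps the chat platform out of scope for storing cardholder data.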
Now that we’ve developed an understanding on how to be PCI compliant, next we’ll look at an equally crucial step in the process: proving your organisation is compliant.
While any organisation that takes card payments must comply with the PCI’s requirements, not all organisations need to provide the same level of validation or auditing. In fact, the level of auditing most organisations need won’t even require an onsite visit.
Overall, the card brands define four merchant levels, based on how many card transactions an organisation processes each year. These levels then determine the type of validation an organisation will need to undertake.
Only Level 1 merchants, which under the Visa and Mastercard programmes means those processing over six million card transactions a year, must complete an annual Report on Compliance (RoC), conducted onsite by a Qualified Security Assessor (QSA) qualified by the PCI SSC. A RoC is a complete report reviewing your organisation’s cardholder data security, which can also help you to fix potential vulnerabilities, as well as provide evidence of your PCI compliance.
These RoCs can also be completed by an Internal Security Assessor (ISA), should your organisation have one.
Although RoCs are often only completed by larger organisations, if your organisation has suffered a data breach in the past, your acquiring bank and payment card provider may insist on such a report, just to make sure everything’s in tip-top shape.
For most other organisations, validation can be achieved through the completion of a self-assessment questionnaire (SAQ), which, for the SAQ types that cover internet-facing systems, is backed up by a quarterly external vulnerability scan from a PCI Approved Scanning Vendor (ASV). These SAQs and scan reports are submitted to your acquiring bank and payment card provider for approval, demonstrating that you are PCI compliant.
In total, there are nine separate SAQs available, each aimed at a different card-processing environment. For instance, merchants who deal exclusively in e-commerce and fully outsource payment pages will need a different SAQ from businesses that only use a single chip-and-PIN terminal, and those in turn differ from organisations that store cardholder data on their own systems.
The best way to decide which SAQ is right for you is to check with your acquiring bank and payment card provider. For example, both Visa and Mastercard feature information on their websites regarding their respective PCI DSS policies, and both include subtle policy differences that may apply to your organisation. Make sure you double-check!
Now that we have an understanding of the various methods of auditing, let’s take a look at the four levels of organisation size. Where does your organisation fit in, and what auditing level do you need to be PCI compliant?
When looking at how to be PCI compliant, deciding how much you should budget will depend greatly on your organisation’s size and location.
For example, Level 1 organisations in the UK can expect to spend over £50,000 a year to be PCI compliant. This usually covers complex vulnerability scans and penetration tests, as well as RoCs and auditing. Meanwhile, large organisations in the US might need to pay over $70,000 a year. That said, both of these figures can balloon higher still, especially if any security issues are detected.
On the other end of the scale, small Level 4 organisations might hardly need a PCI budget at all. Certain merchant account providers like PaymentSense charge £4.95 or €4.95 a month for you to be PCI compliant. In the US, services like Intuit will charge between $35-$100 a year. Some providers like Square will even handle your PCI compliance for free.
The key to determining how much it will cost you to be PCI compliant comes down to two factors: identifying your organisation’s level and fixing your compliance gaps as early as possible. However much it will cost to audit and validate your compliance, you don’t want to fall short by failing to meet requirements at too late a stage. This will only cost more in the long run, and the peace of mind you’ll attain from securing your organisation is priceless.
So there we have it, our complete guide on how to be PCI compliant! Remember: this is just the first step in securing your customers’ cardholder data - the first step of many. Ultimately, as the PCI Security Standards Council suggests, PCI compliance is a continuous process. After you’ve become PCI compliant, your next job is to maintain that compliance for years to come.
This may sound daunting, but by understanding that PCI compliance is not only necessary but helpful to your organisation, you can simplify the steps we’ve outlined to create a continuous action plan and always stay on top.
First, focus on identifying compliance gaps. Develop a plan of action. Then, with your plan implemented, make sure you record your proof of validation ready to be reported. It’ll make less work for the next time you review your policies and procedures. Getting used to this kind of thinking will make sure your PCI compliance is consistently maintained and updated. It’ll keep your organisation and your customers safe.