Data security is essential for any modern business. If you accept card payments, every system that stores, processes or transmits cardholder data, whether your own or a payment provider's, must meet the security requirements established in the Payment Card Industry Data Security Standard (PCI DSS).
These standards are maintained by the PCI Security Standards Council, founded in 2006 by the five major card brands: American Express, Discover, JCB (Japan Credit Bureau), MasterCard and Visa. The council manages the standard so that every brand's compliance program rests on one common set of requirements rather than brand-specific rules.
So what exactly is PCI compliance and why does it matter for your business?
How PCI Compliance Works
PCI compliance reduces the risk that card data is stolen in transit or at rest, and it gives businesses of all sizes a concrete checklist for securing their own transactions. It is a baseline, not a guarantee: a compliant business can still be breached.
The standard consists of 12 requirements, grouped under six goals:
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
In addition, the card brands define four merchant levels based on the number of transactions your company processes over a 12-month period. The level determines how you must validate compliance (a self-assessment or a formal assessment), not which requirements apply.
- Level 4: This is the lowest level, and applies if you process fewer than 20,000 e-commerce transactions a year. Your team completes a Self-Assessment Questionnaire (SAQ) and an Attestation of Compliance (AOC), and quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) are required where you have internet-facing systems in scope. The fee is relatively low, around $60 a month.
- Level 3: If you process between 20,000 and 1 million e-commerce transactions a year, validation is still by SAQ, but your costs can rise to as much as $1,200 annually.
- Level 2: When you reach 1 to 6 million annual transactions, your cost gets into the range of $10,000 to $50,000 a year, depending on the size of your network and the number of IP addresses that must be scanned.
- Level 1: This is the highest level and applies when you process more than 6 million transactions a year, or when a card brand assigns it to you (for example after a breach). Instead of an SAQ you must have a Qualified Security Assessor (QSA) produce an annual Report on Compliance (ROC), and the price tag will likely be above $50,000. Storing cardholder data, writing your own payment code or running your own payment servers does not change your level, but it does change which SAQ applies and how much of the standard is in scope: the more of the card flow you handle yourself, the more requirements you must meet at every level.
PCI Compliance in the World Today
Though knowledge of PCI compliance standards is becoming more pervasive throughout the business community, there is still much work to do.
First, the good news: Between 2011 and 2016, the share of companies at full PCI compliance rose substantially. Sixty-seven percent of those compliant companies treated compliance as an ongoing initiative with a set structure and goals rather than a one-off fix, and 70 percent were rolling it out in a phased approach.
But the rosy picture ends there. Figures from 2017 pointed to a decline, with just 52.5 percent of businesses fully compliant (down from 55.4 percent the previous year). The U.S. lagged behind the rest of the world at a mere 39.7 percent of companies fully compliant, against 46.4 percent in Europe and an impressive 77.8 percent in Asia Pacific.
Also of concern is the fact that a full third of businesses still see PCI compliance as a once-a-year housekeeping task, and 18 percent try to tackle it without establishing a formal compliance program or internal structure of any kind.
Why It Matters to You
There are many compelling reasons for your company to be PCI compliant.
- Trust. Your potential customers want to know one thing before they click “buy” and entrust their credit or debit card to you: that your site is secure. In an era marked by data breaches and identity theft, PCI compliance is an essential foundation for this relationship and assures your audience that their data is in good hands.
- Cost. Breaches not only damage reputations, but they also cost real money. Between lost sales while you fix the problem, an exodus of customers who no longer have faith in your security, and the fees and fines levied by card brands and acquirers, a breach can be a real blow to your business. The fines alone can run to $10,000 a month or more, depending on the size of your company and the scope of the violation.
Where Do I Start with PCI Compliance?
The road to PCI compliance can be long and winding, but here are some basic tenets to get you started:
- Embrace the PCI three-step process: assess (inventory where cardholder data lives and identify where you are vulnerable), remediate (fix the issues and stop storing data you don't need), and report (submit the required SAQ or ROC and AOC to your acquirer and card brands).
- Keep cardholder data out of your environment. If you don't need it, don't keep it around; in particular, sensitive authentication data such as the card verification code and full magnetic-stripe or chip data may never be stored after authorization. Tokenization lets your systems hold an opaque token that stands in for the card number, so the primary account number (PAN) itself never lives on your servers, and the portion of the standard you must validate shrinks accordingly.
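The following toy token vault is an added example for this article, not Poynt's code. It shows the property that tokenization gives a merchant: the checkout and order systems keep only a random token and a masked display value, and the only way back to the PAN is a lookup inside the vault, which in practice lives with the payment provider. The class and function names, the `tok_` prefix, the in-memory storage and the test card numbers are all assumptions; a real vault also encrypts PANs at rest.

```python
"""Toy token vault illustrating why tokenization takes PANs off merchant systems.

Added example, not Poynt's code. Names, the "tok_" prefix and the in-memory
storage are assumptions; a real vault lives with the payment provider and
encrypts PANs at rest under a key the merchant never sees.
"""
import re
import secrets
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Luhn check, used here to reject obvious typos before anything is vaulted."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form permitted by PCI DSS Requirement 3: at most first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Stand-in for the payment provider's token service.

    Only the vault can map a token back to a PAN; the merchant holds tokens
    and masked values only.
    """

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a plausible card number")
        # Same PAN -> same token, so a merchant can still recognise a returning card.
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        # Random token: it carries no information about the PAN, so there is
        # nothing to "decrypt"; the only way back is a lookup in this vault.
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Provider-side only: merchant code should never have a path that calls this."""
        return self._pan_by_token[token]


@dataclass(frozen=True)
class MerchantOrderRecord:
    """Everything the merchant's own database is allowed to keep about the card."""
    order_id: str
    token: str
    display: str  # masked PAN for receipts and support screens


def take_order(vault: TokenVault, order_id: str, pan: str) -> MerchantOrderRecord:
    """Called at checkout: the PAN is exchanged for a token and then discarded."""
    token = vault.tokenize(pan)
    return MerchantOrderRecord(order_id=order_id, token=token, display=mask_pan(pan))


_DIGIT_RUN = re.compile(r"\b\d{13,19}\b")


def contains_pan(text: str) -> bool:
    """Scope check for logs or exports: True if any Luhn-valid 13-19 digit run is present."""
    return any(luhn_valid(run) for run in _DIGIT_RUN.findall(text))


if __name__ == "__main__":
    vault = TokenVault()
    # 4111111111111111 is a well-known Luhn-valid test number, not a real card.
    record = take_order(vault, "order-42", "4111111111111111")
    print(record)
    print("merchant record contains a PAN:", contains_pan(repr(record)))
```

Two design points matter for scope. The token is random rather than derived from the PAN, so a stolen table of tokens is worthless without the vault; and `contains_pan` is the kind of check you would run over logs, database exports and support tickets, because a single full PAN that leaks into those places pulls them back into your cardholder data environment.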
Poynt’s comprehensive platform provides integrated payment processing that saves time, eliminates redundancy, and reduces the PCI compliance burden on your business.