
The Green Sheet Online Edition

November 27, 2022 • Issue 22:11:02

What is PCI compliance?

By Gary W. Glover

PCI DSS stands for the Payment Card Industry Data Security Standard. The PCI DSS is a set of guidelines, or controls, that businesses should follow to keep their data secure and protect themselves against a data breach. In order to work with major credit card companies, you must be PCI compliant.

PCI compliance controls cover firewalls, password security, ecommerce security, protecting stored cardholder data, malware protection, antivirus software and more. The purpose of the PCI DSS is to help businesses protect against data theft and the repercussions of data theft such as fines, damaged reputation and possible closure of a business.

Ecommerce is a particularly attractive target for threat actors. In recent primary research, SecurityMetrics found that 88.89 percent of Shopping Cart Inspect reviews identified malicious, suspicious and/or concerning issues on the ecommerce sites examined. One of the main updates in the new PCI DSS 4.0 standard is the addition of ecommerce security controls.

How do you know if you need to be PCI compliant? 

The short answer is if your business accepts or processes payment cards, you need to be PCI compliant. Regardless of the size of your business or how many transactions you do, if your organization collects, transmits, maintains or transfers card data, you must comply with the PCI standard.

Per the following guidelines, the number of transactions you do each year will determine what your PCI compliance validation requirements are:

  • Level 1: Merchants that process over 6 million card transactions per year
  • Level 2: Merchants that process between 1 million and 6 million card transactions per year
  • Level 3: Merchants that process between 20,000 and 1 million ecommerce card transactions per year
  • Level 4: Merchants that process up to 1 million regular card transactions per year

The more transactions you process, the stricter the PCI validation requirements will be, so a Level 1 business will face stricter requirements than a Level 4 business.

What happens if you are not PCI compliant?

The penalty for not being compliant ranges from fines (some of which can reach in the millions of dollars), reputational damage, decreased sales, no longer being able to accept major credit cards and, in some cases, the loss of the business.

How do you become PCI compliant? 

PCI compliance can take time. You will need to get an assessment, implement controls, gather documentation and keep updating your security. While there are concrete steps to becoming PCI compliant, it's not a one-time job. Staying PCI compliant requires ongoing effort, so it is more a mindset of security than a checklist.

PCI compliance is a large and complex task that will most likely require assistance. In addition to your own efforts to become compliant, you can always reach out to experts for help as you go through this process.

What are the benefits of PCI compliance?

Ensuring that your business is secure has many benefits. Of course, it helps you avoid fines, lawsuits and loss of customer trust, but it also gives you peace of mind. It is normal for people to protect the things that are most valuable to them, whether that is family, friends, or perhaps a nice car or a treasured heirloom.

When thinking about the amount of time, energy, money and people it takes to build and maintain a company, it makes sense to do what you can to protect that investment from possible damage or even destruction.

The PCI standard can seem overwhelming or even annoying, but it was designed to help business owners and stakeholders protect their investments in their respective organizations. Becoming PCI compliant will help you maintain security and gain peace of mind about your organization.

Gary Glover, vice president of assessments at SecurityMetrics, began his career with a master's degree in mechanical engineering. In that field, he worked as an aerospace engineer on classified government projects, helped with the design of the International Space Station, and worked with NASA and Russian engineers on a Mars rover design. Later, when Glover was working in software development, his neighbor and SecurityMetrics CEO Brad Caldwell invited him to work in the cybersecurity sector, where he has been ever since. Contact him at gglover@securitymetrics.com or 801-705-5643, ext. 5643. For information on SecurityMetrics, visit www.securitymetrics.com.
