What’s PCI and what does it mean to my business?

By Heine Aaen Hansen
On 07 February 2018

I’ll make a guess:

You’ve heard about PCI.

At least, I think there’s a strong probability you have, if you have a business that accepts card payments.

Since, well, you have to comply with the security standards of PCI if you accept as much as one card payment.

But if you’re starting a business, or if you’re not quite sure what this PCI really is, this article is for you.

I’ll take you through what PCI is, why it exists, how you deal with it, and what it really means to your business.

Let’s start with the basics:

PCI DSS is short for Payment Card Industry Data Security Standard and is a security standard that applies to the entire card industry. When people mention PCI, it’s most often the PCI DSS they mean.

The purpose of PCI DSS is to increase security around card payments to consumers globally by ensuring common standards for how companies process card data.

The security standard was developed by the card schemes Visa, Mastercard, American Express, JCB, and Discover.

The standard is maintained by the Payment Card Industry Security Standards Council (PCI SSC) which was founded in 2006. The PCI SSC is responsible for evolving the PCI DSS.

So far, so good.

Now, to whom does PCI DSS apply?

This one is easy, because:

PCI DSS applies to all companies that store, process, transmit or otherwise handle cardholder data.

No matter if you only process one card transaction, you have to comply with the PCI DSS.

And what does compliance with PCI DSS entail?

Well, for a high-level overview, there are 6 overall goals and 12 technical and operational requirements of PCI DSS.

These are:

Build and Maintain a Secure Network and Systems

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Protect all systems against malware and regularly update anti-virus software or programs

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need to know

8. Identify and authenticate access to system components

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for all personnel

If you want to get more technical, the PCI SSC document library (linked at the end of this article) holds the full standard, titled 'PCI DSS', with the 200+ detailed sub-requirements and testing procedures that these 12 requirements expand into.

So, these 12 requirements apply to ALL businesses that somehow deal with cardholder data. How many of the detailed controls you must validate depends on how you handle card data: a shop that hands the whole payment page to a PCI-compliant provider and never touches a card number itself has far fewer controls to demonstrate than one that processes card numbers on its own systems. Either way, you have to comply.
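Requirement 3 is the one most merchants trip over in practice, because card numbers leak into places nobody planned for: application logs, support tickets, crash reports. The standard says a PAN may be displayed with at most the first six and last four digits visible, and must be rendered unreadable wherever it is stored. The Python below is an added example written for this article, not code from Bambora or the PCI SSC. It masks a PAN to the first-six/last-four form and scans a few constructed log lines for unmasked card numbers, using a Luhn check to tell a real card number from a similar-looking reference number. The log lines are constructed, and the card numbers in them are the publicly known Visa and Mastercard test PANs, not real cards.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not glued to other digits on either side.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum.

    Every PAN carries a Luhn check digit, so this separates card numbers
    from order references and other long digit strings that merely look like one.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN for display, showing at most the first six and last four digits.

    That ceiling is the PCI DSS Requirement 3.3 rule; a more permissive
    request is rejected here rather than silently allowed.
    """
    if not (0 <= keep_first <= 6 and 0 <= keep_last <= 4):
        raise ValueError("Requirement 3.3: show at most first six and last four digits")
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a plausible PAN")
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * hidden + digits[len(digits) - keep_last:]


def find_pans(text: str) -> list:
    """Return every Luhn-valid PAN found in text, digits only, in order of appearance."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form; leave other digit runs alone."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_RE.sub(repl, text)


# Constructed log lines for the demo. 4111... and 5555... are the public Visa and
# Mastercard test numbers; 1234567890123 is a 13-digit reference that fails Luhn.
SAMPLE_LOG = """\
2018-02-07 10:01:12 INFO order=1001 pan=4111111111111111 amount=19.99
2018-02-07 10:01:13 INFO order=1002 card=5555 5555 5555 4444 amount=5.00
2018-02-07 10:01:14 INFO order=1003 ref=1234567890123 amount=7.50
2018-02-07 10:01:15 INFO order=1004 pan=411111******1111 amount=2.00
"""


if __name__ == "__main__":
    leaked = find_pans(SAMPLE_LOG)
    print(f"unmasked PANs in log: {leaked}")      # two hits; the ref= value is not one
    print(redact_pans(SAMPLE_LOG))
    print(find_pans(redact_pans(SAMPLE_LOG)))     # [] once redacted
```

Run it as-is to see the two leaked test numbers found and then masked while the 13-digit order reference is left untouched. The same scanner pointed at your real log directories is a cheap first check of whether logs have quietly become cardholder-data storage, which would pull them into scope for Requirement 3.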

PCI compliance

To document that your business complies with the PCI DSS, you have to report your compliance to your acquirer once every year. How you report your compliance differs depending on how many transactions you process per year.

Let me try to give you a quick (and a bit simplified) overview.

If you process more than 6 million transactions per year, you have to have an onsite assessment once a year by a QSA (or by a trained internal assessor, an ISA) and submit a Report on Compliance to document your compliance with the PCI DSS. A QSA is a Qualified Security Assessor, a company certified by the PCI SSC to validate other companies' compliance with PCI DSS.

If you process 1 to 6 million transactions per year, you have to fill in a so-called Self-Assessment Questionnaire (SAQ) once a year to report your compliance. Or you might have to do an onsite audit with a QSA.

If you process 20,000 to 1 million e-commerce transactions per year, you report compliance through the SAQ once a year. This is by far the most common way companies report their compliance, and we'll get back to the SAQ in a minute.

If you process 0 to 1 million retail transactions per year, or 0-20,000 e-commerce transactions per year, it’s up to your acquirer to decide how you report your compliance.

Most businesses, whatever their transaction volume, also have to undertake quarterly external network scans by an ASV (an Approved Scanning Vendor, a company the PCI SSC has approved to run vulnerability scans against other companies' internet-facing systems). Which scans you need depends on your SAQ type: if your payment page is fully outsourced to a PCI-compliant provider and you never touch card data yourself (SAQ A), you have no in-scope systems to scan, but any merchant with internet-facing systems in scope must have them scanned every quarter, and a failing scan has to be fixed and rescanned before you can report compliance. We'll get back to this one in a minute, too.

Okay, there’s no way around it. You have to report your compliance, so your acquirer (and the card schemes) can see that you’re compliant with PCI DSS.

So how do you go about this?

How to report your compliance

We know that PCI can be an intricate affair, so we’ve tried to make it easy for you.

When you use Bambora as your acquirer, you get access to an online tool that helps you manage and report your PCI compliance.

And the best part?

It’s free.

Yeah, since all this PCI business wasn’t your idea, we’ve decided to give you our PCI tool free of charge.

And those quarterly network scans by ASVs?

We’re giving them away for free, too. They’re included in the tool.

So, what does this PCI tool do?

Well, basically, it makes it easy for you to manage everything related to PCI.

Key features include:

  • PCI compliance manager (which guides you through the SAQ step-by-step)

  • Network vulnerability scans (ASV scans)

  • Training and education programs

  • Compliance monitoring

  • Security testing

The tool is user-friendly and designed to help businesses maintain their PCI compliance – and make the process easy.

With the help of our PCI tool, handling your compliance should be a walk in the park.

Now, let’s take a step back and look at what’s at risk if you don’t comply with the PCI DSS.

I’m not going to beat around the bush:

If your business is not compliant with the PCI DSS, you’re running a huge risk that might undermine the foundations of your entire business.

The PCI DSS was put in place to protect consumers and businesses globally. If your business suffers a breach of card data while it is not compliant, the card schemes can levy fines, which your acquirer passes on to you, and on top of that you face the cost of a forensic investigation, the cost of reissuing the compromised cards, and in the worst case the loss of your ability to accept cards at all.

The size of the fine depends on the nature of the breach and how many cards were exposed, so the only safe course is to make sure your business is compliant.

I can only urge you: Do not take the security of your business lightly.

More information?

I hope this article helped you get a better understanding of the PCI DSS standard and how you deal with it.

You can find much more information on the official website of the PCI Security Standards Council right here: https://www.pcisecuritystandards.org/

If you have any questions at all regarding PCI DSS or our free compliance tool, get in touch with us here and we’ll be more than happy to help.

Heine Aaen Hansen

Marketing and content at Bambora. When not writing, I'm reading. Book aficionado, word nerd, and helpless dad.
