Blog
October 3, 2023

PCI DSS Compliance: Do You Need it, The 12 Requirements & How To Test For It

Let’s take a look at what PCI DSS compliance involves and how you can make sure you’re abiding by the PCI requirements.

Key Points:

  • PCI DSS (Payment Card Industry Data Security Standard) compliance is crucial for merchants and service providers handling payment card transactions to safeguard customer payment data and prevent breaches.
  • Compliance involves adhering to 12 PCI DSS requirements, covering areas like network security, encryption, vulnerability management, access control, monitoring, and information security policies.
  • PCI compliance applies to any entity that stores, processes, or transmits cardholder data. This includes all businesses accepting card payments, except for cash-based businesses. Non-compliance can result in fines, increased transaction fees, and reputational damage.

In a world where cash is no longer king, protecting your customer’s payment data has become imperative.

Whether you’re a merchant or a service provider, you must ensure you’re complying with PCI DSS regulations or you could be facing heavy penalties.

Let’s take a look at what PCI compliance involves and how you can make sure you’re abiding by the 12 PCI DSS requirements.

What is meant by being PCI DSS compliant?

The PCI DSS (Payment Card Industry Data Security Standard) was established in 2006 to ensure payment data is protected when transactions are made, preventing malicious entities from getting their hands on customer information.

All merchants or service providers handling payment cards must be compliant with PCI DSS. Although it’s not a law, the standard is regarded globally as the guideline when it comes to payment card regulations.

To comply with PCI DSS, you’ll need to follow the 12 requirements laid out by the PCI SSC (Payment Card Industry Security Standards Council), which is made up of the five major payment card brands: Mastercard, Visa, American Express, Discover, and JCB.

It’s important to comply with PCI DSS, otherwise you could face fines, higher transaction fees, and a negative impact on your company’s reputation.

What are PCI DSS standards?

Each payment card brand sets its own individual requirements, but essentially there are four PCI merchant levels. The level you fall into depends on how many card transactions you process each year:

  • Level 1: More than 6 million annual payment card transactions
  • Level 2: Between 1 million and 6 million annual payment card transactions
  • Level 3: Between 20k and 1 million annual payment card transactions
  • Level 4: Fewer than 20k annual payment card transactions

Regardless of the level you fall into, you must abide by the 12 PCI DSS requirements to ensure you’re PCI compliant. They are split into six different categories:

1. Build and maintain a secure network and systems

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

2. Protect account data

  1. Protect stored cardholder data
  2. Encrypt transmission of cardholder data across open, public networks

3. Maintain a vulnerability management program

  1. Use and regularly update anti-virus software or programs
  2. Develop and maintain secure systems and applications

4. Implement strong access control measures

  1. Restrict access to cardholder data by business need-to-know
  2. Assign a unique ID to each person with computer access
  3. Restrict physical access to cardholder data

5. Regularly monitor and test networks

  1. Track and monitor all access to network resources and cardholder data
  2. Regularly test security systems and processes

6. Maintain an information security policy

  1. Maintain a policy that addresses information security for employees and contractors
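Requirement 3 (protect stored cardholder data) starts with knowing where primary account numbers (PANs) actually live, including places they should never be, such as application logs. The following is an added example written for this article, not code from the original page or from Metomic: it scans text for PAN candidates, keeps only those that pass the Luhn check so that order numbers and phone numbers are not reported as card data, and masks hits to the first six and last four digits, which is the most PCI DSS allows to be displayed. The log lines are constructed sample input; the card numbers in them are the well-known Visa and Mastercard test numbers, not real accounts.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run (avoids matching slices of long IDs).
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Constructed sample log; 4111... and 5500... are public test card numbers.
SAMPLE_LOG = """\
2023-10-03T12:00:01 INFO  checkout started order=1234567890123456 phone=+44 20 7946 0958
2023-10-03T12:00:02 DEBUG card=4111 1111 1111 1111 exp=12/26
2023-10-03T12:00:03 INFO  payment token=tok_9f8e7d6c5b4a
2023-10-03T12:00:04 DEBUG retry card=5500-0000-0000-0004
"""


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN to first six and last four digits (PCI DSS display limit)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _digits_only(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def _is_pan(candidate: str) -> bool:
    digits = _digits_only(candidate)
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


@dataclass
class Finding:
    line_no: int   # 1-based line in the scanned text
    masked: str    # masked PAN, safe to put in a report


def find_pans(text: str) -> list[Finding]:
    """Report every Luhn-valid PAN in the text, never the full number itself."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            if _is_pan(m.group(0)):
                findings.append(Finding(line_no, mask_pan(_digits_only(m.group(0)))))
    return findings


def redact(text: str) -> str:
    """Return the text with every Luhn-valid PAN replaced by its masked form."""
    def repl(m: re.Match) -> str:
        raw = m.group(0)
        return mask_pan(_digits_only(raw)) if _is_pan(raw) else raw
    return PAN_CANDIDATE.sub(repl, text)


if __name__ == "__main__":
    for f in find_pans(SAMPLE_LOG):
        print(f"line {f.line_no}: PAN found -> {f.masked}")
    print(redact(SAMPLE_LOG))
```

Run against the sample, the scanner flags lines 2 and 4 only: the 16-digit order number on line 1 fails the Luhn check and is left alone, and the token on line 3 is never a candidate. The same `redact` function is the kind of filter you would put in front of a log sink so that a PAN that slips into a debug statement never reaches storage in clear text.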

Who does PCI compliance typically apply to?

Any merchant or service provider that accepts or processes card payments must comply with PCI DSS.

The PCI guidelines state: ‘The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to cardholder data. If you accept or process payment cards, PCI DSS applies to you.’

You’ll only be exempt if you’re a cash-based business, and don’t take card transactions.

How do you know whether your business is PCI compliant?

Once you’ve understood the level you fall into and the standards you’ll need to comply with, you should undertake a self-assessment to see whether your business is abiding by the PCI requirements. With a self-assessment in place, you’ll be able to see where your weaknesses lie and where you can improve when it comes to PCI DSS compliance.

The PCI Security Standards Council website (https://www.pcisecuritystandards.org/merchants/) has many useful guides to help you better understand PCI compliance and how to perform a self-assessment.

You should also establish who in your organisation is responsible for ensuring you’re compliant with PCI DSS. Having an individual or team responsible for managing your compliance means it won’t be overlooked.

Sheree Buller Lim, Head of Product at Metomic, says, “Testing your systems regularly to understand where your compliance might be slipping is key. You’ll want to understand if your anti-virus software is working effectively, and if data is encrypted when it’s in transit to be fully PCI compliant. If you find that you’re not, there could be serious consequences, so it’s something to keep on top of, all year round.”

What happens if you don’t comply with PCI DSS?

You could end up paying fines that range from $5k to $100k per month to the payment card providers. How much you pay will depend on the level you fall into and the circumstances behind the non-compliance. For instance, companies in the Level 1 category will likely pay out a lot more than those in the Level 4 category. Fines are also dependent on the severity of the breach: if data was breached and it took a long time to fix the issue, you could end up with a heavier fine.

For example, in 2017, British Airways was fined $229 million for a data breach that affected 500,000 customers.

You’ll also lose the trust of your customers who are expecting you to protect their sensitive data. Reputational damage could hurt you long-term, even after you’ve paid the monetary penalties. If your clients find that you’ve put their data at risk, they’re likely to take their business elsewhere.

How can Metomic help a business become PCI compliant?

There are a few ways Metomic can help businesses become PCI compliant:

  • We give you full visibility and control over financial data held in your SaaS apps like Google Drive, Slack, and Jira
  • We help you put access controls in place, limiting over-exposure of sensitive information
  • We help you identify where sensitive data is stored and who has access to it
  • We help reinforce PCI DSS compliance by sending employee notifications to your staff when they share sensitive data within SaaS apps

To see how we’ve helped others protect sensitive data in the financial sector, check out our most recent case study with Zappi.
