PCI Compliance: What Is It and Why Should You Care?


No matter how many credit card payments your business accepts, even if it’s only a handful each month, it's critical that you protect customers’ sensitive data.

Credit card fraud is a global problem for companies both big and small. It resulted in $24.26 billion in losses in 2018 alone. That’s projected to increase by $10 billion over the next three years as scammers invent new ways to defraud businesses. And the U.S. is ground zero. Of the payment fraud committed last year, 38.6% was perpetrated on Americans.

The last thing your business needs is to fall victim to payment fraud or suffer a reputation-bruising data breach. That’s where the Payment Card Industry Data Security Standard (PCI DSS) comes in.

Created by a consortium of credit card companies including American Express, Discover, JCB International, MasterCard, and Visa, PCI DSS is a set of guidelines aimed at protecting businesses and their customers from payment fraud. The PCI Security Standards Council is led by an executive committee composed of representatives from each of the founding companies and strategic members.

What Businesses Need to Know About Payment Standards

The PCI DSS was created in 2006, but it’s more relevant today than ever, particularly as the use of digital payments explodes. The guidelines help to prevent consumer data, such as credit card account information and Social Security numbers, from falling into the hands of hackers or other cybercriminals.

All businesses that accept, process, store and transmit credit card information are required to comply with the standards or face fines. The rules apply to everyone and cover six areas:

  • Rule 1: The card processing network has to be secure. That means the business owner has to install and maintain a firewall to protect cardholder data from hackers. Businesses are also prohibited from using vendor-supplied default passwords, which can be easily cracked.
  • Rule 2: The credit card data of customers has to be protected at all times. Fighting payment fraud is ongoing, requiring small businesses to remain vigilant. In order to be in compliance, the business has to show how it is protecting stored cardholder data. It also has to encrypt any cardholder data being transmitted across open and public networks.
  • Rule 3: Network and computer systems have to be protected from malware and other security vulnerabilities. A common entry point for hackers is a network with security holes caused by out-of-date software. To keep hackers out, companies are required to use anti-virus software and apply updates and patches as needed. It’s also incumbent on the small business to develop and maintain secure systems and applications.
  • Rule 4: Employee access to cardholder data has to be controlled. A lot of payment fraud happens internally, whether as a result of employee carelessness or outright theft. To keep employees from having ready access to customer credit card numbers, businesses have to restrict access to cardholder data. They also have to track each individual who does have access.
  • Rule 5: Monitor and test networks on a regular basis. Tracking and monitoring is a key part of PCI DSS. The cost of compliance rises as businesses engage in regular tests of their security systems and processes. But it's necessary to ensure the network is secure.
  • Rule 6: Have a security policy on the books and maintain it. Protecting cardholder data from hackers can’t be a "set it and forget it" situation. Cyber-criminals are constantly evolving, so security policies need to evolve with new threats. Under PCI DSS, companies have to have policies that address IT security for both employees and contractors. Those policies have to be updated on a regular basis in order to stay in compliance with the standards.

However, while all businesses that accept credit card payments must comply with the rules, there are levels of compliance depending on how many credit card transactions your business processes. The fewer credit card transactions, the fewer requirements to prove you are meeting the standards.

Take Visa for one example. Merchants who process fewer than 20,000 Visa eCommerce transactions and fewer than 1 million Visa transactions per year would fall under Level 4 compliance, which is the least stringent. They are required to complete an annual self-assessment questionnaire and conduct a network scan each quarter. Merchants processing more than 6 million Visa transactions annually face the strictest compliance requirements, falling under Level 1. Those businesses are required to file an annual report on compliance and conduct a quarterly network scan.

Running afoul of PCI DSS will cost your business, but it won't get you in legal trouble in most states. That said, there are a few states that have regulations on the books that require companies to meet components of PCI DSS.

Take Minnesota’s Plastic Card Security Act as one example. It places the burden on the business accepting payment if there’s a data breach and sensitive data that’s prohibited from being stored under PCI DSS is accessed. That means the business accepting credit card payments, not the card issuer, has to pay the expenses associated with blocking payment cards and issuing new ones.

Nevada’s encryption law requires compliance with PCI DSS for any business that accepts payment cards. And Massachusetts’ new law puts limits on the data companies can collect, as well as requiring that security and data encryption policies be kept in writing.

Regardless of the state your business is operating in, there are fines for not meeting the requirements of PCI DSS. They vary based on the level of non-compliance, but in general, fines can range from $5,000 to $100,000 a month until the compliance issues are corrected. If the problems aren't fixed, the business might lose the ability to accept card payments altogether.

Compliance and Validation Help At the Ready

With small businesses facing the prospect of a hefty fine for running afoul of PCI DSS, it's no wonder so many business owners are losing sleep over it. One misstep and your customers’ credit card information may not only fall into the hands of hackers, but you could also risk damaging your relationship with your payment provider. The good news is that the standards have ushered in an industry of support to ensure compliance.

Through partnering with trusted advisors, small businesses can ensure they are in compliance and get advice on how to create impenetrable networks. Instead of worrying about whether or not a hacker will infiltrate the firewall, they get peace of mind knowing they are meeting all of the standards set forth in the PCI DSS directives.

Maintaining compliance through secure systems does require an upfront investment on the part of a business owner. But doing so can be significantly less costly than falling victim to a hack or data breach that shakes customers’ confidence, or worse, sends them running to a more secure competitor.

The views expressed by the authors are not necessarily those of Fifth Third Bank, National Association and are solely the opinions of the authors. This article is for informational purposes only. It does not constitute the rendering of legal, accounting, or other professional services by Fifth Third Bank, National Association or any of its subsidiaries or affiliates, and is provided without any warranty whatsoever. Deposit and credit products provided by Fifth Third Bank, National Association. Member FDIC.