What is PCI compliance? A must-read guide for businesses.

Tillie Demetriou
4 Jul 2024

6,845,908,997. That's the number of known business records breached in the last year, according to a recent report. Crazy, right?

In today's digital world, keeping customer data safe is more important than ever. If you run a retail or hospitality business that accepts credit card payments, you categorically need to know about (and be taking the steps towards) PCI compliance.

It's not just some techie jargon. It's an absolute must for protecting your customers and your business. 

So, let's break it down. We'll make it simple, easy to understand, and even a bit interesting.

What is payment card industry compliance?

Payment Card Industry (PCI) compliance means following the rules set by the credit card companies to make sure credit card transactions are secure.

Basically, PCI compliance means meeting specific technical and operational standards that protect cardholders' credit card data while transactions are being processed. It's all about keeping that card info safe from hackers and thieves.

Now, there are three main groups involved in making this happen:

Credit card networks

First, we have the credit card networks—think Visa, MasterCard, American Express, Discover, and JCB. These big players set the rules for PCI compliance and want to ensure that every transaction is secure. (They don't like surprises, especially expensive ones.)

The PCI Security Standards Council

Next, there's the PCI Security Standards Council (PCI SSC). This global forum brings together payments industry stakeholders to develop and drive the adoption of data security standards. They write the playbook that everyone has to follow to keep credit card data safe.

Merchant account providers or payment processors

Finally, we have the merchant account providers or payment processors. These are the people who handle the transactions between your business and the card networks. They make sure everything runs smoothly and stays secure. (They're almost like the bouncers at the door of your online store, keeping out the riffraff.)


Check out our blog on payment processor vs payment gateway to grasp the differences between these crucial roles in secure payment processing.

The 12 PCI compliance requirements

Back in 2006, when businesses were getting serious about using the internet, the Payment Card Industry Data Security Standard (PCI DSS) was born. It was a response to companies shifting their payment systems online, connecting physical and virtual terminals wirelessly.

Fast forward to today: the current version of PCI DSS, version 4.0, released in 2022, lays out 12 key requirements. These are designed to ensure businesses keep cardholder data safe and secure. Here's a rundown of what they entail:

1. The use and maintenance of firewalls

Think of a firewall as a sturdy wall around your computer network, keeping out unwanted visitors like hackers and malware. It decides who gets in and who doesn't. You can get firewalls from cybersecurity companies or as part of security software.

2. PCI DSS password requirements

When it comes to passwords, think strong and unique. PCI DSS requires passwords that are hard for others to guess, so skip the simple, easy-to-crack ones like "123456" or "password." Change them regularly, use capital letters and special characters, and don't share them with anyone who doesn't need to know. These rules help keep your accounts safe from unauthorized access and stop sensitive information from falling into the wrong hands.

3. Protect stored cardholder data

Now, this one's a biggie. If you're a business that stores credit card information, protecting it is super important. You've got to make sure that data is safe and private at all times. To do this, use encryption (we'll get onto this a little more in our next requirement) or other security measures to lock it down tight. Only let authorized personnel access this sensitive info, and keep a close eye on who's got access.

4. Encrypt your customers' card data 

When we talk about encryption, we're basically talking about scrambling up information into a code that only authorized people can unscramble. This process ensures that even if someone intercepts the data as it travels over the internet, they can't read it without that special key. Encrypting your customers' card data adds an extra layer of security, keeping their information safe from prying eyes.

5. Implement anti-virus programs 

These programs constantly scan your devices for any signs of malware (those sneaky viruses that can wreak havoc on your system) and detect and remove viruses, spyware, and other malicious software that could compromise your data security.

Not sure where to get this? Some of the most popular antivirus programs are Norton AntiVirus, McAfee, Avast, and Bitdefender. Start comparing features and see which works best for you.

6. Update PCI compliance software and security systems

It's all well and good getting security software, but just like any other tech, you have to keep it updated. Just as you update your smartphone to fix bugs, add new features, and make it more secure, you need to do the same with your PCI compliance software and security systems. These updates help you stay safe from the latest online threats and keep your customers' info protected.

7. Restrict access to cardholder data

Not every Tom, Dick, and Harry should have access to sensitive credit card info. Use strong passwords and strict controls to limit who can see it. This stops unauthorized access and keeps customer data safe from prying eyes. By restricting access, you're ensuring that sensitive information remains confidential and secure.

8. Assign unique IDs for access

Give everyone their own unique ID for getting into the credit card info. That way you can trace every action back to one person, which keeps things organized and safe. Only the right people get in, and everything stays under wraps and secure.

9. Restrict physical access 

Lock up places where credit card info is kept like it's Fort Knox. Use strong locks and access controls on doors and cabinets. Only give keys or codes to trusted employees who really need them. Keep a log of who enters these areas and when, so you always know who has access.

10. Monitor access logs

Keep tabs on who's snooping around your credit card info. Check access logs regularly to catch any funny business early. Use security software that alerts you to suspicious activity, so you can investigate right away and fix any issues.
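Requirements 3 and 10 both depend on knowing whether card numbers have ended up somewhere they should not be, such as application or access logs. As an added example (not the article's or Epos Now's own code), the Python below scans a few constructed log lines for anything shaped like a primary account number, confirms each hit with the Luhn check that genuine card numbers pass, and reports it masked to first six plus last four. The log lines, the masking width and the field names are assumptions for the example; the card numbers are publicly documented test numbers, not real accounts.

```python
import re
from typing import Dict, List

# Constructed sample log lines for this example (test card numbers, not real accounts).
SAMPLE_LOG = [
    "2024-07-04 09:12:01 user=jane action=refund order=1234567890123456 status=ok",
    "2024-07-04 09:12:07 user=checkout-svc DEBUG card payload: 4111 1111 1111 1111 exp=12/26",
    "2024-07-04 09:13:44 user=bob action=lookup token=tok_8f3a masked=411111******1111",
    "2024-07-04 09:15:02 user=support note: customer read out 378282246310005 over the phone",
]

# 13 to 19 digits, optionally split by single spaces or dashes, not part of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check that every genuine card number passes; weeds out order IDs and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold two-digit results
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six (BIN) and last four; assumption: that is the display format your rules allow."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_unmasked_pans(text: str) -> List[str]:
    """Return every Luhn-valid PAN found in free text, with separators stripped."""
    pans = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Report line number and masked PAN for every unmasked card number in the log."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for pan in find_unmasked_pans(line):
            findings.append({"line": lineno, "masked": mask_pan(pan)})
    return findings
```

Running `scan_log(SAMPLE_LOG)` flags lines 2 and 4 only: the order number on line 1 fails the Luhn check and the already-masked value on line 3 never matches, so the report itself never repeats a full card number.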

11. Regularly test your security processes and systems

Give your security setup a workout regularly. Test for weak spots and fix 'em up fast. Use software tools that scan for vulnerabilities and simulate attacks. Fix any problems you find quickly and update your security measures as needed to stay one step ahead of cyber threats.

12. Document policies to comply with PCI

Create clear policies that outline how your business will protect cardholder data. Include procedures for data encryption, strong access control measures, and employee training. Keep these policies updated and make sure all employees understand and follow them. Regularly review and revise your policies to meet the latest PCI standards and address any new POS security concerns.

Payment processing made simple for your business

Take payments with our integrated payment processing solution with no hidden transaction fees - anytime, anywhere! All Epos Now Payments terminals are PCI compliant through our innovative encryption technology. 

How to become PCI compliant?

You now know the 12 requirements - yay! Next, here are some steps you're going to need to take so that you're actually following these requirements to a T.

Understand all the PCI levels 

PCI compliance levels are like different levels of responsibility based on how many credit card transactions your business handles each year. Here's a quick breakdown:

  • Level 1: Over 6 million transactions per year.
  • Level 2: 1 to 6 million transactions per year.
  • Level 3: 20,000 to 1 million transactions per year.
  • Level 4: Less than 20,000 transactions per year.

Knowing your level helps you understand which specific security rules apply to your business size.

Fill out the PCI self assessment

The PCI Self Assessment Questionnaire (SAQ) is a form that asks you questions about how you handle credit card data. It helps you check if you're following the right security rules. There are different SAQs for different types of businesses, so find the one that matches your operation.

Address any security concerns

After filling out the SAQ, you might find areas where your security needs improvement. Maybe you need to set stronger passwords because your birthday isn't quite cutting it. Or perhaps you need to update your software to fix bugs that hackers could exploit. Think of it like tightening the bolts on a fence to keep out unwanted visitors: you're making sure your defenses are strong and up to date.

Complete the PCI attestation of compliance (AOC)

Now it's time to dot your i's and cross your t's! The PCI AOC is like your business's report card (it essentially shows that you've aced the security tests and are serious about protecting cardholder data). It's not just paperwork. It's your badge of honor that tells everyone, "Hey, we've got this security thing down pat!" So, fill out those forms, tick those boxes, and proudly display your commitment to keeping data safe from the digital bad guys.

Submit all required documentation

Once you've filled out your SAQ and nailed your AOC, it's time to hit send! Get those documents over to your bank or payment processor.

Keep up to date with PCI compliance requirements

Congratulations! You've nailed down PCI compliance, but the journey doesn't end here. Stay in the loop with PCI compliance updates. Regularly check for new security standards, review any changes, and tweak your defenses as needed. By staying current, you make sure your business remains super safe against cyber threats and continues to earn trust with every secure transaction.

How much is the cost of PCI compliance?

This varies depending on your business size and the complexity of your systems. But IBM shared some very interesting stats that we think you should know:

  • In 2023, the average global cost of a cardholder data breach jumped to USD 4.45 million, up 15% in just three years.
  • After experiencing a breach, 51% of organizations are gearing up to spend more on security. They're focusing on things like improving how they respond to incidents, training their employees better, and getting better tools to detect threats.
  • Companies that really lean into using AI and automation for security save about USD 1.76 million on average compared to those that don't. It's clear that investing in strong security measures not only helps with PCI compliance but also saves a lot in potential breach costs.

Benefits of being PCI compliant 

Let's take a trip back to 2013. Remember when "Thrift Shop" by Macklemore was everywhere, FroYo shops were popping up on every corner, and selfies were the new craze?

But alongside all that fun, something serious was happening: Target, a popular supermarket, got hit hard. Hackers stole 40 million credit and debit card records, and Target had to pay $18.5 million to settle the fallout. This event showed how crucial it is for businesses to protect customer data.

So, what are the benefits of PCI compliance? Well, for starters, it helps businesses dodge data breaches and the hefty bills that come with them. Following PCI standards beefs up your security game, making it tougher for hackers to nab sensitive info.

That means your customers can rest easy knowing their data is locked down tight. And with over 9 in 10 customers worrying about the security of their personal info, being PCI compliant tackles these worries head-on, showing your commitment to keeping their info safe.

Tips to help you adhere to PCI DSS compliance easily

Here are some easy-to-follow tips to help you stay compliant with PCI DSS:

Keep your data storage practices rock solid

Think of your sensitive cardholder info like your prized possessions. You want to keep it locked up tight! Encrypt it when it's sitting still and when it's on the move. Only let trusted team members get near it, and keep a close eye on who's trying to catch a peek. Regularly update your storage policies to stay ahead of any sneaky cyber threats. By treating data security seriously, you not only tick off PCI requirements but also earn major trust points with your customers.

Always check you're up to date with all the paperwork

Papers, papers, papers. Keeping them in order is key for PCI compliance. Stay on top of deadlines for assessments and compliance forms like the AOC. Review and tweak your policies to match any new PCI rules or changes in how you do business. This proactive approach not only makes compliance easier but also shows everyone you're serious about keeping things secure.

Use systems that follow PCI compliance

When it comes to systems, go for ones that play by the PCI rules. At Epos Now, we're all about security. Our POS software is designed with robust security measures in mind. Here's how we ensure compliance:

  • POS Systems: Our point-of-sale systems adhere to PCI DSS standards, ensuring secure processing of transactions and protection of cardholder data.
  • Payment processing: We provide PCI-compliant payment processing solutions that encrypt card data to prevent unauthorized access.
  • Card readers: Our card readers and card machines support secure transactions and comply with PCI standards for data encryption and protection.
  • Regular updates: Epos Now maintains regular updates and security patches across all our systems to stay ahead of potential threats and ensure ongoing PCI compliance.

Choosing Epos Now means choosing security-focused systems that meet the stringent requirements of PCI compliance, providing peace of mind for your business and your customers' data security.

FAQ about PCI-DSS compliance

How do I know if I am PCI compliant?

Go through the PCI Self-Assessment Questionnaire (SAQ) for your business type. If you meet all the requirements, you're good to go!

Is PCI compliance required by law?

Yep, especially if you handle credit card info. It's not just a suggestion, but there are some pretty hefty fines (and potentially jail time) if you don't follow it.

Who falls under PCI compliance?

Any business that processes, stores, or transmits credit card data needs to follow PCI rules. From big retailers to online shops, everyone's in the game.

How much is the PCI compliance fee? 

Fees vary based on your business size and how you process payments. Expect costs for assessments, security tools, and possibly fines if you're not compliant.

What happens if you are not PCI compliant?

Uh-oh. You could face fines from credit card companies, increased risk of data breaches, and loss of trust from customers. Stay compliant—it's worth it!