Understanding PCI Compliance for Businesses


Alex Roha

5 Dec 2022
5 minute read

When a customer pays with a credit or debit card, there is an implicit agreement that the merchant will safeguard the sensitive information stored on that card. And since noncash payments in the U.S. reached 174.2 billion in 2018, a great deal of cardholder data is making the rounds in merchants' systems.

To help ensure the security of card transactions in the financial industry, the Payment Card Industry Security Standards Council (an independent body created by the major card networks) introduced the Payment Card Industry Data Security Standard (PCI DSS) in 2006.

Since then, fintechs have continued to deploy PCI-compliant payment technologies for businesses of all sizes. Companies can rely on secure financial technology, such as third-party POS systems or mobile-enabled card readers like Square, to support their own PCI compliance.

While no formal law requires merchant compliance, it is considered mandatory through court precedent and is enforceable by the major card networks such as Visa, Mastercard, and American Express. For non-compliant merchants, the major card networks may impose more stringent audits, more frequent check-ins, and even hefty penalties.

An updated version of the PCI standard is set to take effect in 2025, so companies are advised to be proactive in keeping up with current compliance standards.

What Are the 12 PCI DSS Requirements?

Businesses must meet 12 essential requirements to satisfy the PCI Data Security Standard. Below is a breakdown of that checklist and what each requirement entails.

  • Install and maintain a firewall to protect cardholder data. Consistently testing network connections and restricting traffic from untrusted networks will help maintain this perimeter.
  • Never use vendor-supplied default passwords or default security settings. Instead, change every default and configure security settings for your own environment.
  • Protect stored cardholder data, including limiting what information is stored and setting policies for the disposal of certain data types.
  • Encrypt cardholder data when transmitting it across open, public networks.
  • Keep antivirus and anti-malware software up to date and ensure it is running and performing its necessary functions.
  • Create security systems and processes that swiftly address vulnerabilities.
  • Restrict access to cardholder data to individuals on a need-to-know basis.
  • Assign a unique user ID to each person who accesses sensitive data areas, and ensure there is a way to authenticate every user.
  • Restrict physical access to cardholder data by monitoring who has access to data hubs.
  • Actively track and monitor all access to cardholder data via audit trails, time-stamp tools, or business logs in order to identify suspicious activity.
  • Test systems regularly. This process could involve vulnerability scans, traffic monitoring, or inventories of wireless access points.
  • Maintain and update an information security policy that is readily available to all personnel.

Steps Toward PCI Compliance

A business must complete three exercises to attain PCI compliance, though the exact process varies by card network:

  • Meet the requirements set out by the Payment Card Industry Security Standards Council.
  • Complete an assessment demonstrating the security of a business's systems and practices. For small businesses and startups, self-assessment is an option.
  • Perform a full scan of the internal payments processing network. This step typically requires an outside firm because of its technical nature.

Businesses fall into one of four merchant levels depending on the volume and nature of their transactions, and they are required to meet the standards of that level annually.

Level one requires the most stringent security measures, while level four requires the least. However, all levels must meet the standard 12 requirements. Companies should first determine which level they fall into in order to plan a compliance strategy properly.

  • Level one: businesses that process more than six million e-commerce transactions annually
  • Level two: businesses that process one million to six million e-commerce transactions annually
  • Level three: businesses that process 20,000 to one million e-commerce transactions annually
  • Level four: businesses that process fewer than 20,000 e-commerce transactions annually, or fewer than 1,000,000 transactions annually across all sales channels (e.g., e-commerce and retail)

Small businesses can choose from several self-assessment questionnaires, depending on the payment setup a company wishes to use. For example, Questionnaire A-EP is for businesses that outsource all payment processing to certified third parties, such as Stripe.

Strategies for Becoming and Staying Compliant

When starting a small business or startup, it's vital to be proactive about security measures for sensitive customer data. The sooner a company identifies its vulnerabilities, the sooner it can reach PCI compliance. Here are some steps to take.

Maintain data hygiene and integrity

  • Safeguard systems that house sensitive data with strong passwords, and keep them updated with software that uses strong encryption. Modern cloud-based systems use notifications to keep users aware of required updates.
  • Purge unnecessary data and duplicates.
  • Opt for digital records. Physical copies of receipts are difficult to secure and maintain; an expense system that supports data security is a more reliable alternative.
  • Use card readers and payment software that are already PCI-compliant. Only use card readers and payment software that the PCI Security Standards Council has validated.
  • Educate employees about the importance of protecting cardholder data.

Read the fine print, and follow it

It's essential to take the self-assessment questionnaire seriously. If data is compromised, the penalty may be steeper, since a business's systems are expected to already have the proper measures in place.

If a business owner or technology leader has questions about certain aspects of the assessment, the PCI council recommends speaking with their payment processor or seeking help from a third-party agency.

Use all-in-one systems for blanketed security

Some business owners cobble together different products and services from various companies to handle financial data. An up-to-date, all-in-one technology stack, by contrast, keeps sensitive information moving through a single, consistently secured set of procedures.

Because these systems are connected, business owners only need to update one technology solution rather than several at different intervals.

The bottom line

In March 2022, the PCI council announced it would update its standard from PCI DSS 3.2.1 to 4.0. The council expects organizations to meet this new level of compliance by March 2025, so there is still a reasonable amount of time to transition, or to start working, toward this standard.

One example of the strengthened requirements is a minimum password length of 12 characters rather than seven. The new document also covers everything from network segmentation and active monitoring to incident reporting and encryption.

If a company accepts card payments, it is expected to maintain compliance. This standard protects businesses and customers from data breaches and from the legal fallout and costs associated with compromised data.
