When a customer pays with a credit or debit card, there is an implicit agreement that the merchant will safeguard the sensitive data stored on that card. And since noncash payments in the U.S. reached 174.2 billion in 2018, a great deal of cardholder data passes through merchants' systems.
To help secure card transactions in the financial industry, the Payment Card Industry Security Standards Council, an independent body created by the major card networks, introduced the Payment Card Industry Data Security Standard (PCI DSS) in 2006.
Since then, fintechs have continued to deploy PCI-compliant technologies for businesses of all sizes. Companies can draw on secure financial technology to support PCI compliance, for example with third-party POS systems or mobile-enabled card readers like Square.
While no formal law requires merchant compliance, it is considered mandatory through court precedent and is enforced through the major card networks, including Visa, Mastercard, and American Express. These card networks may impose more stringent audits, more frequent check-ins, and even hefty penalties.
An updated version of the PCI standard is set to take effect in 2025, so companies are advised to be proactive in keeping their compliance current.
Businesses must meet 12 essential requirements to fit the PCI Data Security Standards. Below is a breakdown of that checklist and what these requirements entail.
A business must complete three exercises to attain PCI compliance, although the specifics vary by card network:
Businesses will fall into one of four category levels depending on the nature of their transactions and are required to meet the standards of that level annually.
Level one requires the most stringent security measures, while level four requires the least. All levels, however, must meet the same 12 requirements. A company should first determine which level it falls into so that it can plan its compliance strategy properly.
Small businesses can take advantage of several self-assessment questionnaires, depending on the payment setup a company wishes to use. For example, Questionnaire A-EP is for businesses that outsource all payment processing to certified third parties, like Stripe.
When starting a small business or startup, it’s vital to be proactive with security measures for sensitive customer data. The sooner companies identify vulnerabilities, the sooner businesses can reach PCI compliance. Here are some steps to take.
It's essential to take the self-assessment questionnaire seriously. If data is later compromised, the penalty may be steeper, because the business has declared that its systems have the proper measures in place.
If a business owner or technology leader has questions about certain aspects of the assessment, the PCI council recommends speaking with their payment processor or seeking help from a third-party agency.
Some business owners cobble together products and services from various companies to handle financial data. An up-to-date, all-in-one technology stack, by contrast, keeps sensitive information flowing through a single, consistent set of procedures.
Because these systems are connected, business owners only need to update one technology solution rather than several at different intervals.
In March 2022, the PCI council announced that it would update its standard from PCI DSS 3.2.1 to 4.0. The council expects organizations to meet the new version by March 2025, so there is still a reasonable amount of time to transition, or to start, toward this standard.
One example of the strengthened requirements is the minimum password length, raised from seven characters to 12. The updated standard also covers network segmentation, active monitoring, incident reporting, and encryption.
If a company accepts card payments, it is expected to maintain compliance. This standard protects businesses and customers from data breaches and from the legal fallout and costs that follow compromised data.