5 things you need to know about PCI DSS
If your company transmits or processes card payments, you must comply with PCI DSS, the Payment Card Industry Data Security Standard. These compliance rules have existed since around 2006, but there is still a degree of complexity involved with them, which gives rise to various FAQs. The following blog addresses the practical and subjective doubts that you, as a payment service provider or user, might have about PCI DSS, from the perspective of a payment processing business owner.
What is PCI DSS Compliance?
PCI DSS is essentially a set of security standards that applies to any business or service provider that processes card payments. It was an initiative by the major credit card companies to protect sensitive customer information. The Payment Card Industry (PCI) Security Standards Council was created with this objective in mind, while the DSS is the set of controls every merchant is supposed to follow in order to protect that data. There are both technical and operational requirements that must be met to comply with these rules, and it is not an optional exercise. Not complying with PCI DSS regulations can lead to heavy penalties, for example for activities like card replacements, or your company can be called in for regular audits by card providers. Furthermore, it generally harms a business's reputation and may lead to a loss of the trust its customers place in the company. PCI DSS is thus a prescription rather than a suggestion, and a business that is a payment service provider must commit to it.
- PCI DSS is a status and not an event
Compliance is not a certificate or a task that is done once and dusted. A business must maintain the standard of its service, adhere to these rules continuously and validate its compliance annually. The official validation also assesses your performance throughout the year, so you cannot ease up at any point. Furthermore, compliance must cover every one of the PCI DSS controls. There cannot be a compensatory control or an exemption granted on a case-by-case basis because a specific area is judged low risk. The PCI standards essentially do not allow for negotiation.
- Finding a qualified QSA
It is important to find a QSA (Qualified Security Assessor) to audit your PCI DSS compliance practices. It is advisable to go through the PCI Security Standards Council website and pick an approved assessor, scanner or forensic investigator. A QSA assists you in completing the process required for compliance, which includes performing a self-assessment questionnaire (SAQ) and completing an attestation of compliance (AOC), among other things.
- Third Party payment processors must adhere to the compliance as well
It is essential for you as a business owner to ensure that any payment service provider or payment processor you have a contractual relationship with is PCI DSS compliant. This should not rest on a claim by that party but be a legal requirement, with definite proof that the service provider adheres to the required PCI standards.
- It is not a specific law and is ever-evolving in nature
PCI DSS is not enforced as a federal law in most jurisdictions. Rather, it is a standard established as part of the contractual obligations that individual payment systems impose when they enter into agreements with payment card processing service providers.
A positive aspect of the PCI standards is that they change and evolve over time at a reasonable pace. A business owner usually does not need to worry about a sudden dramatic shift, but, as stated before, it is highly advisable to make ongoing compliance part of your processes.
- Special requirements depending on the size of your business and the data stored
It is very important to note that even after becoming PCI DSS compliant, a payment processing company or organisation can only store data for which there is a need. Beyond appropriate defences, masking PANs (primary account numbers) or removing irrelevant card data to minimise errors is common practice and a requirement in many places.
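As an added illustration of the masking point above (this is example code written for this post, not anything from the PCI standard or from the company's own platform), the following Python shows the two controls a practitioner usually wants: a display mask that keeps at most the first six and last four digits, and a log scan that finds card numbers that should never have been written and replaces them with a last-four-only mask. The log lines, the test-card numbers and the "13 to 19 digits, optionally separated by spaces or dashes" candidate pattern are constructed assumptions for the example; the Luhn check is used only to cut false positives such as order ids.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not adjacent to other digits. Constructed for this example.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, which every real PAN satisfies; used to cut false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4, mask_char: str = "*") -> str:
    """Mask a PAN for display. Defaults follow the common 'first six, last four' rule;
    pass keep_first=0 for the stricter last-four-only policy used for logs below."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("a PAN has 13 to 19 digits")
    if keep_first + keep_last >= len(digits):
        raise ValueError("nothing would be masked")
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + mask_char * hidden + digits[-keep_last:]


def redact_pans(text: str) -> Tuple[str, int]:
    """Replace every Luhn-valid PAN candidate in text with a last-four-only mask.
    Returns the redacted text and how many PANs were found."""
    found = 0

    def _sub(m) -> str:
        nonlocal found
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)   # most likely an order id or token, leave it alone
        found += 1
        return mask_pan(digits, keep_first=0)

    return _PAN_CANDIDATE.sub(_sub, text), found


# Constructed sample log lines using well-known test-card numbers, not real accounts.
SAMPLE_LOG = [
    "INFO  checkout order=1042 card=4111 1111 1111 1111 amount=19.99",
    "DEBUG token lookup id=1234567890123456",
    "WARN  refund failed pan=5555-5555-5555-4444 reason=timeout",
]


def scan_log(lines: List[str]) -> Tuple[List[str], int]:
    """Redact each line; a non-zero count means PANs leaked into the log and the
    logging code, not just the log file, needs fixing."""
    redacted = []
    total = 0
    for line in lines:
        clean, n = redact_pans(line)
        redacted.append(clean)
        total += n
    return redacted, total


if __name__ == "__main__":
    lines, n = scan_log(SAMPLE_LOG)
    print("\n".join(lines))
    print(f"{n} PAN(s) found and masked")
```

The Luhn filter is a trade-off: it keeps the scan from mangling order numbers and timestamps, but a site that wants to be conservative can drop the check and mask every 13 to 19 digit run regardless. Either way the useful signal for a compliance review is the count, since any PAN found in a log is data that should not have been stored.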
Merchants also have different PCI requirements depending on their levels.
- Level 1 covers merchants that process over 6 million transactions annually. They are required to undergo a network scan by an Approved Scanning Vendor and an annual report by a Qualified Security Assessor, with further requirements for internal tests and penetration tests.
- Level 2 merchants process one to six million transactions a year. They have similar requirements to level 1 merchants, along with an annual self-assessment questionnaire (SAQ).
- Level 3 merchants process 20 thousand to a million transactions.
- Level 4 merchants process fewer than 20 thousand transactions. Both level 3 and level 4 merchants are expected to conduct an annual SAQ and a quarterly network scan, and have certain additional requirements similar to those of level 2 merchants.
Service providers have additional requirements covering changes like multi-factor authentication and the Designated Entities Supplemental Validation (DESV) criteria. An example of the former is the 3DS2 multi-factor authentication protocol. 3DS2 essentially involves providing additional personal information, like a customer's profession or another fact related to them, in addition to the primary account number. The primary objective of 3DS2 is to reduce friction during the checkout process. These protocols also carry requirements unique to them, making payment service providers more responsible for data security.
We are a PCI DSS compliant company. In case you are a merchant or a payment service provider that is looking for a compliant partner, you can reach out to us.
In conclusion, PCI DSS compliance is a status that instils confidence in your clients and customers, as it guarantees a good standard of service and, more importantly, security of data. Although the processes involved might seem a little complex, they ensure that your company maintains a good reputation. It is also recommended to consult a qualified QSA for the compliance, who can address any specific doubts or issues you might have.
We will be there at Sigma 2021, Malta. Dive into the world of payments and technology with us and book a meeting to explore more!