When you accept credit or debit cards and other forms of electronic payments, your business enters a complex transaction processing system with many players involved. Just as electronic payments have witnessed a revolution over the last two decades, so too has fraud evolved and taken a financial toll on the payments industry. In 2021 alone, online users in the UK lost £1.3 billion to cybercrime, with a nearly 40% surge in authorised push payment (APP) scams.
How have payment security standards responded to threats from data breaches and card fraud? Every merchant who collects, stores, or transmits card payment data must comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS compliance, a standard maintained by the PCI Security Standards Council (PCI SSC) that the card schemes set up, is key to safeguarding your customers' data and your business against card payment fraud and sensitive data breaches.
In this guide, we'll spotlight what PCI compliance is, how you can identify your current level of PCI compliance and ways to remain PCI-compliant to avoid compromises and crippling fines that may harm your revenue and business reputation.
Watch our video to learn all you need to know about the PCI DSS standard.
What is the PCI DSS?
PCI DSS, meaning Payment Card Industry Data Security Standard, is a protocol set up by the card schemes (Visa, Mastercard, American Express, Discover and JCB) in 2006 to manage data security standards for businesses that store, transfer, and process cardholder data. The standard aims to ensure protection for consumers and banks within the online payments ecosystem, where sensitive data is susceptible to fraudulent misuse.
The PCI DSS includes 12 high-level requirements with 300+ sub-requirements, grouped under the following six categories:
- Build and maintain a secure network
  - Install and maintain a firewall configuration to protect data
  - Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect cardholder data
  - Protect stored data with encryption
  - Encrypt transmission of cardholder data and sensitive information across public networks
- Maintain a vulnerability management programme
  - Use and regularly update anti-virus software
  - Develop and maintain secure systems and applications
- Implement strong access control measures
  - Restrict access to data by business need-to-know
  - Assign a unique ID to each person with computer access
  - Restrict physical access to cardholder data
- Regularly monitor and test networks
  - Track and monitor all access to network resources and cardholder data
  - Regularly test security systems and processes
- Maintain an information security policy
  - Maintain a policy that addresses information security
What is PCI compliance?
PCI DSS compliance (PCI compliance for short) means adhering to the PCI DSS requirements and having the infrastructure and processes in place to protect consumers' card information against data breaches and fraud. It's worth pointing out that PCI DSS is an industry standard made by the major card schemes, not a law. Ensuring PCI compliance is relevant to any merchant that accepts card payments, regardless of vertical and transaction volume. The full PCI DSS document can be accessed here.
These are the three main areas that PCI involves:
Handling card data
If your customers input their sensitive credit card details on a payment page that is hosted on your server, you'll be required to be PCI compliant and meet each of the 300+ security controls outlined in the PCI DSS. In essence, your company will most probably need to purchase, apply, and maintain security software and hardware, backed by a robust security programme.
If your customers enter their card details on a page hosted by your payment service provider (PSP) or acquirer, the PCI compliance liability shifts to the payment service provider who handles your payments and your PCI costs are reduced to a great extent.
Securely storing data
If your organisation handles and stores payment card data, you will need to define the scope of your Cardholder Data Environment (CDE). According to the PCI DSS, the CDE includes all people, processes and technology involved in processing, storing, or transmitting payment card data. This means that your organisation must segment the payment environment from the rest of the business to contain the CDE scope. Otherwise, you risk having to apply all 300+ security controls to every computer and device within your company, which only increases your expenses and infrastructure burden.
Annual PCI compliance validation
Every organisation that deals with sensitive card data is required to complete a PCI validation form every year. There might be merchants who don't feel they're fully in line with PCI standards, or they may have concerns that their infrastructure could expose data not only to external fraudsters but also internally across their organisation.
In such cases, you may consider hiring a qualified independent consultant who can provide objective advice on how you can achieve PCI compliance, along with a Qualified Security Assessor (QSA) who can audit your internal security (more on this below).
The latest version 4.0 of the PCI DSS further revises data security standards for every organisation that deals with sensitive payment card information. Although the current version (3.2.1) remains valid until March 2024, organisations that are subject to the PCI DSS should prepare for the update as soon as possible (Find everything you need to know about the updated regulation here).
Is there a penalty if a merchant is not PCI compliant?
As mentioned, the PCI DSS is not a law. However, the card schemes are responsible for administering fines to acquirers who process payments for merchants that are involved in a data breach and do not comply with the PCI DSS. As a contractual rule, the acquirer passes the fine on to the merchant, potentially alongside other costs, including payment card replacement costs, increased fees per transaction, and so forth.
PCI levels and how to achieve compliance
All merchants fall into one of the following levels of PCI compliance, typically based on the volume of credit and debit card transactions they process during a year — either online or face-to-face.
PCI compliance Level 1
PCI compliance Level 1 is the strictest in terms of requirements. It applies to any organisation that processes more than six million transactions annually, has undergone several data breaches, or is classed as Level 1 by the card schemes.
The requirements related to Level 1 involve:
- Filing a Level 1 on-site assessment: an annual Report on Compliance (ROC) produced by a QSA, or by an Internal Security Assessor (ISA) if signed by an officer of the company. These auditors will review your documentation and technical information to determine whether the PCI DSS requirements are being met.
- Undergoing a quarterly network scan by an Approved Scanning Vendor (ASV). (Here's the list of approved scanning vendors maintained by the PCI SSC.)
- Completing the Attestation of Compliance (AoC) for on-site assessments.
PCI compliance Level 2
PCI compliance Level 2 applies to every organisation that processes between one and six million card transactions annually.
The requirements related to Level 2 involve:
- Completing the annual PCI DSS Self-Assessment Questionnaire (SAQ) (There are nine SAQ types shown briefly further down below).
- Completing and obtaining evidence of a passing quarterly vulnerability scan with an ASV.
- Completing the Attestation of Compliance (AoC) according to their SAQ classification.
- Submitting SAQ, AoC, along with any other requested documentation, to their acquirer.
PCI compliance Level 3
PCI compliance Level 3 applies to organisations that process between 20,000 and one million online transactions annually.
The requirements related to Level 3 involve:
- Completing the annual PCI DSS SAQ. (There are nine SAQ types shown briefly further down below).
- Completing and obtaining evidence of a passing quarterly vulnerability scan with an ASV.
- Completing the AoC according to their SAQ classification.
- Submitting the SAQ and AoC, along with any other requested documentation, to their acquirer.
PCI compliance Level 4
PCI compliance Level 4 applies to organisations that process fewer than 20,000 online transactions annually or organisations that process up to one million transactions in total, annually.
The requirements related to Level 4 involve:
- Completing the annual PCI DSS SAQ. (There are nine SAQ types shown briefly further down below).
- Completing and obtaining evidence of a quarterly vulnerability scan with an ASV.
- Completing the AoC according to their SAQ classification.
- Submitting SAQ, AoC, along with any other requested documentation, to their acquirer.
Self-Assessment Questionnaire (SAQ)
For PCI compliance Levels 2, 3 and 4, PCI has created nine different forms of Self-Assessment Questionnaires (SAQs). There are different SAQs for each compliance level and different AoC forms for each level. It can prove challenging to identify which SAQ form to use. Your payment service provider or acquirer will help you determine which are the right documents based on your payment integration method (Watch our video about payment integration or read our relevant article to find out which integration best suits your business).
Here's a brief description of the SAQ types:
SAQ A covers card-not-present merchants (eCommerce and mail/telephone order, or MOTO, payments) who have outsourced all cardholder data functions to a PCI-compliant payment service provider, and do not process, store, or transmit any cardholder data on their systems or premises. ASV scanning is not required for SAQ A.
SAQ A-EP covers only eCommerce merchants who use a client-encryption integration method, that is, they have outsourced all cardholder data functions to a PCI-compliant payment service provider. SAQ A-EP requires ASV scanning.
SAQ B covers merchants (excluding eCommerce) using only imprint machines with no digital cardholder data storage, and/or basic dial-out terminals which connect directly to the phone line rather than over the internet. SAQ B doesn't require ASV scanning.
SAQ B-IP covers merchants (excluding eCommerce) using only standalone approved PIN Transaction Security (PTS) POS terminals with an IP connection to the payment service provider with no electronic cardholder data storage. SAQ B-IP requires ASV scanning.
SAQ C covers merchants (excluding eCommerce) with payment applications connected to the internet with no electronic cardholder data storage. SAQ C requires ASV scanning.
SAQ C-VT covers merchants (excluding eCommerce) who manually key in a single transaction at a time into a web-based virtual payment terminal provided by a PCI-compliant third-party payment service provider.
SAQ P2PE covers merchants (excluding eCommerce) using only hardware-based payment terminals managed by a validated, PCI SSC-listed point-to-point encryption (P2PE) payment solution without electronic cardholder data storage.
SAQ D covers PCI-compliant merchants who use a server-to-server integration – namely, they have a direct connection to the payment gateway of their payment service provider and store card details on their server. It also covers all payment service providers defined by a payment card brand as eligible to complete an SAQ.
PCI compliance checklist
Below we outline actions that are integral to the annual PCI compliance checklist for merchants who do not use a hosted payment solution. Bear in mind that you also need to undertake security scans by an ASV every quarter.
- Complete the annual risk assessment of the website pages where card data is handled and of anything else that relates to the CDE.
- Ensure third parties that store, process and/or transmit card data, or are connected to the CDE, provide evidence that they are PCI compliant and are registered with the card schemes.
- If using a hosted payment page for your website, you must ensure the product and the version you are using are PA DSS compliant (Payment Application Data Security Standard, which applies to developers of payment applications). Also, make sure you fully adhere to the guidelines provided by the supplier.
- Train your staff to follow PCI DSS procedures.
- Make sure that you are only keeping payment data that is essential and ensure that it's encrypted when transmitted across public networks.
- Set up security controls to monitor and control access to your eCommerce CDE.
- Safeguard sensitive cardholder information by deploying and maintaining firewalls and up-to-date antivirus software.
- Ensure that the shopping cart integration is the most up-to-date version available.
- Protect your website security and discuss with your web hosting provider to ensure that they have secured their infrastructure. Merchants should encourage their web host provider to adopt system hardening standards and disable default settings.
- Run PIN Entry Device (PED) tests annually and after any significant change to the CDE.
- Make sure that the vendor of the software or hardware you use to process transactions has product approval from the Payment Card Industry Security Standards Council (PCI SSC).
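As an added illustration of the data-minimisation and monitoring items in the checklist above (this is example code written for this guide, not code from emerchantpay or the PCI SSC): a small Python helper that drops sensitive authentication data before a transaction record is stored, truncates the PAN to the first six and last four digits, and scans log lines for PANs that have leaked in the clear. The payment payload, field names and log lines are constructed test values; 4111111111111111 is a well-known test PAN, not real card data.

```python
import re

# Constructed sample payload, as a payment form might POST it. 4111111111111111
# is a well-known test PAN (passes Luhn); nothing here is real card data.
SAMPLE_PAYMENT = {"pan": "4111 1111 1111 1111", "expiry": "12/27",
                  "cvv": "123", "holder": "A. Example", "amount": "19.99"}

# Sensitive authentication data: PCI DSS forbids storing these after authorisation.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvc", "cvv2", "track1", "track2", "pin", "pin_block"}

def luhn_ok(digits: str) -> bool:
    """Luhn check, so that arbitrary 16-digit numbers (order ids) are not flagged as PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Truncate to first six and last four digits, the most PCI DSS allows to be displayed."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def to_storable_record(payment: dict) -> dict:
    """Keep only what the merchant may retain: masked PAN, expiry, holder, amount."""
    record = {k: v for k, v in payment.items() if k.lower() not in SENSITIVE_AUTH_FIELDS}
    record["pan"] = mask_pan(payment["pan"])
    return record

# 13-19 digits, optionally separated by spaces or hyphens, not embedded in a longer number.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_unmasked_pans(line: str) -> list:
    """Detection: Luhn-valid PANs that appear in clear text in one log line."""
    return [m.group(0) for m in PAN_RE.finditer(line)
            if luhn_ok(re.sub(r"\D", "", m.group(0)))]

def scan_log(lines) -> list:
    """Return (line number, PAN) pairs for every leak found; feed this into alerting."""
    return [(n, pan) for n, line in enumerate(lines, 1) for pan in find_unmasked_pans(line)]

# Constructed log lines: the first leaks the test PAN, the second carries an
# order id that is not Luhn-valid and must not be reported.
SAMPLE_LOG = ["2024-01-10 checkout ok pan=4111111111111111 amount=19.99",
              "2024-01-10 order_id=1234567890123456 status=shipped"]

if __name__ == "__main__":
    print(to_storable_record(SAMPLE_PAYMENT))
    print(scan_log(SAMPLE_LOG))
```

Running `scan_log` over your application logs during the quarterly review is a cheap way to catch PAN leakage that would pull those log servers into CDE scope.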
How can emerchantpay help with PCI compliance?
PCI compliance is an indispensable element for a business that accepts card payments. Committing to secure transactions for your customers always increases trust for your brand and protects you from non-compliance fees and penalties.
emerchantpay is a PCI Level 1 compliant payment service provider and acquirer, meaning that we can help you minimise your PCI burden with three different solutions. First, our hosted payment page carries the minimal PCI burden for the merchant (SAQ A): the merchant fully outsources all cardholder data functions to us, with no storage, processing, or transmission of cardholder data in their own systems. Merchants using this solution, where the payment page is hosted on our server, benefit from the highest level of security. Integrating this solution could also allow you to save on infrastructure and invest your budget in other activities within your organisation.
Second, our client-encryption solution applies to eCommerce merchants who outsource all payment processing to a PCI-compliant payment service provider. This solution reduces the PCI burden to SAQ A-EP, which is stricter than SAQ A but significantly less hassle than SAQ D. Using this integration enables you to accept secure payments and customise and control the payment page while reducing your security costs.
Third, with the server-to-server integration, merchants need to be fully PCI DSS compliant. This integration provides full control over the payment page, while it requires SAQ D, the highest level of PCI SAQ requirements to ensure the security of an online transaction.
Want to know how to accept secure payments via our PCI Level 1 payment gateway and acquiring services? Talk to our team of payment experts today.