Businesses that accept card payments from customers take on a big responsibility. They must keep cardholders’ information secure before, during, and after transactions, implementing appropriate security measures to prevent fraud and keep bad actors from accessing their data.
PCI compliance requirements provide a clear security framework for these businesses. In this guide, we’ll take a closer look at the requirements, how to achieve PCI compliance, and best practices for businesses throughout this process.
Understanding PCI compliance
What is PCI compliance? It is a set of security standards and practices that applies to all businesses that store, process, or transmit credit card information. The main purpose of PCI compliance is to protect cardholders’ data and prevent fraud.
As we’ll cover in more detail below, there are 12 core security requirements for PCI compliance under the Payment Card Industry Data Security Standard (PCI DSS). Beyond these 12 standards, businesses face additional requirements depending on their annual transaction volumes, spanning from Level 1 to 4.
This covers things like using secure networks, imposing strict access controls, regular security testing, and more. The risks of non-compliance include fines, loss of processing capabilities, and reputational damage.
Key aspects of PCI compliance
For a better understanding of what PCI compliance is and how it works, here’s a quick overview:
- It applies to all businesses or merchants that accept, store, process, or transmit cardholder data.
- It is meant to protect sensitive cardholder data and build customer trust.
- The major credit card brands require these security standards for any merchant accepting their cards.
- PCI DSS is a set of 12 core security requirements covering technical and operational standards that businesses must implement.
- There are four PCI compliance levels based on the business’s yearly transaction volumes, which determine the specific requirements a business must adhere to.
How does PCI compliance work?
Businesses interested in getting PCI compliant may be overwhelmed by the technical nature of the security requirements.
However, the good news is that it is doable, especially considering that businesses of any size that collect, store, or process credit card information must be PCI compliant.
The following are some of the steps businesses can take to ensure PCI compliance:
- Check with the payment service provider (PSP): Verify which PSP the company uses. It’s possible PSP handles PCI compliance, so the business doesn’t have to.
- Review agreements/contracts: If the PSP does not take care of PCI compliance, the merchant should review the terms and conditions of their account agreement to understand their security requirements.
- Understand the PCI compliance level: Based on the annual number of transactions, the company should determine which level of PCI compliance it falls under.
- Take the self-assessment questionnaire: Businesses can complete the questionnaire provided by the PCI Security Standards Council to report their status. Keep in mind that larger businesses may need to get a third-party audit to verify their compliance.
- Regularly repeat: PCI compliance should be regularly reviewed, at least once a year, to ensure the business’s standards and practices continue to comply with the security requirements.
PCI compliance requirements
As mentioned above, PCI DSS has 12 core requirements. Here’s a closer look at each:
Install and maintain a firewall
The business must configure firewalls to protect cardholder data. This helps to restrict bad actors from gaining network access.
Change vendor-provided default passwords and security settings
New tools and solutions often come with default passwords or security settings out of the box.
The business should change the provided passwords and adjust security settings as desired, like restricting certain features or services, to minimize potential entry points.
Protect stored cardholder data
Try to avoid storing cardholder data unless absolutely necessary. For any data the company stores, it should have regular processes in place to dispose of the information.
Encrypt cardholder data for transmission across open, public networks
Employees should not send sensitive cardholder data through unencrypted channels. For example, they should not text a customer’s credit card information to another employee for processing.
Use antivirus software and regularly update it
Teams should install antivirus software on their devices and regularly perform updates to ensure it has the latest capabilities and security features.
Develop security systems and processes
Companies should have a vulnerability management program in place to regularly make updates to the system and software as needed.
Impose role-based access restrictions
Determine which roles in the company need access to sensitive cardholder information, and which do not.
Restrict access using role-based controls or user privileges to limit who has access to this data to complete their job duties.
Assign a unique ID to everyone with computer access
Everyone who accesses a computer or sensitive tool should have a unique identifier. This way, the company can authenticate users more effectively and limit access from unauthorized users.
Restrict physical access to cardholder data
At a company’s physical location, there should be security practices in place that limit or monitor access to sensitive areas. This may include installing security cameras near the cash register or POS system.
Track all access to the network and cardholder data
Keep time-stamped logs of all requests and access to sensitive data. Regularly review records for any suspicious activities that may warrant further investigation.
Regularly test security systems and processes
Do regular vulnerability checks or network traffic monitoring to verify that the security systems are working as intended.
Maintain an information security policy for all personnel
Create and share a security policy that clearly outlines the rules and requirements for employees. Review and revise the policy each year to keep it up to date.
Is PCI compliance mandatory?
The law does not require businesses to achieve PCI compliance. This requirement is imposed by the payment processors themselves, affecting a business’s ability to collect and process credit card payments.
Thus, the specific requirements or obligations that a business must comply with come from the agreement between itself and its payment processor. There are no state or federal agencies with oversight for PCI DSS. Instead, the security standards are set by the PCI Security Standards Council.
If a business is found non-compliant, the payment processor can impose fines, increase transaction fees, or restrict access to their services.
Best practices for maintaining PCI compliance
Managing PCI compliance can feel daunting, though it’s crucial to maintain a good status with payment processors and safeguard customers’ credit card information.
Here are some best practices to keep in mind when maintaining PCI compliance:
Ongoing monitoring and risk management strategies
Achieving PCI compliance should not be thought of as a one-time endeavor. Instead, it should be something that the organization consistently monitors to ensure that the security policies and systems put into place are working as intended.
Regular security scans every month or quarter can help identify and fix potential vulnerabilities. It can also be useful to review general credit card-related processes to see what can be improved to strengthen security.
Training staff on compliance and security awareness
Likewise, PCI compliance is not only relevant to security teams and business leaders. Anyone within the organization who collects, handles, or stores cardholder data plays an important role in upholding PCI compliance.
As such, they should be made aware of the relevant policies and practices to keep cardholder data secure.
While it’s not a specific PCI DSS requirement, it may make sense to hold regular training sessions to raise awareness across all levels and highlight any new internal policies or procedures.
Utilizing technology and tools to streamline compliance efforts
Businesses don’t have to rely strictly on manual efforts to stay on top of PCI compliance or monitor access logs.
Instead, teams can leverage automation and other advanced tools like artificial intelligence (AI) and machine learning (ML) to assess large volumes of data with more efficiency. In turn, these tools can determine regular patterns for cardholder data access and more easily spot anomalies as they occur.
Get peace of mind with BILL
Feel confident including BILL Spend & Expense in your tech stack and financial operations.
It’s PCI compliant for organizations handling branded credit cards, with advanced security measures like real-time transaction monitoring, multi-factor authentication, and secure data centers.
Ready to get started? Sign up for your free trial of BILL today!
