PCI Compliance

A Complete Introduction

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to ensure that every business that accepts, transmits, processes, or stores credit card data maintains a secure environment. The PCI DSS applies to all organizations, regardless of size or number of transactions, that transmit, accept, or store any cardholder data.

The Payment Card Industry Security Standards Council (PCI SSC) administers and manages the PCI DSS. The major payment card brands (MasterCard, Visa, Discover, American Express, and JCB) created the PCI SSC as an independent body on September 7, 2006 to manage security standards as the industry evolved, improving account security at each step of the transaction. However, the PCI council does not enforce compliance; that is the responsibility of the payment brands and acquirers. A copy of the PCI DSS, including a formal definition of PCI compliance, is available from the PCI Security Standards Council.

What is PCI Compliance?

Credit card companies mandate Payment Card Industry Data Security Standard (PCI DSS) compliance to help ensure that credit card transactions in the payments industry remain secure. PCI compliance guidelines include the operational and technical standards that businesses use to protect and secure the credit card data cardholders provide during card processing transactions. The PCI Security Standards Council develops and manages the PCI DSS compliance certification rules, procedures, and guidelines.

The PCI DSS compliance framework includes 6 broad objectives (sometimes referred to as the 6 compliance groups for PCI DSS), 12 major PCI compliance requirements, 78 basic requirements, and more than 400 test procedures. Companies that achieve and maintain the PCI DSS requirements are considered PCI compliant.

Beyond the full Primary Account Number (PAN), which qualifies on its own, the PCI SSC defines cardholder data as any of these additional elements: cardholder name, service code, or expiration date. Businesses must also protect Sensitive Authentication Data, including complete magnetic stripe data, CVC2, CAV2, CID, CVV2, PINs and PIN blocks, and other data.

For PCI DSS audit procedures and other PCI DSS purposes, a merchant is any entity that accepts payment cards for goods and/or services from American Express, JCB, Discover, Visa, or MasterCard—any of the five PCI SSC members. Merchants may also be service providers, depending on how they store, process, and transmit cardholder data on their own behalf or on that of other service providers or merchants.

Within the PCI DSS framework, a service provider is any business entity other than a payment brand that is directly involved in the storage, processing, security, or transmission of cardholder data. The PCI SSC clarifies that a merchant that ends up storing, processing, securing, or transmitting cardholder data for other service providers or merchants is itself also a service provider.

FAQs

What is a PCI Compliance Audit?

Credit card companies require PCI compliance audits of certain merchants that process and/or store credit card information. The goal of the PCI DSS compliance audit is to ensure merchants comply with the Payment Card Industry Data Security Standard (PCI Data Security Standard). PCI DSS audits may be routine, or triggered by alleged violations.

Qualified security assessors conduct PCI DSS compliance audits of a business's IT architecture, including point-of-sale systems, to determine whether internal operations meet cardholder information security standards.

What is Required to be PCI Compliant?

To achieve PCI DSS compliance, a business must consistently adhere to the Payment Card Industry Data Security Standards (PCI DSS), guidelines set forth by the PCI Security Standards Council (PCI SSC). The most recent version of PCI DSS, version 3.2.1, was released in May 2018.

PCI compliance procedures are central to the security protocol used by credit card companies, which generally mandate them in practice and in network agreements. Requirements and standards for PCI compliance security are developed by the PCI SSC.

PCI compliance standards apply both to merchant processing and to encrypted internet transactions. These PCI DSS best practices are also considered general security best practices.

PCI DSS compliance standards require businesses such as merchants to process, store, manage, transmit, and otherwise handle credit card information securely in a PCI compliant environment to reduce the likelihood of theft of sensitive financial account information from cardholders. To achieve this goal, PCI DSS has six major objectives, 12 key requirements, 78 base requirements, and over 400 test procedures.

Overall, the PCI compliance requirements outline steps and processes to follow, but first demand that businesses assess their networks and systems. This involves an assessment of business processes, information technology (IT) infrastructure, and credit card handling procedures.

To avoid the theft of sensitive cardholder information, such as driver’s license and social security numbers, constant assessment of any gaps in security and maintenance of existing systems is critical. As part of their card processing agreements, businesses must provide regular PCI security compliance reports. Assessments, monitoring, and audits of PCI DSS are all important security department tasks.

As enterprises assess PCI DSS compliance software and other PCI DSS compliance solutions, it pays to keep these six major PCI DSS principles front of mind.

1. Build and Maintain a Secure Network

Firewalls are essential to PCI DSS compliance certification. Install and maintain a firewall configuration to protect secure networks and cardholder data.

Firewalls rely on their ability to inspect and compare network traffic to a set of configured rules, so it’s critical to review and update them regularly. Firewall rules must limit traffic to only known, documented services and ports. Every open service and port must have a business justification.

Bad actors and cybercriminals have easy access to vendor-supplied defaults for system passwords, SNMP community strings, and other security parameters. Remove all undocumented and insecure services, or you risk attackers compromising cardholder data after exploiting your internal networks.

2. Protect Cardholder Data

Whenever possible, limit storage of cardholder data to what is required for regulatory, legal, or business needs. Never store Sensitive Authentication Data (SAD), such as the data on the magnetic stripe, the EMV chip, the CVV, and the PIN, after authorization.

Store cardholder data, including the PAN (Primary Account Number), cardholder name, and expiration date, only when necessary, and then only once it has been rendered unreadable.

Encrypt transmission of cardholder data with strong cryptography over public networks. Never send PANs through end-user messaging such as email, chat, or IM.

3. Maintain a Vulnerability Management Program

Protect all systems against malware and viruses with current anti-virus programs or software. Anti-virus software must remain updated, and should periodically scan and generate PCI compliance audit logs. Only authorized administrators should be able to disable anti-virus software, and then only for a limited time. End users should not be able to disable anti-virus programs.

Develop and maintain secure applications and systems. Businesses and developers should identify and classify new vulnerabilities based on the risk they pose to the cardholder data environment. Account for common coding vulnerabilities in software development such as cross-site request forgery, cross-site scripting, and buffer overflows by training developers regularly. Test public-facing web applications with PCI DSS compliance tools, application security tools, or application penetration testing techniques routinely, and deploy a Web Application Firewall.

4. Implement Strong Access Control Measures

Access to cardholder data should be restricted based on business need to know. This role-based access means that a user can access only the minimum amount of data necessary to perform their job function. Use access control and video monitoring to restrict and monitor physical access to cardholder data and secure areas within the cardholder data environment.

This need-to-know, or least-access, principle also applies to system component access. Any user not specifically granted authorization for a valid business need should be denied access via a “deny all” default, and access to system components should only be granted after Multi-Factor Authentication. In addition to a password, MFA requires a second piece of authentication such as a device-local biometric scan, a code sent to a registered device, or a key fob/smart card.

Retain access data for 90 days unless prohibited by law. Destroy any media containing cardholder data when it is no longer needed. Shred paper forms containing cardholder data once past the defined retention period. Maintain an inventory of point-of-interaction devices and protect them from tampering or replacement.

5. Regularly Monitor and Test Networks

Various PCI compliance server requirements ensure a high-security environment for cardholder data. Monitor and track all access to cardholder data and network resources. Perform internal and external vulnerability scans and penetration testing.

All login systems must tie actions to individual accounts, log those actions, and retain logs for a minimum of one year with three months readily available. Review logs daily and address all anomalies immediately. Intrusion detection and file integrity monitoring systems should alert the team to unexpected changes in the environment. Back up logs to a centralized server so that log information cannot be deleted or altered on the originating host.

6. Maintain an Information Security Policy

Entities must develop and maintain an information security policy that documents all organizational policies and procedures related to cardholder data. Usage policies should clarify which users are authorized to use which devices, in which locations, for what purposes.

Create incident response plans that include continuity plans, requirements to notify card brands, and data backup plans. Follow public notification rules in your jurisdiction.

Who is Required to be PCI Compliant?

All entities that process credit card data are required by their card processing agreements to be PCI compliant. PCI compliance is the industry standard because, without it, businesses are highly vulnerable to fraud, theft, and data breaches. Without adhering to the proper standards, anyone handling credit card information is at risk of substantial PCI compliance fines for negligence and agreement violations.

Cardholder data, sometimes called payment data, covers information such as the full primary account number (PAN), the expiration date, the cardholder’s name, and the credit card service code. The sensitive authentication data in the magnetic stripe data is also protected, including PINs, PIN blocks, CVC2, CAV2, CID, and CVV2.

PCI DSS standards apply to:

  • Card readers
  • Online payment applications
  • Payment card data storage and transmission
  • Point-of-sale (POS) systems
  • Payment card data stored in paper records
  • Shopping carts
  • Store networks
  • Wireless access routers that handle cardholder data

Using a third-party company or PCI DSS compliance service can reduce exposure and the effort needed to validate compliance, but it does not eliminate an entity’s own PCI DSS compliance duty.

Is PCI Compliance Required by Law?

PCI compliance is not itself a law. It is a standard that major credit card brands including MasterCard, Visa, Discover, AMEX, and JCB created.

Typically, credit card companies do not directly handle payment processing functions. Instead, third party processors such as Moneris Solutions or Chase Paymentech handle transactional services for them.

When PCI compliance breaches or violations occur, credit card companies impose fines on merchant banks at their discretion. The bank or similar financial institution, called the acquirer, tends to pass those fines on to the merchant. PCI DSS non-compliance penalties range from $5,000 to $100,000 per month, and merchants may also be subject to additional penalties from their banks.

Once there is a breach, the processor or bank may require the merchant to move up a level in compliance, meaning their PCI DSS compliance requirements will be even more stringent in future.

In addition, according to the ABA, although the PCI DSS is not written into the law, it has legal consequences for merchants in at least two ways. The first is the PCI non-compliance penalties which are the result of the contractual relationship with the credit card company, as discussed above. The second is that states may codify portions of the PCI DSS into law.

Furthermore, failing to become PCI compliant can certainly have indirect consequences, such as causing harm to a brand’s reputation, as described below.

How to Become PCI Compliant

Achieving PCI DSS compliance starts with three steps: assess, remediate, and report.

First, assess by performing an internal audit against a PCI DSS compliance audit checklist. This audit will identify all cardholder data the business handles, inventory business processes and IT assets for payment card processing, and analyze the processes and assets for vulnerabilities.

Then, remediate any vulnerabilities identified in the audit. Ideally, store cardholder data only when absolutely necessary, and where possible store it with an external qualified body rather than internally. Not transmitting or storing cardholder data at all is the fastest route to PCI compliance.

Finally, compile and submit the PCI report on compliance for each card brand and bank. This will include any applicable required remediation validation records and the relevant institutional PCI compliance records.

The PCI Compliance Self-Assessment Questionnaire (SAQ)

Depending on your business, determine which PCI compliance self-assessment questionnaire (SAQ) is appropriate for validating compliance. Complete the questionnaire carefully according to its instructions. Some merchants must pass a vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV), and present evidence of a passing PCI compliance scan with their SAQ.

The relevant attestation of compliance is located in the SAQ tool. Complete it and submit it along with the SAQ, any other requested PCI DSS compliance documentation, and evidence of a passing PCI compliance scan if applicable, to the acquirer.

Although the SAQ is relatively short and can itself be completed in several hours or a day by a qualified person, achieving compliance demands overcoming a number of significant technical challenges.

On average, for a Level 3 or Level 4 merchant, it takes an experienced systems administration team several business days to secure a single server and prepare the appropriate PCI DSS compliance documentation. The cost for this type of service is approximately $15,000.

Without support from an outside partner and use of PCI compliance products, merchants who are already adept with data security and are attempting to reach PCI compliance themselves can still expect to spend several weeks completing key tasks to achieve PCI compliance:

  • Research PCI Data Security Standards (DSS)
  • Identify the appropriate level of compliance and required PCI SAQ
  • Secure physical servers (potentially a large, very expensive piece of the project)
  • Inspect all third-party software components or plugins on servers that cardholder data passes through for PCI compliance, and verify the supporting external documentation
  • Complete PCI SAQ and Attestation of Compliance (ROC)

This can take weeks of time and tens of thousands of dollars, especially for complex undertakings involving merchants both capturing and retaining cardholder data in more than one onsite data center. It also requires a multidisciplinary team, typically some combination of: business analysts, e-commerce platform developers, legal, project managers, resource protection staff, system administrators and possibly a third-party Qualified Security Assessor.

What is Needed for PCI Compliance?

As mentioned above, there are 12 requirements for PCI DSS compliance. Typically, these 12 PCI compliance regulations comprise the meat of most PCI compliance checklists and are the focus of most PCI compliance products.

1. Use and Maintain Firewalls

Firewalls prevent unauthorized foreign or unknown entities from accessing private data and serve as the first line of defense against cyber attacks. Since firewalls help prevent unauthorized access, and cardholder data theft no longer requires physical access, firewalls form an essential component of PCI DSS compliance.

More specifically, this first requirement directs merchants and Independent Software Vendors (ISVs) to configure firewalls and routers appropriately. Whenever software or hardware changes are made, firewall and router standards should allow the organization to conduct standardized testing of the new equipment.

Except in cases where a specific communication protocol is required to process cardholder data, configuration rules should restrict all untrusted traffic. Review all rules at least every six months.

Internet users must be prohibited from accessing any component inside the cardholder data environment (CDE). This extends to mobile devices of employees covered by BYOD policies, and any other devices that access the organization’s network, which must have personal firewall software.

2. Proper Password Protections

Modems, point-of-sale (POS) systems, routers, and other third-party products often ship with generic security settings such as default passwords. Although these defaults are publicly known, businesses often fail to change them.

To ensure PCI compliance in this area, keep an inventory of all software and devices that require credentials to access. Apply basic configuration precautions such as changing the default passwords.

3. Protect Cardholder Data

PCI DSS compliance requires several cardholder data protection measures. Stored cardholder data must be encrypted with approved algorithms and properly managed encryption keys. To ensure no data remains unprotected, businesses must regularly scan their systems for stored primary account numbers (PANs) and, when displaying a PAN, show no more than the first six and last four digits.
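As an added example (not code from the original article), the following Python shows the two treatments the text describes for PANs: the display mask that keeps only the first six and last four digits, and a storage form that truncates the PAN and keeps a keyed hash in place of the number (one of the ways the standard allows a stored PAN to be rendered unreadable). It also scans constructed log lines for unmasked PANs, using the Luhn check digit to skip order numbers and other numeric runs that are not card numbers. The log lines, the HMAC key, and the card numbers (standard test numbers) are all constructed for this example.

```python
import hashlib
import hmac
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines. Line 1 carries a non-card order number next to
# a test PAN; line 2 carries a space-separated test PAN; line 3 has no PAN.
SAMPLE_LOG = [
    "2024-01-15 13:22:05 INFO order=1234567890123456 card=4111111111111111 amount=42.00",
    "2024-01-15 13:22:09 WARN retry card=5500 0000 0000 0004 status=declined",
    "2024-01-15 13:22:11 INFO session=9f3a healthcheck ok",
]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test.

    Used to discard numeric runs (order ids, timestamps) that are not PANs.
    """
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits, everything else masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def store_pan(pan: str, key: bytes) -> dict:
    """Storage form: keep only the last four digits plus a keyed hash (HMAC-SHA256).

    The keyed hash lets records for the same card be matched without holding
    the PAN; the key must be kept in a separate, access-controlled key store.
    """
    digest = hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()
    return {"last4": pan[-4:], "pan_hmac": digest}


def scrub_line(line: str):
    """Replace every Luhn-valid PAN in one log line with its masked form.

    Returns (scrubbed_line, number_of_pans_masked). Numeric runs that fail
    the Luhn check are left untouched so real log content is not mangled.
    """
    count = 0

    def repl(match):
        nonlocal count
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw
        count += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(repl, line), count


def scrub_log(lines):
    """Scrub a list of log lines; returns (scrubbed_lines, total_pans_found).

    A non-zero total on logs that should never contain a PAN is the finding
    a periodic scan for unprotected cardholder data is meant to surface.
    """
    scrubbed, total = [], 0
    for line in lines:
        out, n = scrub_line(line)
        scrubbed.append(out)
        total += n
    return scrubbed, total


if __name__ == "__main__":
    cleaned, found = scrub_log(SAMPLE_LOG)
    print(f"PANs found in log: {found}")
    for entry in cleaned:
        print(entry)
    print(store_pan("4111111111111111", b"constructed-demo-key"))
```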

To prevent unauthorized usage, never store cardholder data unless required for business, legal, or regulatory needs. When storage is necessary, organizations should purge the data at least every few months and storage and retention time should be kept to a minimum. Even when encrypted, sensitive data should never be stored beyond what’s necessary to finalize a transaction.

Payment card brands and additional legal requirements may further limit data that merchants can display on point-of-sale (POS) receipts, and this requirement does not supersede those.

4. Encrypt Transmitted Data

Cardholder data such as account numbers should never be transmitted to unknown locations in any form. This data must be encrypted when it is sent across ordinary channels such as to payment processors or online retailers.

This requirement demands strong security and cryptography protocols. It also recommends protocols to protect cardholder data during transmission such as SSH, IPSec, and TLS, and requires the latest industry standards for wireless networks, such as IEEE 802.11i.

When cardholder data is transmitted across public networks, cyber criminals can potentially access it. Encrypting cardholder data prior to transmitting it limits its utility to thieves should they gain access to it.

5. Use and Maintain Anti-virus

PCI DSS certification requires a vulnerability management program—an ongoing, proactive approach to identifying weaknesses within a payment card system. This in turn demands the deployment of anti-virus software not only on core systems but also on any laptops, workstations, and mobile devices that may be used to access the system remotely and/or locally. Anti-virus software should always be active and deployed on all systems, generating auditable logs and using the latest signature definitions.

There is no good argument against installing anti-virus software, even outside the realm of PCI DSS compliance. However, regularly patched and updated anti-virus software is required for any devices that store and/or interact with PAN. Anti-virus measures should also be employed by your POS provider where anti-virus software cannot be installed directly.

6. Develop and Maintain Secure Systems and Applications

Anti-virus software and firewalls demand frequent updates. It is a best practice to update each piece of software, and these updates are required for all software on devices that store and/or interact with cardholder data. Most software updates include patches and other security measures that address recently discovered vulnerabilities, which add another level of protection and limit the potential for exploits.

Independent Software Vendors (ISVs) must ensure merchants are aware of critical patches and can access and execute them easily and in a timely manner. They should also create a process for ranking newly discovered vulnerabilities. Any code an ISV creates must adhere to PCI DSS compliance regulations, and developers must analyze all new and changed code for all known vulnerabilities as well as any previously unknown weakness in the new code.

7. Restrict Data Access

Need to know is central to PCI DSS compliance. An access control system must assess requests based on multiple factors, including the circumstances surrounding the request and the identity of the agent making it.

The PCI DSS standard requires that merchants document the roles that do need access to sensitive data carefully and update those records regularly. The goal is to allow only authorized access—not to focus on criminals as the only users with potentially unauthorized access. Even a user or entity that is typically authorized may request unneeded data in the context of a specific task. If it does, that unauthorized request would be denied.

8. Unique IDs for Access

Those users who do have authorized access to cardholder data should have individual IDs and credentials for access. In other words, there should not be a common username and password for multiple employees. Unique IDs create a quicker response time and less vulnerability if data is compromised. This is because any access of cardholder data can be either traced to a known user or recognized as unauthorized access immediately.

PCI DSS also requires two-factor authentication for remote access. The same factor cannot be used twice, and using two distinct passwords is not recommended; instead, PCI DSS recommends token technologies.

9. Restrict Physical Access

Restrict physical access to all cardholder data, and ensure that the location is secure. Maintain backups at a site other than the primary location. Both digital and physical data should be physically secured and subject to monitored, limited access rules. To remain PCI compliant, log every instance in which sensitive data is accessed.

PCI DSS security controls also involve limiting the physical access that parties such as employees, consultants, contractors, guests, and vendors may have to this sensitive data. Access includes any chance to retrieve data via devices, systems, and hard copies.

This level of protection demands on-site access control that monitors, logs, and restricts movement within an installation. Develop procedures that allow for quick and easy identification of unauthorized parties, and dedicate security personnel to enforcing the rules.

Create procedures to control data distribution after approved access to prevent exposure. Finally, it is essential to destroy all data the business no longer requires.

10. Create and Maintain Access Logs

Basic PCI compliance requires accurately documenting how many times data access is required, and how data flows into your organization. All activity concerning primary account numbers (PANs) and cardholder data requires a log entry. Both physical and wireless networks connect cardholder access points, and vulnerabilities in these networks make data theft easier for criminals. By requiring organizations to test and monitor their networks regularly, PCI DSS aims to prevent these exploits.

In terms of PCI DSS compliance tools, this requires forensic capabilities as well as real-time monitoring and logging. The ability to reconstruct events via automated audit trails is also necessary. Audit trail records must meet high standards of information quality, with time synchronization required. Audit data must be secured and retained for at least one year.

11. Scan and Test for Vulnerabilities

The PCI DSS requirement for regular scans and vulnerability testing can mitigate many other threats, including those arising from human error. Criminals, researchers, and many others regularly introduce vulnerabilities into processes and systems via new code. These frequent environmental changes mean the entire system must be scanned and tested often to maintain security.

Organizations must test for wireless access points that may be unauthorized every few months. External and internal vulnerability scans are also required whenever a significant network change has been made, and at least every few months. Other ongoing requirements include the use of intrusion detection and prevention systems and penetration testing.

Weekly file monitoring and comparisons are necessary to detect changes. Whenever a user has modified a configuration, content, or system file in an unauthorized way, this technique can raise an alert.

12. Document Policies

To achieve PCI compliance certification, it is necessary to document an inventory of employees with access, equipment, and software. Cardholder data access logs also require documentation. In fact, the flow of information into the business, including how it is used after the point of sale, and where it is stored, all must be documented.

This relates to the PCI DSS compliance guideline of implementing, maintaining, publishing, and disseminating an information security policy for all employees and other relevant parties. The policy must be reviewed annually and revised as required. All usage policies and security procedures must be in accordance with the primary information security policy.

There must be at least one agent—and, depending on the scope, perhaps an entire team—who is responsible for these obligations. The tasks associated with these personnel, typically the PCI compliance manager and their team, are screening prospective contractors, employees, and others in the hiring process to avoid internal data breaches and creating information security awareness campaigns.

Use these detailed 12 PCI compliance requirements as a PCI DSS compliance checklist.

How Long Does it Take to Become PCI Compliant?

The actual PCI compliance certification process takes between one day and one week, typically. However, the total time to achieve PCI DSS regulatory compliance depends on many factors, including on how long it takes the business to pass a PCI compliance scan and complete the required self-assessment questionnaire and PCI DSS report on compliance. Most realistic PCI DSS compliance project plans reflect the entire PCI DSS compliance process taking between several weeks and several months.

When Did PCI Compliance Start?

PCI compliance history begins in December 2004, when JCB, American Express, Discover Financial Services, Visa, and Mastercard introduced the PCI-DSS 1.0. The goal was to develop a common set of security standards in response to rising levels of payment fraud. From that time onward, all payment processing organizations and merchants accepting credit cards were required to comply with the new standard.

In 2006 version 1.1 of the PCI DSS was released. This version created the PCI Security Standards Council (PCI SSC), an independent oversight group for the standards. It also called for merchants to establish firewalls for added security and review all online applications.

The PCI SSC introduced version 1.2 in October 2008, which established guidance for implementing antivirus software and protecting wireless networks. In October 2010, PCI DSS 2.0 took effect to streamline the assessment process.

Version PCI DSS 3.0 compliance emphasized three major areas starting in January 2015: more flexible secure authentication methods; increased security awareness and education among all personnel of organizations that accept credit cards; and a renewed focus on security as a shared responsibility given the modern proliferation of multiple third-party touchpoints.

The current version, PCI DSS 3.2.1, dates from May 2018. PCI DSS 3.2.1 introduces new service provider sub-requirements, including new appendices on SSL/TLS migration and multi-factor authentication requirements.

What are the Benefits of PCI DSS Compliance?

There are many benefits of PCI DSS compliance, particularly since PCI non-compliance can result in serious, long-term consequences. Some of the benefits include:

  • PCI compliance leads to repeat customers and customer confidence, because it signals secure systems, empowering consumers to trust your business with their sensitive payment card information.
  • PCI compliance improves your reputation with payment brands and acquirers.
  • PCI compliance is part of an ongoing process that helps prevent payment card data theft and security breaches now and in the future.
  • Achieving PCI compliance better positions your business to comply with additional regulations, such as SOX, HIPAA, and others.
  • PCI compliance can improve IT infrastructure efficiency and augment corporate security strategies.

PCI non-compliance comes with its own consequences, some of which are potentially disastrous. Possible results of PCI non-compliance include:

  • Negative impacts to financial institutions, merchants, and consumers from compromised data.
  • Severe damage to the ability to conduct business effectively and reputation.
  • Account data breaches can lead to loss of community standing, relationships, and sales; stricter or different levels of PCI compliance; and, in the case of public companies, a fall in share price.
  • Canceled accounts, government fines, PCI non-compliance fees, insurance claims, lawsuits, and payment card issuer fines.

What is PCI-Compliant Hosting?

A PCI-compliant cloud hosting or PCI-compliant cloud storage service is designed to help merchants that process credit card transactions conform to PCI standards. Even under a compliance audit, you can depend on PCI-compliant hosting services to meet the PCI standards.

In some cases, merchants are subject to PCI compliance internal audits. Auditors ensure cardholder information is handled safely by assessing all aspects of business IT operations, including processing, transmission, and storage.

PCI-compliant hosting creates a secure cardholder data environment and a safe internet connection between the company’s web server, the consumer’s browser, and into the cloud and everywhere else the cardholder data goes.

An SSL certificate alone is not enough to achieve cloud PCI compliance. High assurance OV SSL certificates provide the initial level of customer reassurance, but SSL certificates do not secure a web server from malicious intrusions or attacks. Each requirement for a secure PCI DSS environment will also apply in a cloud PCI compliance setting.

Ecommerce Platforms and PCI Compliance

It is possible to run either commercial software or open source software on your on-premise hardware, or to use hosted software delivered as a service (SaaS). Each approach strikes a different balance between your ecommerce PCI risks, benefits, and costs.

Commercial software requires the business to pay for licensing, annual support, and the cost of hardware and maintenance. Depending on the type of ecommerce software, it might require work to be PCI compliant, or it might be PCI compliant out of the box. This solution works best for enterprises that buy and maintain on-premise hardware anyway, take the same position on software licensing and support, and maintain their own in-house IT personnel. The drawbacks include the unknown burden of handling some of your own PCI compliance and the high costs of software, hardware, and support.

Open source software run in-house eliminates the software license fee but retains the cost of hardware. It also adds the task of assembling, compiling, installing, and tweaking custom software without vendor support. This option works best for companies with strong in-house expertise in open source code that can carefully document every step of the process in detail, and that either buy and maintain on-premise hardware or are comfortable using a public cloud. The downside is that responsibility for PCI website compliance rests solely on the shoulders of the business.

Hosted Software-as-a-Service (SaaS) runs in a secure data center on hardware maintained by your service provider, and is accessed online. This option removes the need for on-premise ecommerce hardware and software, and enables PCI compliance with less time invested, usually for a monthly fee.

The SaaS option is ideal for businesses that cannot devote dedicated staff or extensive time to customizing code and cannot afford to maintain extensive hardware and software. It also lets you rely on a hosted ecommerce service rather than developing PCI DSS policies and writing PCI compliance reports in-house. A Level 2-4 merchant using the SaaS option must still complete an SAQ, and a Level 1 merchant must still complete an ROC, but at any PCI DSS compliance level the documentation and reporting work for the SaaS ecommerce option is less costly and less risky than for the other two options.

What Happens if you Fail PCI Compliance?

Credit card brands may levy fines of $5,000 to $100,000 per month against the acquiring banks of businesses that violate the standard. In response to breaches and violations, these banks often pass this cost along to the merchant and can increase transaction fees or terminate contracts.

Aside from financial liability, there are other possible costs to the PCI non-compliant business. Failure to comply with PCI DSS, and the data breaches that can occur as a result, may cause:

  • Need to reissue new payment cards
  • Reduced sales
  • Losses from fraud
  • Fines and penalties
  • Going out of business
  • Higher costs of compliance in the future
  • Inability to accept payment cards
  • Legal costs, judgments, and settlements
  • Lost customer confidence
  • Lost jobs

How Much Does it Cost to Become PCI Compliant?

The fees to achieve and maintain PCI compliance range from approximately $1,000 to more than $50,000 annually, depending on the business size and the required compliance level.

There are four PCI DSS levels, and PCI compliance fees range by level:

PCI Level 1 Compliance: $50,000 or more annually

PCI Level 1 compliance costs include the fees of a Qualified Security Assessor (QSA) to prepare an annual Report on Compliance (ROC) and an Attestation of Compliance (AOC), plus a network scan. The scan must be completed by an Approved Scanning Vendor (ASV).

PCI Level 2 Compliance: $10,000 a year and up

PCI DSS costs at this level include regular ASV scans, whose price increases with the number of IP addresses and the size of your network, in addition to the cost of completing the annual SAQ and AOC.

PCI Level 3 Compliance: $1,200 a year and up

Costs follow the same structure as Level 2, but are lower.

PCI Level 4 Compliance: $60 to $75 per month and up

Costs include a regular website or network scan from an ASV, and the cost of completing the SAQ and AOC.

What is a PCI DSS Non-Compliance Charge?

You could be at risk for brand damage, card replacement costs, data breaches, costly forensic audits, and fines if your business does not comply with PCI DSS. At a minimum, non-compliance typically incurs fees.

At their discretion, payment brands may levy monthly fines of $5,000 to $100,000 for PCI compliance violations against an acquiring bank. The banks typically pass these fines on to the merchant, and may also increase transaction fees or terminate the relationship. Although such penalties are not widely publicized, they can be catastrophic to a small business, so be familiar with your merchant account agreement, which details the company’s exposure.

What are the Levels of PCI Compliance?

As discussed above, there are four PCI compliance levels. Each level has unique compliance requirements, and the level a business falls under is based on total annual credit or debit card transaction volume.

In terms of PCI DSS requirements, Level 1 is the strictest, while Level 4 is the least stringent. Although almost all small- and medium-sized businesses (SMBs) are Level 3 or Level 4 merchants, they must maintain compliance with the same diligence as larger enterprises.

Level 1 merchants process over 6 million card transactions per year. Level 2 merchants process 1 to 6 million transactions per year. Level 3 merchants process 20,000 to 1 million transactions per year. And Level 4 merchants process fewer than 20,000 transactions per year.

Do I need SOC 2 compliance in addition to PCI?

Any technology-based service organization that stores client information in the cloud must follow SOC 2 requirements. That includes businesses that use the cloud to store client information while providing SaaS and other cloud services. See our complete guide to SOC 2 compliance for more information.

Does Shujinko Offer a PCI Compliance Software Solution?

Shujinko’s AuditX product automates and simplifies PCI DSS audit preparation, evidence collection, and readiness. Customers can achieve compliance 3x faster, saving thousands of person-hours and dollars, and freeing up scarce engineering resources to focus on critical business priorities.

AuditX is designed to be a complement to any PCI compliance software and other PCI compliance solutions enterprises are already using.

AuditX enables a cloud-first enterprise to automate, simplify, and modernize audit preparation for PCI compliance, and to master upcoming audit deadlines across multiple standards and cloud compliance initiatives. This automated solution lets enterprises leave behind unclear evidence requests, chains of back-and-forth emails, and shared spreadsheets. Learn more at https://www.shujinko.io.

Automate Audit Preparation

Get ahead of your upcoming audit deadlines and compliance initiatives. Ditch the shared spreadsheets, back-and-forth email, and unclear evidence requests. Start working with Shujinko’s AuditX tool to simplify, automate, and modernize audit preparation for your cloud-first enterprise.