The breach or theft of cardholder data affects all parties involved. Customers immediately lose trust in merchants or financial institutions, and their personal credit can be negatively affected. Merchants and financial institutions lose credibility and, in turn, customers – and they may also be subject to numerous financial liabilities. In order to protect merchants and their customers, a higher order of security is essential. Enter: PCI DSS Compliance.
1. What is PCI DSS Compliance?
Because of the enormity of the cybercrime threat, the major credit card schemes (Visa, MasterCard, American Express, Discover and JCB) jointly established the Payment Card Industry Security Standards Council (PCI SSC) in 2006 as an independent global body with the goal of improving payment security. They developed the Payment Card Industry Data Security Standard (PCI DSS), which is the list of requirements that merchants must uphold in order to accept payments. It was designed so all merchants that process, store or transfer credit card information do so in a secure way.
You can view a copy of the most recent version of the PCI DSS, here.
Just to clarify, it is the responsibility of the payment brands, the payment service providers and acquiring banks to enforce PCI DSS compliance – not the PCI SSC.
The security benefits associated with maintaining PCI DSS compliance are vital to the long-term success of all merchants who accept online payments.
2. What are the PCI compliance levels?
Everyone who accepts credit cards, or even mobile payments, must be compliant with PCI DSS. The process of validating a company’s compliance varies widely, depending on the type and size of business.
Merchants fall into one of four levels, as we briefly discussed in this blog post, and can determine which level they fall under based on the following:
Level 1
- More than 6,000,000 Visa or MasterCard transactions per year
- More than 2,500,000 American Express transactions per year
- Any MasterCard merchant who had account data compromised in the previous year
- Any entity that handles credit card data and/or provides card processing services on behalf of other merchants
Level 2
- 1,000,000 to 6,000,000 Visa or MasterCard transactions per year
- 50,000 to 2,500,000 American Express transactions per year
Level 3
- 20,000 to 1,000,000 Visa or MasterCard transactions per year
- 50,000 American Express transactions per year
Level 4
- Fewer than 20,000 Visa or MasterCard transactions per year (Note: American Express does not use level 4.)
If you’re Level 1 or 2, then you need to hire an auditor to verify your PCI DSS compliance.
At Level 3 or 4, you don’t need an auditor, but you must answer one of five Self-Assessment Questionnaires (SAQs) instituted from May 2015 to help you figure out if you’re PCI DSS compliant. See here for more details.
3. What are the penalties for failing to comply?
Any merchant that receives even one credit card payment per year must be PCI DSS compliant. If a business does not meet the PCI DSS requirements and its site is compromised, it will face penalties and fines ranging from $5,000 to $500,000. This, however, is just the beginning of the overall damage caused by noncompliance.
While penalties are not openly discussed nor widely publicized, they can be catastrophic to a small business.
Merchants run the risk of losing their merchant account, which means they won’t be able to accept credit card payments at all. Merchants will also be placed in the Visa/MasterCard “Terminated Merchant File” (TMF), making them ineligible to obtain another merchant account, at least for several years. The TMF is essentially a blacklist from which it is almost impossible to be removed.
When a merchant is added to the TMF, their name, business name, business address, and home address are all noted. This means merchants can’t just apply for a new account under the name of another family member or business partner because it will be seen as the same business and location.
Getting tagged like this is just about the worst thing that can happen to any merchant.
4. What if my payment processor is PCI certified?
Outsourcing payment processing does not automatically make a merchant compliant, unless the merchant uses the hosted payment page of the payment processor and does not come into any contact with credit card information, whatsoever. Businesses must protect cardholder data when received, as well as process chargebacks and refunds.
3G Direct Pay Group has recently become the very first Pan-African payment service provider to become PCI DSS Level 1 certified, servicing East and Southern African countries including Tanzania, Zanzibar, Rwanda, Uganda, Zambia, and Kenya. As I commented in a recent press release regarding this news, “Every merchant should verify that their payment service provider and their payment gateway are PCI DSS compliant - and if not, they should ask when they plan to become so. It is a very demanding process that takes at least 18 months to complete.”
Merchants must ensure that providers’ applications and card payment terminals comply with respective PCI DSS requirements, and should request a certificate of compliance annually from providers.
Complying with the PCI DSS can be daunting and challenging, but ultimately it is crucial for the security of your customers and, thus, the success of your business. So, don’t be afraid of it – embrace it with open arms, just like you do with other aspects of your business. Now that you have the answers to these most common questions, you are prepared to take the next steps towards PCI DSS compliance for your company.