Consumer centrism in business has driven the development of new and more efficient payment functions. Customers enjoy many perks and easy handling of funds thanks to advances in fintech, most of them built on cashless and, more recently, contactless payments. Although consumers see these as a blessing, they bring complications of their own. The most significant difficulty is the security of cardholder data. To secure this data, the card associations have defined standards that merchants must meet; meeting them is known as PCI compliance. Here are the most common questions that arise concerning PCI compliance:
What is PCI Compliance?
When a cardholder swipes or dips their card, the card’s information is electronically transferred to the merchant’s POS terminal. This information remains with the merchant, who has to keep it safe. To provide essential security for cardholder data, the payment card industry defined the Payment Card Industry Data Security Standard (PCI DSS). This standard defines how cardholder data is stored, processed, and accepted. The Security Standards Council in charge of defining the requirements was formed on 7 September 2006. Improving the security of transactions involving card information is the council’s top priority, and the requirements have been updated accordingly. The SSC that governs PCI policies was formed by the major card associations, such as Visa, Mastercard, Discover, etc.
Who does PCI DSS apply to?
Businesses that store, process, or transmit cardholder information need to be PCI compliant.
What are the Penalties of Non-compliance?
The penalties that the involved parties may face for non-compliance are entirely at the credit card associations’ discretion. Card associations can charge from $5,000 to $100,000 to the acquiring bank, in other words the merchant account provider. The fine is usually passed on to the merchant. Following the fine, the MSP may also increase your transaction costs or terminate your contract altogether. For a small business, a fine for non-compliance can be disastrous. Therefore, you need to know how exposed you are to PCI penalties under your MSP contract. Most MSPs help merchants maintain PCI compliance, and it’s best to sign up with such a provider.
What are the Levels of PCI Compliance?
Based on the volume of Visa transactions a merchant processes in 12 months, four PCI compliance levels are defined. The transaction volume counts all credit, debit, and prepaid transactions the merchant does through its DBA. Suppose a merchant has more than one DBA. In that case, the Visa acquirers must aggregate the transaction volume of the whole entity to determine the level of PCI compliance needed. If the data is not aggregated at the entity level, the card associations assign each individual DBA a PCI compliance level based on its own transaction volume. Visa also has the authority to elevate the level of any merchant it feels needs to maintain a higher safety protocol. The defined merchant levels are:
- Level 1: Merchants that process more than $6 million every year, through any processing channel, fall into this category. In addition, any merchant declared by Visa to meet these standards must maintain level 1 of PCI compliance.
- Level 2: Merchants falling in the transaction volume range of $1 million to $6 million per year, irrespective of transaction channel, need to meet this requirement level.
- Level 3: Merchants with a yearly e-commerce transaction volume from $20,000 to $1 million need to maintain level 3 of PCI compliance.
- Level 4: All merchants that process less than $20,000 in e-commerce transactions and under $1 million through any channel in a year must maintain this level of PCI compliance.
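As an added illustration (not from the original article), the following Python sketch applies the page's stated thresholds to show why the acquirer must aggregate volume across all of an entity's DBAs before assigning a level; the DBA names and volumes are constructed sample data, and the functions are hypothetical.

```python
from dataclasses import dataclass

# Thresholds as stated on this page (annual volume in dollars).
LEVEL_1_MIN = 6_000_000
LEVEL_2_MIN = 1_000_000
LEVEL_3_ECOM_MIN = 20_000


@dataclass
class DbaVolume:
    """Annual card volume reported under one DBA (constructed sample data)."""
    name: str
    ecommerce: float       # volume through e-commerce channels
    other_channels: float  # volume through all other channels


def classify(total: float, ecommerce: float, elevated_by_visa: bool = False) -> int:
    """Map annual volumes to a PCI compliance level using the page's thresholds.
    Visa may elevate any merchant to Level 1 regardless of volume."""
    if elevated_by_visa or total > LEVEL_1_MIN:
        return 1
    if total >= LEVEL_2_MIN:
        return 2
    if ecommerce >= LEVEL_3_ECOM_MIN:
        return 3
    return 4


def entity_level(dbas, elevated_by_visa: bool = False) -> int:
    """Aggregate every DBA of one entity before classifying, as the acquirer must."""
    total = sum(d.ecommerce + d.other_channels for d in dbas)
    ecom = sum(d.ecommerce for d in dbas)
    return classify(total, ecom, elevated_by_visa)


def per_dba_levels(dbas) -> dict:
    """Fallback when volume is not aggregated at entity level: each DBA on its own."""
    return {d.name: classify(d.ecommerce + d.other_channels, d.ecommerce) for d in dbas}


# Constructed sample: two storefronts under one legal entity.
SAMPLE = [
    DbaVolume("Shop A", ecommerce=15_000, other_channels=600_000),
    DbaVolume("Shop B", ecommerce=10_000, other_channels=500_000),
]

if __name__ == "__main__":
    print("entity level:", entity_level(SAMPLE))      # 2: combined volume crosses $1M
    print("per-DBA levels:", per_dba_levels(SAMPLE))  # {'Shop A': 4, 'Shop B': 4}
```

Separately each storefront would land at Level 4, but the entity as a whole owes Level 2 obligations, which is the under-reporting the aggregation rule is meant to prevent.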
What is a Payment Gateway?
Payment gateways act as connectors between the merchant and the acquiring bank. They take input from multiple applications and pass it to the associated banks, communicating with them over the internet, a dial-up connection, or private leased lines.
What are the requirements of PCI Compliance?
A few basic steps are necessary for PCI compliance. Depending on the type of business a merchant runs, there may be additional defined steps. The four basic requirements for any business maintaining PCI compliance are:
- Determine the type of PCI validation (or level).
- Based on the Self-Assessment Questionnaire, meet all the requirements, such as penetration tests, employee training, and external vulnerability scans.
- Businesses should maintain annual attestation of compliance.
- Complete quarterly scans through an Approved Scanning Vendor and report the results.
Does the Law Mandate PCI Compliance?
Other than in a few states, such as Nevada, Washington, and Minnesota, the government does not regulate PCI compliance. But once a merchant decides to process payments through credit cards or other methods involving cardholder data, the merchant agrees to follow the card brands’ rules. Brands such as Visa, Mastercard, Discover, American Express, and JCB mandate PCI compliance for transaction safety.
What is a Vulnerability Scan?
A payment system needs to be secure against hacking and data leak threats. An automated tool scans the payment provider’s system for possible vulnerabilities. The scan is non-intrusive and covers the web applications and networks involved in the payment system. It runs remotely, so the merchant does not need to install anything on their system. It exposes weak spots that attackers might use to obtain customers’ information or leak data. Only specifically approved scanning vendors are accepted for PCI compliance scans.
What are the Risks of Non-compliance?
As previously stated, in most states PCI compliance is not mandated by law. But failing to comply with PCI can lead to many liabilities, such as fines, card replacement costs, audits, and damage to brand reputation in case of a breach. A small lapse can trigger a series of costly and unpleasant consequences. Furthermore, your payment processor may charge you more because of the lack of compliance.