If your business accepts credit card transactions, then you should be familiar with the Payment Card Industry Data Security Standard (PCI DSS). The rules (usually abbreviated as PCI) are a set of guidelines that seek to govern how businesses safeguard sensitive credit card information, with the goal of minimizing data breaches and fraud. Many merchants know PCI only as a mysterious surcharge from their credit card processor. But PCI compliance can become a serious and costly issue, especially if your bank unexpectedly demands that you prove compliance.
Here, we’ve created a straightforward guide that cuts through both legalese and technical jargon in order to explain what PCI is and how to determine your compliance obligations.
PCI Definition and Key Concepts
Underneath the acronyms, PCI is actually very simple: a set of rules established by credit card companies to ensure that merchants are keeping their sensitive data secure.
PCI was established in 2006 by Visa, Mastercard, Discover, American Express, and JCB, and it’s been updated periodically since then. The specific standards are written by a council created by the payment companies: the Payment Card Industry Security Standards Council (PCI SSC). However, the rules aren’t enforced by the council but by the card companies and acquiring banks.
Compliance and noncompliance fees
It’s important to emphasize that PCI is not a law. However, given the clout of the five major card brands, as well as the credit card processors and acquiring banks, PCI is functionally mandatory. Credit card companies can issue fines for acquiring banks for noncompliance. Banks, in turn, will charge merchants a PCI non-compliance fee and can even stop working with a business altogether.
Conversely, most credit card processors/merchant service providers also charge a monthly or annual PCI compliance fee. Many providers that charge this fee include services to make sure your business is PCI-compliant. However, some just tack on the surcharge without giving you anything in return.
All PCI rules relate back to a central goal: to encourage merchants to store as little credit card information as possible, so they are less vulnerable to data breaches and fraud. Meanwhile, PCI also helps craft guidelines for the service providers that handle cardholder data, minimize their exposure.
PCI helps to minimize risk by imposing lighter standards on merchants who do a few key things:
- Outsource credit card processing and data storage to trusted service providers.
- Regularly audit and update their security measures, such as encryption, password changes, etc.
- Keep internal systems as simple as possible. In the case of brick-and-mortar merchants, for instance, they point to Wi-Fi, in-store cameras, and physical terminals as threat vectors that hackers can use to steal data.
PCI key terms
PCI DSS defines a merchant as “any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC.” So while the term “merchant” can evoke a traditional idea of retailers, the term here is much broader. It’s also important to note that debit cards, if they bear the logo of the major brands, also fall under the rules.
Meanwhile, PCI defines a service provider as an entity that is “directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data.” So if a merchant uses Stripe or PayPal to handle e-commerce payments, those are service providers, but the category can also include your website hosting provider, your identity and access management (IAM) platform, and any other service that touches this data. Unsurprisingly, service providers can also be merchants since they too accept cardholder data as payment.
So what kind of data are we talking about? Cardholder data under PCI includes the card number, which PCI calls the “primary account number (PAN).” It can also mean the PAN, as well as the cardholder’s name, the card’s expiration date, or the security code.
Does PCI DSS Apply to My Business?
The short answer is yes! If your business accepts card payments—whether in person, online or over the phone—PCI applies to you. However, your obligations under PCI vary dramatically depending on what type of business you have and how you handle payments.
The best way to determine your business’s obligations is to take the self-assessment on PCI’s website. But there are multiple self-assessment questionnaires, so you need to determine which one best applies to your business. You can do that using this PCI-provided table. Figure out which designation describes how you process credit card payments, and then take the appropriate questionnaire.
You might notice that the vast majority of the merchant types above describe businesses that don’t store credit card information themselves. That’s in keeping with PCI’s overall preference for merchants outsourcing this storage to third-party professionals. Merchants who do choose to store credit card data themselves—for example, for the purpose of processing recurring payments—have among the highest compliance standards. Those merchants may be obligated to hire a qualified security assessor (QSA) to conduct an onsite audit to ensure a merchant meets their PCI DSS requirements.
Your PCI obligation also varies by level, based chiefly on your card transaction volume. Every business is assigned a PCI compliance level from 1-4, with level 1 having the highest standards. Unfortunately, these levels aren’t exactly straightforward, and, technically, each cardholder brand has its own set of levels. However, the Visa and Mastercard levels are generally considered standard, so they’re the ones we include here:
- PCI compliance level 4: For e-commerce: fewer than 20,000 annual Visa/Mastercard transactions. For all merchants: fewer than 1 million annual Visa/Mastercard transactions.
- PCI compliance level 3: This level applies only to merchants that process 20,000 to 1 million annual e-commerce transactions per year.
- PCI compliance level 2: All merchants who annually process between 1 million to 6 million Visa/Mastercard transactions, regardless of channel.
- PCI compliance level 1: Any merchant annually processing more than 6,000,000 Visa/Mastercard transactions via any channel. In addition, any merchant that has experienced a security breach that exposed cardholder information is automatically moved to level 1.
PCI DSS Compliance Guidelines
Regardless of your merchant level or how you accept payments, there are some basic housekeeping steps you should take to keep up on your PCI compliance:
- Conduct a quarterly vulnerability scan of your systems using a PCI-approved party. This scan is an automated process that probes your systems to identity potential entryways for attackers. If you’re currently paying a PCI compliance fee to your merchant service provider, this is one of the services they should offer you.
- Conduct an audit of your current credit card processes. This doesn’t just mean the processing itself, but every touchpoint for that data, including both digital and physical access. If you’re not sure where to start, take a look at PCI’s documentation, which points out some common data security pitfalls. For example, if you’re a brick-and-mortar retailer, make sure you don’t have internet-connected security cameras pointed at your point-of-sale system. If you’re an e-commerce merchant and you process payments yourself, make sure internal access to payment pages is rigorously controlled. The basic rule of thumb in a self-audit is that if there isn’t a strong business need for keeping cardholder data in-house, don’t do it. Such data makes you vulnerable to attackers, increases the likelihood that you’ll be found PCI-noncompliant, and puts you at risk of non-compliance with global data privacy laws.
- Keep your security up to date. At a minimum, that means regularly updating system passwords, installing patches to all software (especially antivirus software), and updates on your payment terminals. These are simple fixes that can prevent a lot of attacks.
- Use responsible vendors and service providers for payments. PCI SSC provides this list of questions to ask vendors to ensure you’re working with partners who are themselves in compliance and who can support you in maintaining compliance.
- Control internal access to data. As the PCI SSC’s guide for small merchants states, “Access control is all important.” Implement strong access-control measures to ensure that employees can only access the amount of cardholder data they need to do their jobs.
You need an IAM system that issues a unique ID to anyone who can access this information, so you can trace any breach to the source. If you have one “admin” login for an entire store, and every employee can use it, you’re in serious need of an IAM update.
Like your payment platform and firewall provider, your IAM partner needs to be PCI compliant. For example, in 2019, Auth0 became among the first identity providers to achieve Level 1 compliance.
Getting PCI-Compliant Is a Smart Business
Many small-business owners simply aren’t accustomed to thinking about their information security policy. Unfortunately, no merchant is too big or too small for hackers, and credit card data is some of the most valuable and sensitive information in existence. So while no one really wants to think about PCI DSS compliance, it might be just the nudge you need to update your information security policy and implement tighter security controls.
For more information on how an IAM partner can be a part of your data protection strategy, please reach out to the professionals at Auth0.
Auth0 provides a platform to authenticate, authorize, and secure access for applications, devices, and users. Security and application teams rely on Auth0's simplicity, extensibility, and expertise to make identity work for everyone. Safeguarding billions of login transactions each month, Auth0 secures identities so innovators can innovate, and empowers global enterprises to deliver trusted, superior digital experiences to their customers around the world.