The PCI Security Standards compliance rules have been around since 2006. Despite more than a decade and a half of payment security protection, there is still confusion and misinformation around the Payment Card Industry Data Security Standard (PCI DSS), especially on the topic of what businesses that deal with cardholder data are required to do.
There are both technical and operational requirements to meet, and it can be a lot to do all at once. But failure to comply may not only damage your company’s ability to accept card payments and lead to fines, it also may lead to a loss in customer confidence and brand reputation if you are breached.
Whether you’re a start-up striving towards complete compliance or a seasoned corporation staying up-to-date on all things PCI DSS, here are five key things you should know about this security standard:
1. It’s not optional
You (and your business) committed to compliance when you signed the contract.
The moment you signed the dotted line of the contract with your bank for a payment gateway, your company made a commitment to uphold specific practices for handling cardholder data. These rules entail actionable security measures to protect your systems, internal networks, stored cardholder data, payment card applications, and more — standards that you are now contractually required to maintain.
Keep in mind that how you meet compliance protocol cascades through the ecosystem of merchants and service providers. The payment card brands you agreed to accept establish a contractual relationship with their members who in turn obligate the banks, merchants, service providers and so on through a chain of contracts all demanding PCI DSS compliance and validation.
Each payment brand maintains and enforces its own data security compliance program, setting its own penalties for non-compliance. But they all impose the same PCI DSS standard.
So what’s the worst that could happen should your business break compliance?
Your merchants and service providers can refuse to process your company’s credit card payments, they can fine you, and if you have a breach, they can require that you go above and beyond basic PCI DSS compliance going forward. Because payment cards are many businesses’ highest-volume method for accepting payments, compliance is not optional.
2. Compliance is a status, not an event
Compliance is not a once-and-done task. You must maintain compliance continuously and validate that compliance every year.
Annual PCI DSS validation certifies that your compliance has been verified and declared to your acquirer (often your bank or payment gateway).
While you only need to formally validate your compliance once a year, that doesn’t give you a pass to comply for only a set span and then regress for the rest of the year. Validation looks back at your compliance throughout the whole of the prior year.
Your business must uphold compliance all year long — no exceptions. Here is a detailed breakdown of each PCI DSS requirement for reference.
3. You cannot avoid implementing one of the PCI DSS controls by arguing the risk is small for you
We told you above that there are no exceptions to remaining compliant, and we weren’t lying. Your business must comply with every one of the PCI DSS controls that applies to you — or implement compensating controls that achieve the same intent — in order to store, process, or transmit cardholder data.
You may think that your business deserves exemption from certain requirements because your risk is relatively small, but the standard does not permit arguments about company size or risk when it comes to compliance.
It’s a tough stance, but it’s there for a reason. Simply said, you must meet PCI DSS standards, and there’s no room for debate.
4. It’s not a law — except where it is
“Unlike federal laws, the PCI DSS are not regulations or statutes enforced directly by the government, although some states have incorporated the PCI DSS into plastic card protection state laws,” according to the PCI Council. “Nor does the Council enforce the PCI DSS directly.”
So how exactly is PCI DSS enforced then if not by our government or this specially-appointed council?
As we mentioned in our first point above, individual payment systems establish contractual obligations to comply through PCI contract chains or enter into agreements with payment card processing service providers (should they not choose to take on the burden of storing, processing or transmitting cardholder data themselves).
While most states do not legally enforce PCI DSS compliance, the contract commits your business to PCI DSS standards, and there are consequences for violating the contract. So while you may not run afoul of the law by violating your contract, your business could lose the contractual relationship that lets it accept card payments.
However, in a few outlier states, PCI DSS standards are incorporated into law. Presently, Nevada, Minnesota, and Washington all have legislation that mentions this security compliance standard, and other states may be following suit.
Minnesota was the first state to enact a law, which prohibits retaining payment card data more than 48 hours after the transaction has been authorized.
Nevada followed shortly after in 2009, requiring merchants to be compliant with current PCI DSS requirements with the added benefit of reduced liability for following such rigorous protocols.
Most recently, Washington incorporated PCI DSS standards into state law in 2010. This law does not require merchants to become PCI DSS compliant, but it shields businesses from liability when they are compliant.
5. The standard (slowly) evolves and changes over time
The PCI DSS standard is dynamic, but it changes at a reasonable pace. While the standard does evolve over time, changes usually arrive over a long period with few dramatic shifts. There is rarely, if ever, a time that business owners need to panic because the PCI DSS standards have been updated.
Still, some businesses make the mistake of pushing off compliance because so much time elapses between changes. This is a problem on its own, and it can become a bigger issue if a business misses multiple changes over the course of several years.
Hire a Qualified Security Assessor
While you could complete a self-assessment questionnaire (SAQ) and an attestation of compliance (AOC) yourself, you likely don’t have a deep PCI specialist on staff who’s equipped to carry out these requirements with confidence.
Instead, turn to a trusted qualified security assessor (QSA) — one who can either guide you through or complete the process for you.
Here at Truvantis, our IT security experts are here to make it easy. Learn more about our approach to PCI DSS compliance and contact us to get started today.