PCI DSS compliance requires companies that process, store, or transmit payment card data to implement a defined set of security controls to prevent fraud and reduce the exposure of cardholder data. The current version of the Payment Card Industry Data Security Standard (PCI DSS), v3.2.1, is scheduled to be retired on 31 March 2024, after which PCI DSS v4.0 (published in March 2022) becomes the only active version.
This article provides an overview of PCI DSS compliance and why it’s important for merchants and other companies that handle cardholder data.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to protect sensitive payment card holder information. PCI DSS was established in 2004 by five payment card brands: Visa, Mastercard, Discover Financial Services, JCB International, and American Express.
In 2006, those same payment card brands established the PCI Security Standards Council (PCI SSC), a governing body that develops and maintains the PCI DSS and runs the programs that qualify assessors. The Council does not itself enforce compliance; that remains with the individual card brands and the acquiring banks.
PCI DSS defines 12 requirements to protect the confidentiality and security of cardholder data. Any company that handles payment card data must adhere to all 12 to be compliant.
There are various PCI DSS compliance solutions that can help organizations comply with different aspects of the requirements.
How compliance is validated depends on the merchant level. The largest merchants must undergo an annual on-site assessment, typically performed by a Qualified Security Assessor (QSA), resulting in a Report on Compliance (ROC); smaller merchants complete an annual Self-Assessment Questionnaire (SAQ). Merchants with internet-facing systems must also pass quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). Many organizations additionally perform internal assessments between formal validations to identify and address gaps proactively.
PCI DSS applies to every organization that stores, processes, or transmits cardholder data, regardless of size. In the age of ecommerce, most companies accept card payments in some form and therefore fall within its scope.
Companies that fail to meet the 12 requirements are non-compliant, which can result in fines, other contractual penalties, and damaging publicity, particularly if the non-compliance is followed by a data breach.
Implementing the safeguards required by PCI DSS and providing ongoing compliance training so that employees follow best practices can be expensive. PCI DSS violations are often accidental, the result of oversights by inexperienced staff at the merchant or one of its vendors. In some cases, companies intentionally cut corners on PCI DSS in an attempt to save money or streamline operations.
PCI DSS violations can be costly. Commonly cited fines range from $5,000 to $100,000 per month, depending on the size of the company and the scope and duration of the violation.
In addition to fines, companies that experience a data breach resulting from PCI DSS non-compliance may incur costs associated with:
Negative public relations can be even more damaging to a violator than financial penalties.
The individual card brands, not the PCI SSC, enforce compliance with PCI DSS. Fines are levied on the acquiring bank, which typically passes them on to the merchant under the terms of the merchant agreement the merchant signed with its acquirer or payment processor.
The size of a penalty is determined by multiple factors, principally the size of the violating entity and the volume of cardholder transactions it processes.
Most payment card brands define four merchant levels, but the number of levels and the transaction thresholds for each vary from brand to brand. Compliance validation requirements become more stringent for merchants that process higher volumes of transactions.
Visa, for example, defines four levels based primarily on the number of Visa transactions an entity processes over a 12-month period. The level also depends on the channel, since ecommerce transactions are counted separately from card-present transactions.
A merchant's level also determines which validation method (an on-site QSA assessment or a self-assessment questionnaire) is required to demonstrate compliance.
Failing to uphold any of the 12 PCI DSS requirements is a violation and can lead to penalties. The most common PCI DSS violations include:
PCI DSS restricts how cardholder data may be accessed and used by an organization's employees. The Reveal Platform by Next is a cloud-native data loss prevention (DLP) solution that can help enforce those restrictions throughout the workforce.
Incorporating PCI DSS requirements into a company's data handling policy allows Reveal to enforce them automatically. Reveal's endpoint agents use machine learning to identify and categorize data at the point of risk, block unauthorized use of cardholder data, and present employees with in-the-moment training so they do not repeat the same mistakes.
PCI DSS compliance is everyone’s responsibility. Reveal increases your employees’ security IQ and helps them understand how they can use protected cardholder data, creating a security-positive culture while minimizing insider risk and maintaining compliance.
Talk to the DLP experts at Next to learn how Reveal can help you comply with PCI DSS, and book a demo to see this valuable DLP tool in action.
What is PCI DSS in simple terms?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to improve the security of transactions involving credit, debit, or prepaid cards. It protects cardholders against the breach or theft of their payment card data and the misuse of their personal information.
Who must be PCI compliant?
Any business that handles cardholder data in any way must be PCI compliant, including businesses that:
What are the 12 requirements for PCI DSS?
The 12 requirements for PCI DSS include:
What are the 4 PCI DSS compliance levels?
Each card brand defines merchant levels that determine how a merchant must validate compliance. While the specific classification varies among brands, most define four merchant levels; the number of levels and the transaction thresholds for each differ from brand to brand.
As an example, Visa’s merchant level classification is: