The payments sector is constantly evolving, and while companies must adjust to the latest developments to stay competitive, it is imperative that any company accepting credit cards and debit cards protect sensitive cardholder data.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements intended to ensure that all companies process and store credit card information in a secure environment. PCI non-compliance can lead to fines ranging from $5,000 to $10,000 per month, and the cost rises further if the company is also penalized with increased transaction fees.
Why such hefty penalties and fees? Adhering to the PCI DSS is critical to both businesses and consumers as the number of fraud reports continues to grow. In 2021, consumers lost $321 million due to credit and debit card fraud. Establishing PCI compliance is not only good for your customers’ data but can also protect businesses from losing millions of dollars in income from security breaches. With the global average cost of a data breach reaching $4.24 million in 2021, it is paramount that organizations are compliant.
In this guide, we’ll walk you through, and demystify, the process of PCI compliance.
What Is PCI Compliance?
In the early stages of credit card usage, each major card brand (Visa, Mastercard, Discover and American Express) developed its own systems for protection against fraud. These card brands later united to create a single, industry-wide standard for fraud protection, which we now know as PCI DSS, managed by the PCI Security Standards Council (PCI SSC).
There are four levels of PCI compliance
Determined by the number of transactions processed annually, a business will be assigned to one of the following levels:
Level 1
Upwards of 6 million annual transactions or a business that has experienced a data breach.
Level 2
Between 1 and 6 million annual transactions.
Level 3
Between 20,000 and 1 million annual internet transactions.
Level 4
Less than 20,000 annual internet transactions or less than 1 million annual physical card transactions.
If your business falls in the Level 1 category, you’ll be required to have an annual internal audit and quarterly PCI scans conducted by an approved third-party vendor. Businesses categorized as Levels 2 through 4 must complete a yearly self-assessment using a designated questionnaire, and they may also be required to undergo a quarterly PCI scan.
Your business, regardless of size, can establish PCI compliance by meeting and maintaining 12 basic requirements — here’s how.
How to Achieve PCI Compliance (Version 3.2.1)
Step 1: Build, Maintain, and Monitor a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Avoid using vendor-supplied defaults for system passwords and other security parameters.
Step 2: Protect Cardholder Data
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across public networks.
Step 3: Maintain a Vulnerability Management Program
Requirement 5: Protect all systems against malware and regularly update anti-virus software.
Requirement 6: Develop and maintain secure systems and applications.
Step 4: Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data.
Requirement 8: Identify and authenticate access to system components.
Requirement 9: Restrict physical access to cardholder data.
Step 5: Regularly Monitor and Test Network
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.
Step 6: Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for all personnel.
Not All Encryption Solutions Are Created Equal
As PCI DSS Requirement 4 states, companies must encrypt all cardholder data transmissions across public networks. There are many payment encryption products on the market, but only those solutions validated by the PCI SSC have met rigorous standards for encryption, decryption, key management and chain of custody.
While these requirements may seem overwhelming, merchants can implement a PCI-validated Point-to-Point Encryption (P2PE) solution. Because cardholder data is encrypted in the payment device before it ever reaches the merchant’s own systems, fewer of those systems handle clear cardholder data, which makes the entire process of certifying PCI compliance much more manageable.
Bluefin became the first PCI-validated provider of a P2PE solution in 2014. Bluefin’s PCI-validated P2PE solutions immediately encrypt data upon tap, dip, swipe, or key entry in a P2PE-certified device, with the encryption process managed by Bluefin outside of the merchant environment. Bluefin also offers the only 100% online portal for chain of custody management, the P2PE Manager®. Learn more about PCI-validated P2PE in our FAQ section.
Specializing in PCI Compliance and Payment Security
Bluefin’s payment processing products are backed by PCI-validated P2PE encryption and by tokenization through our ShieldConex® data security platform. In addition, every merchant that signs with Bluefin has access to our full PCI compliance program through our partner, SecureTrust™, for annual scans, attestations and more.
Maintaining PCI compliance is important for your company and your clients. Contact us today to learn how we can help your organization.