PCI DSS and PCI Certification: All You Need to Know
PCI DSS compliance is a global standard. It is not required by legislation, but all countries have more or less similar regulations regarding cardholder data. If companies are not compliant with the PCI standard, this usually leads to hefty fines. Let us find out more.
What is PCI DSS Compliance?
The PCI DSS (Payment Card Industry Data Security Standard) is a security standard for credit card data that is binding for all institutions that process or store cardholder data. The standard was developed by American Express, Mastercard, Visa Inc., JCB International and Discover Financial Services to curb fraud in credit card payments on the Internet. The goal of PCI DSS is to protect online merchants and end users from fraudulent attacks, card misuse and theft.
All companies that process cardholder data must comply with PCI DSS and obtain PCI certification. PCI compliance validation and certification is performed by a Qualified Security Assessor (QSA), an Internal Security Assessor (ISA) or a Self-Assessment Questionnaire (SAQ). The latter applies to those companies that process data of this type only in small quantities.
Why is PCI DSS important?
Complying with PCI DSS means taking appropriate steps to protect cardholder data from theft and fraudulent use. Compliance or non-compliance with the PCI security standard has implications for your business and, more importantly, for your customers. The consequences of even one successful cyber-attack are major and might include loss of revenue, customers, reputation and trust. With this in mind, it is more important than ever to take responsibility for this customer data and ensure it is adequately protected according to the PCI data security standard.
Adhering to the PCI standard is meant to prevent security breaches. The standard is not only a recommended organizational structure for handling sensitive cardholder data within the company concerned, but also a technical specification. Its basic requirement is that it is observed by all parties involved in the credit card transaction.
Criteria for PCI certification
In order to assess when PCI certification is required, one should know which parties might be involved in a credit card transaction. In addition to the credit card holder (i.e., the customer), these include the online merchant, the acquirer (i.e., the bank that settles credit cards for the online merchant), and the payment service provider (the payment processor). In addition, the payment module or plug-in in the store software, the store software itself and the interface to the payment service provider or bank are involved. PCI certification is always required if a locally executed and self-developed checkout form is used. Even if the additional payment-processing software used by the online store accepts the credit card data on its own server, PCI certification (e.g. Visa or Mastercard PCI compliance) is unavoidable. The same applies if a store operator stores cardholder data in its own systems.
What do I need to do to become PCI DSS compliant?
Companies that want to become PCI DSS compliant and get PCI certification must first understand how payment data is collected, stored and organized. Many companies use a fully hosted solution to do this. PCI compliance is measured by auditing the merchant's or service provider's environment against the PCI standard. Within IT governance, the PCI data security standard requires merchants and managed service providers (MSPs) involved in the storage, processing or transmission of cardholder data to:
The individual requirements are further broken down into 12 conditions that each merchant or MSP must meet to be PCI compliant.
What does PCI DSS mean for my company specifically?
The terms of PCI DSS compliance are in line with general cybersecurity best practices. If you are not yet sufficiently familiar with the EU General Data Protection Regulation, you should know that it contains many of these best practice guidelines. Regardless of the size of your business, you should protect your network and infrastructure as comprehensively as possible. In addition, to be compliant with PCI DSS, you should secure your corporate digital assets and data.
How online merchants can circumvent PCI certification
Small store operators in particular often ask themselves whether they actually have to deal with PCI certification or whether this could be left to the payment provider. The prerequisite for this, however, is that no cardholder data or peripheral data, such as the three-digit security code of the credit card, is processed or stored at any point in the merchant's own system. Only then can the online merchant avoid the obligation to obtain PCI certification. In concrete terms, this means only using plug-ins provided by the payment provider or acquirer. Online merchants should also make sure that the card data never passes through the plug-ins, but is transferred directly from the end customer's browser to the payment provider's system. In addition, no PCI data or credit card data of any kind may be stored internally. This also applies to direct or telephone sales. If the relevant data is required for manual transactions, it is advisable to print it out and keep it – and only until the retention period expires.
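Keeping card data out of the merchant's own systems only works if nothing leaks in by accident, so a practitioner will want a check that scans application logs and stored records for primary account numbers (PANs) and security codes. The following is an added example, not code from the original page; the log lines are constructed, and only Luhn-valid digit runs are reported so that order numbers and references do not trigger false alarms.

```python
import re

# Constructed sample log lines: a tokenised record (the intended flow),
# an accidental raw PAN plus CVV, and a 16-digit reference that fails Luhn.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z checkout ok order=1001 token=tok_9f8e7d",
    "2024-01-01T10:00:05Z checkout ok order=1002 card=4111111111111111 cvv=123",
    "2024-01-01T10:00:09Z checkout ok order=1003 ref=1234567890123456",
]

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded
# in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(\d[ -]?){12,18}\d(?!\d)")
# A labelled 3- or 4-digit security code (field name is an assumption).
CVV_RE = re.compile(r"\bcvv\s*=\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits so findings can be reported without re-exposing the PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_cardholder_data(lines):
    """Return (line number, kind, masked value) for each PAN or CVV found."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append((lineno, "PAN", mask_pan(digits)))
        if CVV_RE.search(line):
            findings.append((lineno, "CVV", "<redacted>"))
    return findings


if __name__ == "__main__":
    for hit in find_cardholder_data(SAMPLE_LOGS):
        print(hit)
```

Any finding means cardholder data has entered the merchant's environment and the scope reduction described above no longer holds.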
Online merchants can also bypass PCI certification by handing over the entire payment process to a payment processor that does have PCI-DSS certification. If none of these criteria are met, i.e. the online merchant manages cardholder data itself or stores credit card data, PCI certification is unavoidable. The costs for an annual PCI certification to Level 4 (lowest level) are in the three-digit range if the company in question does not carry out more than 20,000 credit card transactions per year. Higher-level PCI certification up to Level 1 is significantly more expensive. The guidelines on which PCI certification is based are reviewed and renewed every year.
Consequences of not having PCI certification
Failure of online merchants to obtain PCI certification, even though they process or store PCI and cardholder data, can have far-reaching consequences. As a rule, PCI non-compliance will result in penalties from the acquirer. In addition, however, there is a risk that online merchants without PCI certification will lose their permission to accept credit card payments. As a result, the online merchants non-compliant with PCI DSS will never again be able to accept card payments, as no other acquirer is likely to sign an acceptance agreement. The choice will then be limited to payment processors that allow acceptance of a credit card payment even without an acquiring contract. However, this measure is more likely to be the exception. If the merchant systems have been broken into and no PCI certification was available, the requirement is usually imposed that the merchant in question must undergo PCI Level 1 certification. The costs incurred for this certification can amount to several thousand euros and are due anew every year, as the merchant's own systems must be checked at regular intervals from this moment on.