While visiting numerous websites and apps every day, we often come across visuals that emphasize payment security. But what does that really mean for business owners and customers?
As customers, we create online profiles and user accounts to experience the ease and convenience of making online payments. Whether it is recurring monthly shopping or once-in-a-while purchases, online payments have made our lives easier. In between all these transactions, an exchange of sensitive information like card details occurs, a breach of which can cause significant financial losses to both businesses and customers.
You might have heard of incidents in which financial institutions contact individuals to inform them that their card details have been compromised. Loss of such information is the growing cause of frustration amongst both businesses and consumers. As per stats, the state of Maharashtra witnessed the highest number of credit/debit card frauds in 2019.
If you are an online business owner, how can you ensure the customers that their card information will be safe with you?
It is where PCI DSS plays a vital role, and all companies that accept, store, process, or transmit card information must comply with it.
What is PCI DSS?
PCI DSS or Payment Card Industry Data Security Standard is a set of security standards that aims to ensure secure card and online payment transactions and protection against fraud/data theft.
It all started in the 1990s when Visa – the financial services corporation, first established its own security standard – Cardholder Information Security Program (CISP) to combat monumental fraud levels. Similarly, other companies like MasterCard and AmericanExpress implemented their own security standards but received limited success.
In 2006, the Payment Card Industry Security Standards Council (PCI SSC) was created by an alliance of credit payment agencies. The council came up with a well-defined set of payment standards that must be fulfilled by any merchant to process, store, and transmit cardholders data. These standards later became widely known as PCI DSS. It helps businesses in evaluating the potential exposure to losses while dealing with cardholders data.
More about PCI DSS certification
PCI DSS certification covers best practices to ensure the security of card data at the business end, including the following:
- Firewalls installation
- Data encryption during transmission
- Antivirus software deployment, and more
PCI-compliant service providers also need to restrict access to the cardholders’ data and network resources. With PCI compliance, you can assure the customers about the safety of payment transactions with your business.
Conversely, a data breach causing loss of sensitive financial data results in severe repercussions for a business, including fines charged by card issuers, lawsuits, damaged reputation, and reduced sales. Hence, it is advisable to invest in PCI-DSS compliant payment gateways to ensure complete security of payment transactions happening for your online business.
What are the 12 key PCI DSS compliance requirements?
PCI compliance standards require online businesses to handle financial data securely, which will ultimately reduce the risk of loss of such data. Not abiding by these standards may result in hacking of card information and fraudulent actions like identity fraud.
PCI DSS has 12 key requirements, which are:
- Installation of firewalls for data protection
- Secure password protection (selection of passwords other than the ones supplied by vendors/intermediaries)
- Protection of cardholder data
- Encryption of cardholder data when transmitted across public networks
- Use of antivirus software with regular updates
- Maintenance and updates of security systems
- Restricted access to the cardholder data (need-to-know basis)
- Assignment of unique IDs to those having access to the data
- Restricted physical access to the cardholder data
- Regular tracking/monitoring of access to the network resources and cardholder data
- Regular testing of security systems
- Documentation and maintenance of information security policy
Besides this, PCI DSS also has 78 base requirements and more than 400 test procedures. The most recent version of PCI DSS is version 3.2.1 which was released in 2018.
How does PCI compliance work?
PCI DSS compliance is a checklist of the best practices and processes that any company handling cardholder data must follow. Compliance with PCI DSS is not just a certification but a continuous process involving:
- Identification of assets and processes that handle cardholder data to analyze vulnerabilities
- Remediation and repair of vulnerabilities for data security
- Documentation and reporting of assessment and remediation performed to fix the vulnerabilities
The compliance processes and steps may differ for different companies, but the core principles remain the same.
What are PCI DSS compliance levels?
There are four levels of PCI DSS compliance based on the number of card transactions a company processes in a year. In other words, every organization that handles cardholder data falls into any of these levels. It has to follow the compliance processes based on the level it falls into.
- Level 1 – applicable to businesses processing more than six million card transactions in a year
- Level 2 – for businesses handling one to six million transactions annually
- Level 3 – for merchants processing 20,000 to a million transactions per year
- Level 4 – for merchants handling less than 20,000 transactions in a year
What happens if you do not comply with PCI standards?
Although PCI DSS is not regulated by any government authority, it does take punitive actions if your business fails to comply with the standards. PCI compliance failure primarily results in monetary fines, which include the cost of legal assistance, banking fines, cost of federal audits and investigations.
The financial implications of not complying with the PCI DSS are a strong deterrent for businesses. However, there are other long-term consequences, such as lack of trust from customers and banking institutions.
Why is PCI Compliance important for online businesses?
PCI DSS compliance is mandatory for almost every business that accepts payments through cards digitally. The financial information entered by the customers is highly sensitive data and requires protection. Regular assessment and maintenance of any vulnerability or gap in data security help in avoiding the loss of sensitive cardholder information.
Regular audits and monitoring as per PCI DSS is an important part of maintaining data security for online businesses.
What are the benefits of PCI DSS compliance?
- Lowered risk of data breaches
- Safety of cardholder data
- Reduced risk of identity theft
- Brand reputation buildup
- Customers loyalty
A step-by-step guide to becoming PCI DSS compliant
Step 1: Know your PCI level and requirements based on the volume of card transactions processed for your business in a year.
Step 2: Map the comprehensive flow of the network connections, applications, and systems that handle cardholder data.
Step 3: Check the security protocols and configurations as per 12 security requirements detailed above.
Step 4: Complete the right type of Self-Assessment Questionnaire (SAQ) which is applicable to your business.
Step 5: Maintain a secure network to protect cardholder information.
Step 6: Fill out the Attestation of Compliance to confirm the results of PCI DSS assessment.
Get PCI DSS Compliance with Paytm Payment Gateway
PCI DSS compliance is essential for every business that handles cardholder data. Wondering if you need to abide by the compliance requirements separately? Paytm Payment Gateway can make things easier and simpler for you. Being a PCI DSS Level 1 compliant, Paytm Payment Gateway is the preferred choice amongst SMBs in India.
With our JS checkout, and App invoke SDK, the PCI compliance liability falls on us. It is because the payment details are captured/processed on a Paytm-hosted page. However, we recommend that you fill up an SAQ to abide by the compliance guidelines.
You can use our e-commerce hosted platforms like Shopify, Zoho, Zepo, to name a few to enjoy the compliance benefits of our payment gateway. For more details, click here.
However, you also need to abide by the PCI compliance terms separately in case you choose payment gateway integration using our Custom Checkout or Custom UI SDK.
FAQs related to PCI DSS
As per the PCI Compliance Guide, here are some of the most frequently asked questions related to PCI:
Who is liable to abide by the PCI DSS terms?
These security standards are applicable to every organization that accepts, stores, or transmit cardholder’s data, irrespective of the number of transactions in a year or the organization size.
How are PCI compliance levels determined?
A company falls into one of the four PCI compliance levels based on the transaction volume handled by the business in a 12-month period.
Does PCI DSS apply to those companies that accept credit cards over the phone?
Yes. Every business that keeps, processes, or transmits cardholder data must be PCI compliant.
Can I exclude PCI DSS compliance for my business by using third-party processors?
Involving a third-party vendor for payment processing reduces the risk exposure and compliance validation efforts for a business. However, it does not imply that PCI DSS can be ignored.
Do debit card transactions also fall under the scope of PCI?
In-scope cards for PCI compliance include credit, debit, and prepaid cards issued by any of the five card associations – MasterCard, VISA International, American Express, JCB, and Discover.
Should my business require PCI compliance if I have an SSL certificate?
A business does not become PCI compliant by just having an SSL certificate. It is because such certifications do not secure a server from unauthorized intrusions or malicious attacks completely.
How is a vulnerability scan related to PCI compliance?
A vulnerability scan refers to the process of checking a merchant’s systems for any vulnerability using an automated tool. It reviews networks and applications remotely based on the external-facing IP addresses.