What does PCI stand for in security?
PCI stands for Payment Card Industry. PCI compliance security processes are put in place by businesses to help keep payment card data safe.
What does PCI DSS stand for?
PCI DSS stands for the Payment Card Industry Data Security Standard.
What is covered by PCI compliance?
The PCI compliance definition describes a security standard that covers 12 requirements all businesses must follow if they collect, handle, transmit, and/or store sensitive payment information and cardholder data. These requirements consist of security standards and controls that help businesses prioritize protecting sensitive data, limit the data they store, and maintain a strong security posture to reduce data breaches.
Who is required to be PCI compliant?
Almost anyone who googles “What is PCI compliance?” will be required to comply with PCI DSS requirements. Every business that handles sensitive cardholder data, and every employee within it, must maintain PCI compliance for the business to continue accepting credit card payments. This includes merchants of all sizes, including small businesses and entrepreneurs, as well as third-party vendors such as payment processors.
While all businesses are required to meet some PCI security requirements, they are not all expected to meet the same requirements. Businesses must comply with different standards based on their PCI compliance level.
What happens if you are not PCI compliant?
If a company experiences a data breach and is not compliant with the PCI data security standard, that business may receive large fines, fees, and penalties from the credit card companies it works with. These fines are in addition to any fines the company may receive from regulating agencies. Non-compliant organizations will also move from their current PCI level to Level 1, which will require them to meet substantially more security requirements to accept payments.
Regular noncompliance may cause credit card companies to disable a company’s merchant account. Without a merchant account, a company can no longer accept credit card payments.
How do I know if I'm PCI compliant?
Companies must validate to the credit card companies that they are PCI compliant, either through external audits or by submitting required documentation. Completing the appropriate Self-Assessment Questionnaire (SAQ) based on your company’s size can provide insight into its PCI compliance status. SAQs are available directly from the PCI Security Standards Council, along with other documents that help businesses understand PCI compliance.
Another way to track a company’s PCI compliance is through an external audit conducted by a certified Qualified Security Assessor, or QSA. These trained auditors review procedures, test controls, and audit security practices to report on PCI compliance. All Level 1 businesses, including high-risk organizations that have previously experienced data breaches that compromised sensitive PCI data, must submit audit results as part of the PCI process.
How often do you need to pass PCI compliance?
Businesses must demonstrate ongoing compliance with PCI standards every year to continue accepting credit card payments. These businesses should submit yearly documentation to the major credit card companies as requested to keep their merchant accounts in good standing. Depending on the size of the company, it may also need to submit quarterly scans to show that it and its vendors remain PCI compliant.
Some companies may not be required to provide this documentation if they do not process enough payments within a year; however, these businesses should still complete a SAQ for their records.
Is PCI compliance required by law?
While there are no federal PCI laws that mandate or enforce PCI compliance, court precedent from past data privacy cases has effectively made PCI compliance required for all businesses. Additionally, some US states have enacted laws that make PCI compliance requirements enforceable by the state government.
While failure to follow a PCI compliance requirements checklist may not result in federal legal action, companies that expose cardholder data often face other regulatory compliance issues that subject them to legal difficulties. Plus, credit card companies can choose to penalize companies that do not comply with PCI standards by revoking their merchant accounts and preventing them from accepting credit card payments.
When do you need to become PCI compliant?
Businesses must show they are working toward full PCI compliance within a year of beginning to accept credit card payments. Merchants wondering “Do I need to be PCI compliant?” can learn everything about how to become PCI compliant from the resources provided by the PCI SSC.
What is PCI data?
PCI data, also known as payment card information data, is sensitive cardholder information including customer names, credit card numbers, addresses, and other personally identifiable information. When PCI information is compromised, customers are at risk of credit card fraud and identity theft.
What is a PCI compliance fee?
Credit card processors often charge merchants yearly PCI compliance fees for supporting PCI requirements. If businesses do not provide processors or credit card companies with the correct paperwork to validate PCI compliance, processors may also charge merchants monthly non-compliance fees.
How are PCI compliance and SOC 2 certification similar?
Both PCI and SOC 2 standards provide companies with recommended operational and compliance controls they should implement to protect sensitive customer data. While SOC 2 certification is optional, many companies that accept credit card payments and must comply with PCI DSS requirements also pursue SOC 2 certification.
Generally, PCI compliance standards are more strict than SOC 2 report requirements. However, creating policies and procedures for SOC 2 certification can help companies on their journey to full PCI compliance.