Below, you'll find everything you need to know about PCI DSS compliance and how it impacts your business.
First off, what is PCI DSS?
Payment Card Industry Data Security Standard (PCI DSS) is a set of standards, rules, and procedures designed to protect consumer data in credit and debit transactions and reduce expensive data breaches. Essentially, it’s a set of rules to maintain payment security.
The leading five Card Brands, Visa, MasterCard, Amex, Discover, and JBC, get really upset if you have credit card numbers scribbled on post-it notes, buried in your text messages, or anywhere they can be found by unintended parties. To help maintain payment security, they established the PCI Security Standards Council (PCI SSC) as a governing and administration entity, and it is responsible for all PCI rules and standards.
How does PCI DSS impact my business?
Boulevard is a PCI DSS-approved Level 1 Service Provider. We manage payment processing for you and take the necessary steps to address certain PCI DSS requirements through our own efforts and by providing guidance to our customers.
However, partnering with a PCI DSS compliant provider does not automatically make you, as a business, compliant with PCI regulations. As a merchant who accepts credit/debit cards, you are still responsible for ensuring that your business is compliant with all current PCI requirements.
But what if I run a solo or small operation?
Compared to larger merchants, smaller merchants typically have simpler environments with limited amounts of cardholder data and fewer systems that need protecting. This reduces your overall PCI compliance efforts, but you still need to comply.
What steps do I need to take to become a PCI DSS compliant business?
Step 1: Follow PCI DSS Standards Requirements
PCI DSS standards cover technical and operational system components included in or connected to cardholder data. Here is a list of current requirements as of May ##, 2021, when this document was written:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for employees and contractors
This checklist is updated by PCI Security Council from time to time. Be sure to visit PCI Security Standards Council website to get the most up-to-date checklist for PCI DSS.
Step 2: Satisfy PCI Reporting Requirements
There are four levels of PCI compliance. Each level has unique reporting requirements based on your business’s total annual transaction volume and number of card transactions. You can find your reporting requirements in the table below:
|Level||Applicability||PCI Reporting Requirements|
Any Merchant processing more than 6M transactions per year
Any merchant that has had a data breach or attack that resulted in card data compromise
Any merchant identified as Level 1 Card Brands
Merchants processing 1M - 6M transactions
Merchants processing 20K - 1M eCommerce transactions
All other merchants
A complete list of Approved Qualified Security Assessors (QSAs) can be found here
A complete list of Approved Scan Vendors (ASVs) can be found here.
How much will it cost me to become PCI compliant?
The cost of being PCI compliant depends on the size of your business and transaction volume, so it will vary from business to business.
If your business is not compliant with PCI standards, you could be at the risk of fines and penalties related to data breaches, card replacement costs, forensic audits, and investigations into your business. It could affect brand image and can have other consequences as well, so it’s not something you want to brush under the rug.
Anything else I need to know?
We realize PCI Compliance isn’t the most exciting topic in the world, but it’s necessary to keep you and your clients protected and is a must if you have big plans for your career and business. So, don’t wait! Follow the PCI requirements today and lay the groundwork for your future success. To learn more about achieving and maintaining full PCI DSS Compliance, visit the PCI Security Standards Council website.
As a PCI DSS-approved Level 1 Service Provider, Boulevard manages your payment processing for you and help ensure your business is up-to-date with all requirements, so you can focus on honing your craft.