PCI DSS stands for the Payment Card Industry Data Security Standard. Any business or organization that processes, stores or transmits cardholder data is required to adhere to PCI DSS. The credit card brands (Visa, MasterCard, Discover and Amex) created these security standards to prevent fraud and to establish a single, industry-wide baseline.
PCI DSS is updated every year to ensure that it addresses vulnerabilities and reflects new technologies. But it can be both costly and challenging to meet PCI DSS requirements. We’ll dive into the associated costs and methods of getting PCI DSS-certified, along with tips to reduce your exposure.
PCI DSS Certification Costs
Maintaining a secure credit card data environment is critical for your business. Remember the major Target data breach of 2013? Target paid $18.5 million in fines and settlement fees. Target could afford that, but can your business? It’s important to take PCI DSS seriously, as not doing so could result in data breaches, fines and — at the very least — lost customers.
There are various tiers of PCI DSS. Level 1 is the highest achievable standard. Estimates put the cost of achieving PCI Level 1 security for your business at a cool $22,000 to $50,000 … annually! Because the requirements for PCI DSS change each year, it can be a daunting task to invest in (and maintain) that level of certification.
Additionally, testing your business to verify compliance can be time-consuming. To be thorough and potentially achieve PCI Level 1 status, you’ll have to undergo annual audits and security testing. And even after all that work, you’re out of luck if your Merchant Service Provider isn’t PCI-certified as well.
After all, your payment partners are the ones handling each transaction from the moment the card is processed until authorization is granted. Although we’ve focused mostly on your business thus far, the best way to get PCI compliant is to start with a PCI Level 1 provider and then do your best to put policies in place that keep your business secure, too.
PCI DSS-Certified Providers
Visit the Visa Global Registry of Service Providers page and enter your provider’s name. This quick tool will tell you whether your payment provider is PCI DSS-validated, and when the validation expires. You can see if your provider is behind in renewing its PCI DSS validation, and if it isn’t on the list, it hasn’t been PCI DSS-compliant in over 91 days. If this is the case with your provider, consider other providers that take security more seriously by proactively ensuring their validation never expires.
Many providers are targets of fraud due to the sheer volume of credit card data they process. Don’t limit your focus to your store (though we’ll dive into that next): Be aware of how a transaction is processed and how the data is secured from end to end. For in-person transactions, this means paying attention to your Merchant Service Provider, the Payment Processor and your credit card terminal or point-of-sale system. For online transactions, this includes any hosted checkout, third-party shopping carts, your Merchant Service Provider, Payment Processor and Payment Gateway.
It may feel like a lot to verify, but it’s entirely worth it. Concerned that your providers aren’t secure enough? Follow your gut and look into alternative providers that offer month-to-month PCI Level 1 services. Try them alongside your current provider and make the switch if you feel more at peace with the way your data is managed by the new provider.
What You Can Do to Stay Secure
Beyond partnering with secure providers, here’s a list of measures you can take to ensure that your business does its part to protect cardholder data:
- Implement anti-virus protection on your computers.
- Use a secure Wi-Fi network.
- Maintain up-to-date programs and operating systems.
- Stop storing credit card data manually or in a physical form.
- Eliminate the unsafe transfer of cardholder data (e.g., through email).
- Maintain individual, strong passwords for each staff member who uses your system.
- Screen emails for phishing attacks.
- Keep track of your payment processing inventory (i.e., credit card terminals).
- Inspect your devices routinely for signs of tampering or embedded devices.
- Train your employees to be vigilant and aware of potential signs of fraud.
- Upgrade to EMV-certified equipment.
- Avoid native software applications that access cardholder data.
These best practices will help prevent a damaging data breach from occurring at your business. The last tip — about avoiding native software — can actually reduce your PCI scope, effectively minimizing your exposure. By using a cloud-based terminal, you can keep your computer and network outside of PCI DSS and run an even safer operation.
Reduce your PCI DSS scope with a free EMV, cloud-based terminal.
Have further questions about PCI DSS? Let us know in the comments section below.
Editor’s Note: This post was originally published in November 2018 and has been updated for comprehensiveness and accuracy.