In 2017, Target completed a multi-state settlement for $18.5 million stemming from a massive 2013 data breach that exposed customer credit card data (over 40 million records) and contact information (over 70 million records). Target's security was called into question, but it was actually an issue with its outside services: an HVAC supplier was noncompliant with the Payment Card Industry Data Security Standard (PCI DSS). This incident highlights the importance of PCI compliance, both internally and in association with your service providers, such as your Payment Processor.
PCI compliance is becoming an even more pertinent topic of conversation in the evolving compliance climate. The wide-ranging General Data Protection Regulation (GDPR) from the European Union went into effect on May 25, 2018. PCI DSS is also going through updates, with a new version having been released on February 1. Additionally, on June 30, new rules go into effect that will broadly impact e-commerce companies.
The time and cost of a PCI-compliant information technology setup vary from one organization to another. This article offers estimates for both, based on the 2018 requirements, so you can maintain compliance moving forward.
The cost of PCI compliance varies widely. Per 2015 figures, estimates for comprehensive PCI compliance of merchants and service providers with relatively small IT environments are as follows:
| Security Level | Merchant Costs | Service Provider Costs |
|---|---|---|
| Level 1 | $22,000 - $50,000 | $22,000 - $75,000 |
| Level 2 | $15,000 - $40,000 | $15,000 - $50,000 |
| Level 3 | $10,000 - $30,000 | N/A |
| Level 4 | $5,000 - $10,000 | N/A |
For large enterprises, the expenses are much greater. Even back in 2007, Guitar Center spent nearly $500,000 to establish its PCI compliance, suggesting that the total ticket for some large enterprises is now in the millions.
The time needed to establish compliance with this payment card standard will vary based on numerous factors. Beyond the size and complexity of your business’s computing setup, the biggest factor is the amount of work required to get your systems ready, which depends on whether you set them up on-premises or with a PCI hosting provider.
The broadness of the requirements is evident in the official PCI DSS 3.2.1 document. A smaller organization can reasonably expect compliance to be achieved in 90 days, or within 30 days if the project is highly prioritized. In larger organizations, it may take longer. An organization of any size could significantly trim its timeline by working with a PCI hosting service and by tapping into the expertise of its other payment partners.
While the requirements of the PCI DSS 3.2.1 (a very slight revision of 3.2, as discussed below) are too extensive to discuss here, the latest changes to the standard are worth noting. These 2018 updates to the PCI standard are offered by Laura K. Gray of the PCI Security Standards Council:
PCI DSS 3.2 mandated the following for all entities that handle credit card account holder data:
Along with the two above requirements, service providers must additionally do the following:
Encryption has evolved as weaknesses have been discovered in earlier technologies and protocols. To this end, transport layer security (TLS) version 1.2 or higher is now required. Earlier versions of TLS and the secure sockets layer (SSL) protocol are no longer sufficient.
There is one exception to this rule. For point-of-sale (POS) and point-of-interaction (POI) terminals, if there are no known weaknesses in the devices or in the termination points they connect to, it remains PCI compliant to use SSL or early TLS with those machines.
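As an added example (not part of the original article, and not PCI SSC tooling), the following Python script turns the rule above into something an assessor can run: it attempts one handshake per protocol version against a host, records which versions the server completes, and then judges the result against "TLS 1.2 or higher, with SSL/early TLS tolerated only under the POS/POI exception." It also builds a server-side context that refuses to negotiate below TLS 1.2. The host name in the usage block and the scan results in the test are constructed; whether a POS/POI device has "no known weaknesses" is a judgement the script cannot make, so it only downgrades those findings to notes when you assert the exception applies.

```python
"""Probe which SSL/TLS versions a server accepts and judge them against the
PCI DSS 3.2.1 rule: TLS 1.2+ required; SSL and early TLS only tolerated for
POS/POI terminals with no known weaknesses (that judgement is left to you).

Added example, not code from the original article. Host names and scan
results used for illustration are constructed.
"""
import socket
import ssl

# Anything below TLS 1.2 is "SSL / early TLS" in PCI DSS terms.
EARLY_VERSIONS = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)
PROBE_VERSIONS = EARLY_VERSIONS + (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)


def probe_version(host, version, port=443, timeout=5.0):
    """One handshake pinned to a single protocol version.

    Returns "accepted", "rejected", or "unavailable" (the local OpenSSL build
    cannot offer that version, so nothing can be concluded about the server).
    Network errors other than TLS failures propagate to the caller.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # This is a protocol probe, not a trust decision: certificate checks are
    # off so that a self-signed or mismatched cert cannot mask the answer.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        if version in EARLY_VERSIONS:
            # Modern OpenSSL will not even offer TLS 1.0/1.1 at its default
            # security level; lower it for this probe only.
            ctx.set_ciphers("ALL:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return "unavailable"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "accepted"  # server completed a handshake at `version`
    except ssl.SSLError as exc:
        # "no protocols available" means our side could not offer it at all.
        return "unavailable" if exc.reason == "NO_PROTOCOLS_AVAILABLE" else "rejected"


def scan(host, port=443):
    """Map every probe version to its handshake outcome for one host."""
    return {v: probe_version(host, v, port) for v in PROBE_VERSIONS}


def judge(results, pos_poi_terminal=False):
    """Apply the PCI rule to a {TLSVersion: status} map.

    Returns (compliant, findings). With pos_poi_terminal=True, early-TLS
    acceptance is reported as a note instead of a failure; you still have to
    confirm separately that the device has no known weaknesses.
    """
    findings = []
    modern_ok = any(results.get(v) == "accepted"
                    for v in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3))
    if not modern_ok:
        findings.append("no TLS 1.2 or TLS 1.3 handshake accepted")
    early = [f"{v.name} still accepted (SSL/early TLS)"
             for v in EARLY_VERSIONS if results.get(v) == "accepted"]
    if early and pos_poi_terminal:
        early = [f + " - tolerated only under the POS/POI exception" for f in early]
        return not findings, findings + early
    findings += early
    return not findings, findings


def pci_server_context(certfile=None, keyfile=None):
    """Server-side context that will never negotiate below TLS 1.2.

    Compare the weak setting: leaving minimum_version at the library default
    (or using PROTOCOL_TLS with no floor) can let a client downgrade.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # constructed default
    outcome = scan(target)
    for ver, status in outcome.items():
        print(f"{ver.name:<8} {status}")
    ok, notes = judge(outcome)
    print("PCI TLS check:", "PASS" if ok else "FAIL", notes)
```

Run it as `python tls_check.py payments.example` (file name constructed) against each endpoint that carries cardholder data, including the ones your payment processor terminates for you; a "FAIL" with "TLSv1 still accepted" is exactly the condition the June 30 deadline is about. The `@SECLEVEL=0` downgrade applies only to the probing client context, never to `pci_server_context`.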
Here’s what you need to do by June 30 to ensure compliance with the SSL to TLS transition:
The language was simply changed to include new stipulations, such as the February 1 deadline to achieve compliance with the 3.2 stipulations.
Adhering to the requirements of the Payment Card Industry Data Security Standard is critical to avoiding fines from the card associations and also strengthens security, as the Target breach illustrates. If you are not currently PCI compliant, the easiest way to get there is by partnering with a PCI Level 1 provider, which will help ensure your payment systems are up to date. Additionally, partnering with a proactive provider can help you maintain compliance as new updates occur.
What questions do you have about PCI DSS? We’d love to help explain this concept in the comments section below.