As reliance on the internet increases and data moves to the digital world, data protection becomes a serious concern for businesses all around the world. The PCI SSC (Payment Card Industry Security Standards Council), formed in 2006, set the PCI DSS (Payment Card Industry Data Security Standard) to bring all payment card processing businesses onto the same page and protect consumers’ sensitive card information. While in the past only large enterprises had to comply, today all Australian businesses have to meet the PCI DSS requirements, no matter how small or large they are.
In-depth Understanding of the PCI DSS Compliance
PCI DSS consists of 12 requirements that every complying business has to meet. These 12 requirements are arranged into six logical groups, which are as follows:
- Build and maintain a secure network (two requirements)
- Regularly monitor and test networks (two requirements)
- Implement strong access control measures (three requirements)
- Protect cardholder data (two requirements)
- Maintain an information security policy (one requirement)
- Maintain a vulnerability management program (two requirements)
While it may seem that the PCI SSC itself enforces compliance with the industry standard it sets, that is not the case. In fact, it is the council’s five founding members and the acquiring banks that set the penalties, fines and regulatory measures that push merchants toward PCI DSS compliance. The major card brands enforcing these requirements are JCB International, Discover Financial Services, MasterCard, Visa, and American Express.
If you are an Australian business, here is how you can be PCI DSS compliant, regardless of the size of your business.
How to Make Your Business PCI DSS Compliant
The process is not complex, but aligning your entire system with the requirements can be costly and time-consuming. First, you have to know that there are different merchant levels, and you have to find out which one you belong to. To be precise, there are four levels, based on the number of transactions a merchant performs every year. The criteria for a particular level can differ between payment card brands. Here are the four levels as defined by Visa.
- You are a level 1 merchant if you process more than 6 million Visa debit and credit card transactions annually.
- You are a level 2 merchant if your number of yearly transactions is between 1 million and 6 million.
- Merchants with between 20,000 and 1 million annual transactions are level 3 merchants.
- You are a level 4 merchant if you process fewer than 20,000 Visa card transactions annually.
To complete the compliance procedure, you will first have to select and fill in the right self-assessment questionnaire, as there are many variations of it. Secondly, you will have to complete a vulnerability scan as well, if you qualify for one. Thirdly, pick the right attestation of compliance for your business and complete it. Once you have filled in these forms as per the instructions they come with (all the instructions are included in the packet), you have to submit them to your acquirer, or to each acquirer if you work with more than one.
(The acquirer is the bank or entity that the merchant uses to process their payment card transactions.)
The Costs of PCI DSS Compliance
One of the most frequent concerns for businesses is how much it will cost to become PCI DSS compliant. There is no set answer, because many factors affect the cost of your PCI DSS compliance, from your merchant level to the security culture at your company. You also have to keep in mind that maintaining proper security is an ongoing process, but once you have laid the foundation of the right infrastructure, the process will be smoother and less costly.
Non-compliance Can Be Costly
When a merchant is non-compliant with the PCI DSS requirements, the payment card brands do not penalize the merchant directly; they penalize the acquiring banks. However, the acquiring banks don’t wait long before passing those penalties on to the merchants. These penalties can range from $5,000 to $100,000 every month. For small businesses, they can be devastating. Lastly, the PCI DSS requirements might not be part of Australia’s legislation, but they are an industry standard, and any cardholder data breach resulting from your negligence can land you in court.