If you’re an online retailer or another kind of business that processes financial transactions, you may be wondering whether PCI DSS (Payment Card Industry Data Security Standard) compliance is a legal requirement for you. The answer is fairly simple and straightforward, but it can be a little confusing without a deeper explanation.
To answer the question directly: PCI compliance is currently not mandated by any federal regulation within the United States. Several states have state-level laws that may refer to PCI compliance, but overall there is no law that mandates PCI compliance in the United States or in the United Kingdom.
However, it’s in your best interest to be PCI DSS compliant, as it offers several layers of protection to both the consumer and the retailer. It protects the cardholder against theft and data breaches, and it also helps to minimize the damage a data breach does to your business.
The PCI Security Standards Council has outlined 12 general requirements for PCI DSS compliance, but there are also over 200 sub-requirements, and which ones apply depends on your type of business. Not all of the sub-requirements will be applicable to you. The 12 general requirements as outlined by the Council are as follows:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Protect all systems against malware and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Identify and authenticate access to system components
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
Failure to maintain PCI compliance can lead to the following consequences for your business:
- Financial entities such as credit card companies can impose penalties of up to $100,000 per month of PCI non-compliance, depending on factors like the volume of transactions and clients your business processes. Furthermore, any penalties suffered by banks or payment processors as a result of your non-compliance will be passed on to the non-compliant company, which can severely damage the relationship between the banks and the company.
- In the event of a data breach, your company can be fined between $50 and $90 USD per cardholder whose information was stolen.
- The Federal Trade Commission also monitors companies that choose to remain non-compliant, and can decide to audit them frequently and impose its own penalties for continued non-compliance. For small companies, the cost of PCI DSS certification may feel expensive, but remaining non-compliant over time is far worse, especially in the event of a data breach.
PCI DSS compliance is, in effect, cyber liability insurance for your business. If it feels like mobster extortion (“Pay up or bad things will happen!”), it really isn’t.
You’re paying to protect your customers from financial theft, which could happen as a result of your non-compliance, and given all the news about massive data breaches between 2015 and 2019, that is an entirely plausible scenario. You’re not doing your business any favours by choosing to remain non-compliant with the PCI DSS requirements.