What is PCI compliance? A guide for businesses

Businesses that want to remain competitive must accept credit cards. However, credit card fraud, identity theft, and the theft of data are increasing at alarming rates.

As such, it's critical that companies protect their customers' payment card data. Lax security lets criminals steal and use consumers' personal financial information from payment transactions and processing systems.

Vulnerabilities can show up anywhere in the credit card processing environment, including online shopping applications, point-of-sale devices, and even when cardholder data is transmitted to service providers. Vulnerabilities can also appear in the systems of service providers and acquirers—in other words, the financial institutions that merchants use to process their debit or credit card payments.

Compliance with the Payment Card Industry Data Security Standard (PCI DSS) can help companies protect cardholder payment account data. However, although PCI compliance improved in 2020, "the cybersecurity threats businesses are now facing are more cunning and evasive than they were even two years ago," according to the 2022 Verizon Payment Security Report.

What is PCI compliance?

The Payment Card Industry Data Security Standard is an information security framework that aims to help merchants and service providers protect debit and credit card transactions from data breaches.

All businesses that accept, transmit, or store cardholders' private payment card information must adhere to the 12 operational and technical PCI compliance requirements. This is to maintain secure environments as well as protect their customers’ cardholder data—and their reputations as reliable companies.

However, PCI DSS compliance is not a law or regulation; instead, it is an industry mandate. Still, companies that don't comply with PCI standards can be fined for negligence and violating agreements. For that reason, you should consider PCI compliance one of your critical online payment system features.

For the latest requirements see our new article about what merchants need to know about PCI DSS 4.0.

A timeline of PCI DSS
In 2004, in response to skyrocketing credit card fraud, Visa, Discover, Mastercard, American Express, and JCB launched PCI DSS 1.0. Then, in 2006, the card brands added other organizations to their security initiative, including merchants, financial institutions, point-of-sale vendors, software developers, and processor companies, and formed the PCI Security Standards Council (PCI SSC). The PCI SSC requires that businesses become PCI DSS compliant as well as demonstrate their ongoing commitment to securing credit card data.

Version PCI DSS 1.1 was released in 2006, and further revisions have been issued since then. The latest evolution of the standard, PCI DSS 4.0, was released on March 31, 2022. However, the previous version, PCI DSS v3.2.1, will still be active until March 31, 2024, giving companies two years to understand and implement PCI DSS 4.0. At that time, PCI DSS 4.0 will supersede v3.2.1. But businesses will have until March 31, 2025 to verify compliance with PCI DSS 4.0.

There are four ongoing steps to protect payment account data with PCI DSS 4.0:

Assess: Businesses must identify all locations where they keep payment account data. That means they must conduct an inventory of all their business processes and IT assets that are associated with payment processing, analyze them for flaws that could expose payment account data, update or implement necessary controls, and undergo a formal PCI DSS assessment.

Remediate: Companies must identify and address any gaps in their security controls, fix any vulnerabilities that they find, securely remove any unnecessary payment data storage, and implement secure business processes.

Report: Organizations must document the details of their assessments and remediations and submit compliance reports to the compliance-accepting entity, usually the payment brands or acquiring bank.

Monitor and maintain: Firms must confirm that the security controls they put in place to secure the payment account data continue to function appropriately and effectively throughout the year. Companies must implement these processes as part of their overall security strategies to help guarantee ongoing protection.

Learn more: PCI SAQs explained

Do merchants need to be PCI compliant if a third-party processes their payments?

Merchants using third-party payment processors still need to be PCI compliant. However, using third parties will most likely cut down their risk exposure and make it easier to validate compliance.

Third-party payment gateways use data security methods, such as tokenization, that allow companies to store tokens on their local servers instead of the actual data. Tokens replace sensitive card data without exposing actual account details. Tokenization enables businesses to offer customers one-click payments to make the checkout process easier and faster.

Using payment gateways can remove some of the burden of PCI compliance; however, businesses are still responsible for their own security, and they must commit to continually testing, strengthening, and updating their PCI compliance.

What are the 4 PCI compliance levels?

There are four PCI compliance levels that are determined by the number of transactions an organization handles every year. The payment brands, i.e., American Express, Visa, Mastercard, Discover, and JCB, have their own programs for compliance as well as their own thresholds for the levels of PCI DSS compliance.

Level 1: Businesses that process:

• 6 million or more Visa, Mastercard (combined with Maestro), or Discover transactions.
• 2.5 million or more American Express transactions.
• 1 million or more JCB transactions.

In addition, any business that:

• Has had a cyberattack or data breach that compromised cardholder data.
• Has been identified as Level 1 by one of the card schemes.

Key requirements:

• On-site assessment using the PCI DSS requirements and security assessment procedures conducted by an approved security assessor or a qualified internal security assessor.
• Quarterly network scan by an approved scanning vendor (ASV).
• Annual penetration test.

Level 2: Businesses that process:

• 1 to 6 million Visa, Mastercard (combined with Maestro), or Discover transactions.
• 50,000 to 2.5 million American Express transactions.
• Fewer than 1 million JCB transactions.

Key requirements:

• Annual self-assessment using the applicable PCI DSS Self-Assessment Questionnaire (SAQ). Validated by a QSA of ISA for compliance validation
• Quarterly network scan by an ASV.
• Annual penetration test.

Level 3: Businesses that process:

• 20,000 to 1 million Visa, Mastercard (combined with Maestro), or Discover transactions.
• Fewer than 50,000 American Express transactions.

Key requirements:

• Annual self-assessment using the applicable PCI DSS Self-Assessment Questionnaire (SAQ).
• Quarterly network scan for vulnerabilities by an ASV.
• Completion of the Attestation of Compliance (AOC) form.

Level 4: Businesses that process:

• Fewer than 20,000 Visa or Mastercard (combined with Maestro) e-commerce transactions or up to 1 million total Visa or Mastercard credit card transactions and that have not suffered a data breach or attack that compromised card or cardholder data.

Discover, American Express, and JCB don't have PCI Level 4 designations. Discover and American Express stop at PCI Level 3, while JCB stops at PCI Level 2.

Key requirements:

• Completion of the appropriate SAQ.
• Quarterly network scan by an ASV.
• Completion of an AOC.

Learn more: Opportunities presented by PCI DSS 4.0

How Checkout helps companies with PCI compliance

Checkout is PCI DSS Level 1 compliant (which is the highest standard set by the payment card industry). While PCI compliance may seem overwhelming at first, there are plenty of resources to lean on for help.

For example, Qualified Security Assessors (QSAs) are independent security organizations and individuals that have been qualified by the PCI Security Standards Council. QSAs can validate an entity’s adherence to the PCI DSS and can support merchants through the process.

To offer PCI compliance assistance to our merchants, Checkout.com has partnered with SecurityMetrics, a QSA company.

To find out more about how Checkout.com can help with implementing PCI compliance, see our documentation.