What is PCI Compliance and Why MUST Small Business Owners Be Concerned?



What is PCI Compliance and Are You Required to Do Anything About It?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to ensure that businesses which accept, process, store or transmit credit and debit card data do so in a secure environment.

No matter what industry you operate in or what size your business is, if you accept card payments and process, transmit or store cardholder data, you are responsible for meeting PCI DSS on every system that touches that data. Outsourcing does not remove the obligation: any hosting or service provider that stores, processes or transmits cardholder data on your behalf must itself be PCI compliant, and you remain responsible for the parts you still control.

The PCI Security Standards Council was formed in 2006 by the five major card brands: American Express, Visa, MasterCard, JCB (Japan Credit Bureau) and Discover. Each card brand runs its own compliance program, but PCI DSS is the foundation for all of them.

The Council itself has no legal authority. The standard is enforced contractually: the card brands and your acquiring bank write PCI DSS into your merchant agreement, so if your business intends to accept credit or debit card transactions, it will need to adhere to the standard.

What is PCI Compliance?

PCI DSS comprises 12 specific requirements grouped under six goals (control objectives): build and maintain a secure network and systems; protect cardholder data; maintain a vulnerability management program; implement strong access control measures; regularly monitor and test networks; and maintain an information security policy. The fundamental aims are to reduce the risk around card payments and to tell merchants concretely what "secure" means in practice.

There are four merchant levels, determined by the volume of card transactions your business handles over a 12-month period. Each card brand defines its own levels, but the Visa definitions below are the ones most commonly used. Under those definitions, transaction volume is the aggregate number of Visa transactions, including credit, debit and prepaid card transactions, from a merchant Doing Business As (DBA).

If you sell under more than one DBA, add up the transactions processed, stored or transmitted across all of them to determine your validation level.



If your company processes fewer than 20,000 e-commerce transactions a year (or up to 1 million transactions a year through other channels), or if card data is handled entirely by third parties such as shopping cart or payment page providers, your business is classified as Level 4. All 12 requirements still apply; what Level 4 reduces is the validation burden, that is, how you prove compliance.

If your business processes between 20,000 and 1 million e-commerce transactions per year, you will be classified as Level 3. Businesses processing between 1 and 6 million card transactions in a 12-month period are classified as Level 2. Each level brings with it more demanding validation requirements.

Level 1 carries the heaviest validation requirements and is reserved for businesses processing more than 6 million transactions per year, plus any merchant a card brand chooses to designate as Level 1 (for example, after a breach). Note that storing your own card data, writing your own payment code or running your own servers does not change your level, but it does change which Self-Assessment Questionnaire applies to you and how much of the standard is in scope: the more of the card-handling path you own, the more of the 12 requirements you must meet and evidence yourself.

What Will PCI Compliance Cost My Business?

For a Level 4 business with card data stored or processed on its own internet-connected systems, an Approved Scanning Vendor (ASV) must scan the externally facing systems every quarter. The business's staff must also complete a Self-Assessment Questionnaire (SAQ) and Attestation of Compliance (AOC) each year. This could cost as little as $60 a month.

If your business is Level 3, the cost of quarterly ASV scans and the yearly SAQ and AOC may rise to around $1,200 annually.



For Level 2 businesses, this cost could climb to between $10,000 and $50,000 a year, depending on the number of IP addresses and the size of your network.

For companies at Level 1, costs can range from $50,000 upwards and involve not only the quarterly ASV scans but also an annual on-site assessment by a Qualified Security Assessor (QSA), who produces a Report on Compliance (ROC) and the accompanying Attestation of Compliance.

What Can My Business Do to Meet PCI Requirements?

As suggested above, regardless of your level you will need quarterly scans by an Approved Scanning Vendor of any externally facing system that is in scope for PCI DSS. (A merchant that fully outsources card handling to a compliant third party, and so qualifies for the shortest SAQ, typically has no externally facing in-scope systems to scan.) Level 1 companies will also need a Qualified Security Assessor to carry out an annual on-site assessment.

For small businesses handling fewer than 6 million card transactions per year, validating compliance requires only the ASV scans (where applicable) and a completed SAQ and AOC from your own staff. Be clear about what that means, though: the SAQ is a signed attestation that every applicable requirement is actually in place, so the real work is implementing and maintaining those controls, not filling in the form.




Gabrielle Pickard-Whitehead is a professional freelance writer and journalist based in the United Kingdom. Since 2006, Gabrielle has been writing articles, blogs and news pieces for a diverse range of publications and sites.