The Payment Card Industry Data Security Standard (PCI DSS) was created by the Payment Card Industry Security Standards Council (PCI SSC). This council includes brands like MasterCard, VISA and American Express. It was created to develop, encourage, and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. Whilst PCI DSS is not a law, it is a contractual agreement, and there can be consequences for non-compliance.
PCI DSS applies to all businesses worldwide that store, process and/or transmit cardholder data. In short, that is all businesses that accept cards as a means of payment, whether online or in a store.
Compliance is important to prevent a breach or a fine, but it also increases customer confidence that their card data is processed safely by the organisation.
PCI DSS is not a law. It is a contractual agreement between the business and the acquiring bank into which its card payments are settled. However, some states in the USA have incorporated the standard into state law (Washington and Nevada, for example).
Regardless of the size of the company or amount of payment transactions, any organisation involved in payment card processing is contractually required to be PCI DSS compliant. Without compliance, legal action could be taken, or fines imposed.
PCI DSS fines are based on each individual business and the circumstances. Fines can be imposed for non-compliance to all or parts of the standard, or for a breach caused by lack of compliance.
The fines vary, and can be imposed annually, monthly or ad hoc. They can range from $1,000 to $100,000 per month depending on the severity of the non-compliance. If a breach occurs in an organisation, the cost and time to recover often outweigh the actual cost of the fine, so it is important to comply.
Businesses are categorised into four levels, depending on the number of annual transactions. Each brand (Visa, Mastercard etc.) has its own levels, but typically the levels are as follows:
Depending on your level, which your acquiring bank will make you aware of, you may need to submit a Report on Compliance by a Qualified Security Assessor, or for lower levels, only a Self-Assessment Questionnaire is required.
If you’re looking for more information on PCI DSS compliance, our online guide includes more information about the 12 requirements, the types of cardholder data and the assessment process.