What Is PCI Compliance?

What Is PCI Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is maintained by the PCI Security Standards Council (PCI SSC) to protect transaction and cardholder data. It defines 12 requirements that a business must meet whenever it stores, processes, or transmits payment card data. PCI DSS is not a statute; it is enforced contractually by the card brands and acquiring banks, and it gives businesses a concrete baseline for protecting their customers' card data.

What Are the Six PCI DSS Compliance Goals?

The PCI DSS requirements, established by the PCI Security Standards Council, are grouped under six goals:

  • Build and maintain a secure network and systems: use network security controls (firewalls, segmentation, hardened configurations) so that attackers cannot reach the systems that handle payment or cardholder data
  • Protect account data: protect cardholder data at rest and encrypt it in transit over open, public networks
  • Maintain a vulnerability management program: identify weaknesses in your payment card infrastructure, patch them, and keep anti-malware and secure development controls in place
  • Implement strong access control measures: restrict logical and physical access to the primary account number (PAN) and other cardholder data, granting access only on a need-to-know basis
  • Regularly monitor and test networks: logging, monitoring, and testing detect malicious activity and control failures that put cardholder data at risk
  • Maintain an information security policy: a written policy tells every employee what is expected of them, so the whole organization, not just the IT team, is responsible for protecting cardholder data

Each goal is implemented through one or more of the 12 PCI DSS requirements listed below.

PCI Compliance Standards

PCI DSS consists of 12 requirements:

  • Install and maintain network security controls (firewalls) to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect stored account data
  • Encrypt cardholder data in transit over open, public networks
  • Protect all systems and networks from malware, with anti-malware software kept up to date
  • Develop and maintain secure systems and software
  • Restrict access to cardholder data by business need-to-know
  • Identify users and authenticate access to system components
  • Restrict physical access to cardholder data
  • Log and monitor all access to system components and cardholder data
  • Test the security of systems and networks regularly
  • Support information security with organizational policies and programs that apply to all personnel

Meeting these 12 requirements is what PCI compliance means in practice, and it protects the cardholder data your business has already collected as well as the data it will collect. Compliance also reassures customers that their card data is handled responsibly.

PCI Non-Compliance Fee

When the 12 PCI DSS requirements are not met, your business can be charged PCI non-compliance fees. The card brands levy these fines on your acquiring bank or payment processor, which passes them on to you, and the amount grows with the severity and duration of the violation. Fines are also assessed after a breach of cardholder data. Some processors additionally charge a non-compliance fee when a merchant fails to validate its compliance on schedule (for example, by not submitting its annual Self-Assessment Questionnaire), even if its controls are in place. To avoid these fees, implement the 12 requirements and validate compliance on time.

PCI Compliance Fee

Some card processors charge a separate PCI compliance fee, billed monthly or annually, for helping merchant accounts meet the PCI DSS requirements. The fee covers the processor's or merchant service provider's cost of providing compliance tools, resources, and support, such as self-assessment questionnaires and vulnerability scanning, that help merchants stay compliant and avoid the risk of non-compliance fees and data breaches.

Is PCI Compliance Required By Law?

PCI DSS is an industry standard rather than a statute, although a few jurisdictions (Nevada, for example) have written it into state law. For most businesses it is a contractual obligation to their acquirer and the card brands. Beyond the contractual requirement, compliance reduces the likelihood of a data breach by putting concrete security controls around cardholder data, and it protects your brand from the reputational damage a breach causes.

The standard is maintained by the PCI Security Standards Council, an independent body founded in 2006 by the major card brands to protect cardholder data. It is a form of industry self-regulation: both the card brands and the businesses that hold cardholder data are held accountable for preventing breaches of customer information. Non-compliance can lead to fines and can ultimately cost a business the ability to accept payment cards at all, since the acquirer or payment processor can terminate the merchant account.
