What is PCI Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all businesses who accept, process, store or transmit credit card information do so in a secure environment.

The Payment Card Industry Security Standards Council (PCI SSC), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB) was launched in 2006 in order to manage the Payment Card Industry (PCI) security standards with a focus on improving payment account security throughout the transaction process. 

Failure to meet the requirements of PCI DSS compliance means you may be subject to huge fines which can ultimately have a detrimental affect on your business. 

Although this all may sound like a great deal of work - the benefits are significant:

• Reduces the risk of data breaches

• Helps you avoid expensive fines

•  Protects customers’ sensitive data

• Simplifies global regulatory compliance

• Provides peace of mind for everyone

How do PCI Standards Work?

If your business accepts payment cards with any of the five members of the PCI SSC credit card brands (American Express, Discover, JCB, Mastercard, and Visa), then you are required to be PCI compliant.

The level of compliance you must adhere to depends on the number of transactions you process annually. For example, if you make a high volume of transactions (as described below) you are required to work with internal security assessors (ISAs), qualified security assessors (QSAs), and PCI-approved scan vendors (ASVs).

There are four different levels of compliance; these levels stipulate the requirements for which sellers are responsible. 

PCI compliance levels

• Level 1: Merchants that process over 6 million card transactions annually

• Level 2: Merchants that process 1 to 6 million transactions annually

• Level 3: Merchants that process 20,000 to 1 million transactions annually

• Level 4: Merchants that process fewer than 20,000 transactions annually

Every level has its own set of requirements to provide, including annual reports, network scans, filling out forms, and answering questionnaires.

Most businesses (small and medium) will generally fall under the level 4 category, however, it’s worth checking

Not only will your business face its own penalties, it’s likely you’ll have to compensate your customers as well for things like credit card monitoring and identity theft insurance. 

Not only that, the damage to your business’ reputation and loss of customer trust will be impacted potentially having a huge impact on profits and the growth. 

your service provider - such as Opayo – who can guide you through PCI DSS the process.

As already stated, there are serious consequences for not being PCI compliant.

PCI Compliance Checklist Requirements

In order to prevent the consequences of not being PCI  compliant it’s vital you  adhere to the 12 PCI DSS requirements outlined below. 

Remember, the requirements may change based on your transaction volume and level of compliance your company sits in. It’s up to you to monitor your transactions and choose the right level of compliance.

Build and maintain a secure network

• Install and maintain a firewall configuration to protect data

• Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data

• Protect stored cardholder data

• Encrypt transmission of cardholder data across open, public networks

Create a vulnerability management program

• Use and regularly update anti-virus software or programs

• Develop and maintain secure systems and applications

Implement strong access control measures

• Restrict access to cardholder data by business need-to-know

• Assign a unique ID to each person with computer access

• Restrict physical access to cardholder data

Monitor and test networks regularly

• Track and monitor all access to network resources and cardholder data

• Regularly test security systems and processes

Develop an information security policy

• Maintain a policy that addresses information security for employees and contractors

• We have further details on how to become PCI compliant here.

We have further details on how to become PCI compliant here.

Opayo are PCI Compliant

As a payment service provider (PSP), it is our top priority at Opayo to ensure that all data is kept secure at all times.

Our systems are scanned quarterly by the independent Qualified Security Assessor (QSA), Trustwave, as well as an Approved Scanning Vendor (ASV) for the payment card brands.

Under the Payment Card Industry Data Security Standards (PCI DSS) Opayo is also audited every 12 months and is a fully approved Level 1 payment services provider, which is the highest level of compliance. 

We are also active members of the PCI Security Standards Council (SSC) that defines card industry global regulation.

View our PCI DSS certificate

With this in mind, businesses who use us as their payment provider can feel confident that we take online payment transactions extremely seriously and work hard to reduce the risk of a data breach occurring. 

We continuously invest in the latest technology and testing and offer state of the art fraud screening. We worry about your payment security, so our customers don’t have to. For further information click here.

Conclusion

Accepting online payments from your customers requires you adhering to a number of rules and regulations and yes, the process of reaching PCI compliance does take time and can seem like an overwhelming task, but it ultimately can save your business. 

PCI guides, checklists, and templates will help you and your teams complete day-to-day tasks associated with each requirement. 

Partnering with a payment service provider, like Opayo, can help to guide you through this process and keep your online payments program running smoothly.

If you have questions or concerns about PCI compliance or would like further information, feel free to contact us today!