If your company processes credit card and other card-based financial transactions, you need to abide by the Payment Card Industry Data Security Standard (PCI DSS), published by the PCI Security Standards Council (SSC). Neglecting this framework can result in severe consequences for your business.
But exactly what happens if you are not PCI compliant, and what can you do to make sure no compliance penalties are enforced on your company? This guide answers these questions and more.
What Happens if You Are Not PCI Compliant?
Before understanding how bad noncompliance can be, it’s essential to grasp just how common it is. According to Verizon’s most recent Payment Security Report, a majority of companies have failed to reach full compliance for the greater part of the past decade. The only two exceptions occurred in 2016 and 2017, in which 55.4 and 52.5 percent of businesses, respectively, fully complied.
What happened to all those companies?
In this guide, we’ll break down everything you need to know about non-compliance and how to avoid it, including:
- Non-compliance fees, who enforces them, and hidden costs
- Requirements for compliance across both PA DSS and PCI DSS
- The process of verifying compliance through a third party
But first, let’s take a quick look at exactly who needs to be compliant and why.
Who Exactly Needs to Be PCI Compliant?
Compliance with PCI DSS requirements applies more or less universally to all companies that process and store cardholder data. But the exact specifications for validating compliance differ depending on a given company’s average annual volume of payment card transactions.
There are four “levels,” per Visa’s PCI compliance support guide, which break down as follows:
- Level 4 – Merchants processing less than 20 thousand e-commerce transactions per year, as well as others processing less than one million total transactions (all channels)
- Level 3 – Merchants processing 20 thousand to one million e-commerce transactions per year, regardless of activity across all other channels (physical, payment platforms, etc.)
- Level 2 – Merchants processing one to six million transactions per year (across all channels)
- Level 1 – Merchants processing over six million transactions per year, across all channels, and Global merchants Visa deems to be level 1 in any given region
The levels are listed here in reverse order because their thresholds are highest at the lowest-numbered level (level 1). Likewise, the requirements for validating compliance are at their most stringent at level 1.
But compliance itself is the same at all levels.
Breakdown of Noncompliance Penalties
The specific penalties your company will face for PCI noncompliance depend on several factors. Firstly, your business’s size and nature will determine how large a fine or penalty you are assessed. Secondly, the extent of non-compliance is also an important determinant.
The most common ranges for fines break down across four distinct categories:
- One to three months of non-compliance – Between five thousand dollars per month for low-volume clients and ten thousand dollars per month for high-volume clients
- Four to six months of non-compliance – Between 25 thousand dollars per month for low-volume clients and 50 thousand dollars per month for high-volume clients
- Seven or more months of non-compliance – Between 50 thousand dollars per month for low-volume clients and 100 thousand dollars per month for high-volume clients
- Additional fines for data breaches – Between 50 dollars and 90 dollars per customer impacted by a data breach, again depending on monthly transaction volume
And thirdly, the actual payment processor you have a merchant account with will also determine the fine you have to pay. Surprisingly, the PCI SSC itself is not responsible for enforcement.
Who Enforces PCI Compliance Penalties?
The PCI SSC was created in 2006 when five of the most prominent stakeholders in the credit and lending industries came together: Visa, MasterCard, American Express, Discover, and JCB International.
Governance of the PCI SSC and authorship of the PCI DSS are shared equally across all five members. However, the actual verification of compliance and enforcement of noncompliance penalties is undertaken individually by each institution. In practice, this means companies never come into contact with the SSC itself; instead, they are contacted by JCB, Discover, etc.
Furthermore, the actual body that removes funds from your account in the case of a fine may be another institution altogether. For example, in a 2012 legal battle, two restaurant owners filed suit against US Bank over PCI-related penalties being removed improperly from their accounts.
The Hidden Costs of PCI Noncompliance
Direct penalties enforced by the payment processors are far from the only consequence of noncompliance. The biggest threats are cybercrime itself — direct theft, fraud, and related reputational damage.
Not following PCI requirements opens you up to potential long-term costs.
Consider these takeaways from IBM and Ponemon Institute’s study on data breaches:
- The average cost of a data breach to a company worldwide is 3.86 million dollars
- In the global healthcare industry, a data breach costs 7.13 million dollars on average
- For companies based in the US, the average cost of a data breach is 8.64 million dollars
- Across all companies, it takes an average of 280 days to identify and contain a breach
In addition, noncompliance can lead to your company being placed on the Visa/MasterCard Terminated Merchant File (TMF). This can have long-lasting reputational impacts on your ability to do business with banks, merchants, and other institutions; a listing lasts for a minimum of five years.
PCI Compliance Requirements
The primary set of PCI compliance requirements is set out in the Payment Card Industry Data Security Standard (PCI DSS), the PCI SSC’s flagship framework. But many companies also need to implement a set of requirements laid out in the Payment Application Data Security Standard (PA DSS), formerly known as Payment Application Best Practices.
Altogether, both frameworks comprise 26 total requirements (12 PCI DSS, 14 PA DSS), all of which need to be implemented independently of each other regardless of overlapping controls.
However, the PCI DSS requirements are more critical to understand and implement since a workaround for PA DSS compliance exists in the form of pre-approved platforms ready for deployment. The following sections will detail all requirements, beginning with the PCI DSS:
Breakdown of PCI DSS Requirements
At the core of the PCI DSS sit six logical groups that house its 12 main security requirements. Its requirements all break down further into sub-requirements, and there are testing procedures and guidance notes provided for each in a matrix in PCI DSS v.3.2.1, pages 19 through 155.
These groups and main requirements break down as follows:
- Build and maintain secure network systems – Including two requirements:
  - 1. Install filtering safeguards, such as firewalls, to protect cardholder data
  - 2. Replace vendor-supplied security configurations with new, stronger ones
- Protect cardholder’s sensitive data – Including two requirements:
  - 3. Encrypt and otherwise protect cardholder data stored on internal servers
  - 4. Encrypt and otherwise protect cardholder data transmitted on public networks
- Develop a vulnerability management program – Including two requirements:
  - 5. Keep antivirus and anti-malware software up to date
  - 6. Monitor for and patch security vulnerabilities across systems and applications
- Implement a strong access control program – Including three requirements:
  - 7. Restrict access to cardholder data by given users’ “business need to know”
  - 8. Restrict access to cardholder data with robust authentication protocols (MFA)
  - 9. Restrict physical access to cardholder data with physical hardware safeguards
- Test and monitor your networks regularly – Including two requirements:
  - 10. Monitor all access to networks and systems connected to cardholder data
  - 11. Test the security of networks and systems regularly to protect cardholder data
- Develop and update an information security policy – Including just one requirement:
  - 12. Develop, update, and disseminate company-wide policies for data security
While these 12 requirements offer comprehensive security oversight of card-based payments, they fail to address elements of payment application systems. Hence the PA DSS.
Breakdown of PA DSS Requirements
Similar to the PCI DSS, the core of PA DSS comprises 14 security requirements. These aren’t distributed in groups, but they break down into sub-requirements, with guidance, like those in PCI DSS. Similarly, they are detailed in a matrix in PA DSS v.3.2, pages 14 through 74.
The 14 requirements of PA DSS, including overlaps with PCI DSS, break down as follows:
- Requirement 1 – Do not store or otherwise retain sensitive card verification or PIN data
- Requirement 2 – Protect all stored cardholder data that is retained, i.e., with encryption
- Requirement 3 – Utilize authentication features to restrict access to cardholder data
- Requirement 4 – Log and analyze information relevant to payment application activity
- Requirement 5 – Develop secure infrastructure and practices on payment applications
- Requirement 6 – Safeguard all transmissions that occur across wireless networks
- Requirement 7 – Monitor for vulnerabilities and maintain up-to-date application patches
- Requirement 8 – Facilitate maintenance of network security integrity for safe data traffic
- Requirement 9 – Ensure cardholder data is never stored on internet-connected servers
- Requirement 10 – Secure and facilitate remote (cloud) access to payment applications
- Requirement 11 – Use encryption for all transfers of sensitive data on public networks
- Requirement 12 – Secure all administrative, non-console access to cardholder data
- Requirement 13 – Provide a PA DSS implementation guide for clients, customers, etc.
- Requirement 14 – Assign PA DSS responsibilities and devise training for all personnel
Implementation of all 14 requirements is not necessarily required for all companies. PCI SSC publishes a list of verified PA DSS compliant applications, including many ready for immediate deployment. But the list frequently changes, so you need to monitor for continuous compliance.
Assessment, Verification, and Compliance
Compliance with PCI DSS and PA DSS, along with other PCI frameworks, takes more than just implementing all requirements and sub-requirements. Your company also needs to document and verify implementation through internal reporting or external audit, depending on your level.
To return to Visa’s PCI guide, compliance verification requirements break down as follows:
- Level 4 – Annual completion of a Self Assessment Questionnaire (SAQ) from PCI SSC, or equivalent exercise that falls within Visa’s requirements for small businesses
- Level 3 – Annual completion of an SAQ, along with self-submission of an Attestation of Compliance (AOC) form, also available from the PCI SSC’s Document Library
- Level 2 – Same requirements as level 3, except in exceptional cases determined by the SSC
- Level 1 – Annual submission of a Report on Compliance (ROC) form, verified by a Qualified Security Assessor (QSA) or internal personnel, along with AOC submission
In addition to these annual reports, certain other PCI compliance elements require more frequent, third-party verification. For example, PCI DSS requirement 11.2.2 calls for regular vulnerability scans by approved scanning vendors (ASV) once per quarter for most companies.
The Impact of Professional Advisory Services
The best way to cover all your bases and guarantee none of the consequences detailed above happen to you is by contracting with a services provider for all-in-one PCI DSS services. Here at RSI Security, we offer everything you need for immediate and long-term compliance, including:
- Comprehensive PCI implementation verification (ROC, AOC, etc.)
- External vulnerability scanning (ASV services, per requirement 11.2.2)
- PCI gap assessment and patch management (per requirement 6.2)
- Internal and external penetration testing focused on PCI controls
- Scope reduction discovery to define and protect PCI assets
- Live and asynchronous employee education and training
- PCI QSA remediation guidance and management
See our PCI DSS Data Sheet for more information on how we can help. The talented team at RSI Security has helped companies achieve PCI and broader compliance (HIPAA, etc.) for over a decade. Now that you know what happens if you are not PCI compliant, it should be clear just how important it is to get your defenses in order. Contact RSI Security today to get started!