First Data PCI Rapid Comply is one of several quick-fix solutions that aim to simplify PCI DSS compliance. Organizations that process credit card payments must comply with the Payment Card Industry (PCI) Data Security Standard (DSS). Among the tools and services available are options like PCI Rapid Comply. But, in reality, there is nothing simple or quick about PCI DSS compliance. For most organizations, a longer-term, comprehensive approach is most apt for trustworthy, seamless compliance. Read on to learn which compliance solution is best for you.
Is PCI Rapid Comply Right for Your Organization?
One of the main cost factors in any compliance engagement is speed. For this reason, a faster solution may always seem preferable. However, with PCI DSS, three considerations complicate whether PCI Rapid Comply or any other supposedly quick fix is a good fit:
- What it takes to implement cybersecurity controls commensurate to PCI compliance
- How your organization needs to report on and verify compliance, per Merchant Level
- Why it matters that compliance is flawless and airtight (i.e., the stakes of non-compliance)
These three factors show why a comprehensive PCI compliance implementation solution is the best option for most organizations. We’ll touch on how it can help throughout the sections below.
Download Our PCI DSS Checklist
PCI DSS Compliance: Required Implementation
PCI DSS Compliance begins with PCI DSS implementation. Your organization needs to install cybersecurity systems and controls that meet or exceed the twelve PCI DSS Requirements:
- Requirement 1 – Implement and maintain robust firewall configurations to protect CHD.
- Requirement 2 – Remove and replace default and vendor-supplied security settings.
- Requirement 3 – Protect CHD everywhere it exists in internal and external storage.
- Requirement 4 – Encrypt CHD for transmission across open, unsecured networks.
- Requirement 5 – Protect systems against malware with up-to-date antivirus software.
- Requirement 6 – Develop secure systems and applications; maintain their security.
- Requirement 7 – Restrict access to CHD according to users’ business need to know.
- Requirement 8 – Authenticate user identities prior to granting access to systems.
- Requirement 9 – Restrict physical and proximal access to systems containing CHD.
- Requirement 10 – Monitor access to and behaviors within systems containing CHD.
- Requirement 11 – Test security systems and processes at regular, frequent intervals.
- Requirement 12 – Maintain policies addressing security responsibilities for all staff.
An organization that already has its cybersecurity architecture fully optimized and audit-ready may benefit from a quick fix solution like PCI Rapid Comply. But there are many updates to the DSS (e.g., the impending v4.0 release), and your existing infrastructure may need adjustments. A PCI DSS advisory partner will help implement needed controls—or advise the process—and run readiness assessments in preparation.
PCI DSS Compliance: Reporting and Verification
Beyond installing the controls, there are also considerations about assessing them that might make a quick fix solution suboptimal. Different PCI stakeholders (i.e., VISA, Mastercard, etc.) require different reporting, but they all require significant compliance verification from the organizations with the largest transaction volumes.
Organizations with greater transaction volume must contract a Qualified Security Assessor (QSA) to test their controls and submit a Report on Compliance (ROC). However, merchants at lower transaction volumes need to submit an Attestation of Compliance (AOC) and/or a Self Assessment Questionnaire (SAQ), depending on their Merchant Level. Per VISA’s breakdown:
- Merchant Level 1 – Merchants that process over six million transactions annually—across all channels—must file a QSA-completed ROC along with their AOC.
- Merchant Level 2 – Merchants that process between one million and six million transactions annually—across all channels—must file a SAQ along with a verified AOC.
- Merchant Level 3 – Merchants that process between twenty thousand and one million transactions annually—in e-commerce alone—must file a SAQ along with a verified AOC.
- Merchant Level 4 – Merchants that process fewer than twenty thousand transactions annually—across all channels or up to one million VISA transactions—must file a SAQ.
A quick fix solution may not apply to a Merchant Level 1 organization, or it may be optimized specifically for a Merchant Level above (or below) what your organization needs. Further, an AOC must be filled out by an individual or third party certified as eligible to do so; often, organizations’ AOC needs are best served by a QSA.
PCI DSS Non-Compliance: Enforcement Penalties
Finally, the stakes: organizations must prioritize caution when selecting a PCI DSS compliance solution. Any minor slip-up in implementation, assessment, or anything in-between could result in an allegation, accusation, or occurrence of non-compliance. As with reporting requirements, these vary across PCI stakeholders. But generally, there are two kinds of enforceable penalties:
- Per-month fees – Penalties enforced monthly, with severity depending on Level:
- $5,000 – $10,000 for one to three months of non-compliance
- $25,000 – $50,000 for four to six months of non-compliance
- $50,000 – $100,000 for seven or more months of non-compliance
- Per-customer fees – Penalties enforced after a data breach, depending on Level:
- $50 – $90 per customer who is impacted in a data breach
Beyond these direct costs, there are also indirect consequences of non-compliance, such as reputational damage or even seizure of card processing capabilities from one or more PCI stakeholders. For these reasons, it’s imperative to solidify your PCI compliance approach.
Comprehensive, Flexible PCI Compliance Solutions
While PCI Rapid Comply is a supposedly easy solution for PCI compliance, streamlining the complex compliance process leaves much room for error. Instead, organizations need to perfect their implementation and reporting to avoid the steep fees of non-compliance.
Working with expert advisory partners over a longer term ensures greater ROI over time. So, to get started, contact us today!