What is PCI Compliance?

Nuvei recognizes the need for the highest security available to protect our merchants and their customers. In compliance with PCI Data Security Standards, we have met and surpassed all requirements set forth as a Level 1 Service Provider.

The phrase ‘prevention is better than cure’ applies to payments as much as to any other field.

Payment card industry (PCI) compliance is an essential part of an effective fraud prevention program. Let’s take a look at what it is and how it works.

But before that, let’s briefly survey exactly why it’s needed.

The scale of fraud

The average cost of a data breach worldwide reached an all-time high of 4.35 million USD in 2022.

The Canadian Anti-Fraud Centre (CAFC) recorded 29,500 cases of identity fraud alone in Canada in 2021, compared with 20,400 the year before.

And in the UK, 1.3 billion GBP was stolen through authorised and unauthorised fraud in 2021.

Prevention played a role in the bigger picture: UK banks and financial institutions stopped a further 1.4 billion GBP of attempted fraud in the same year.

But there are many challenges facing businesses and the payments industry in the years ahead.

The annual worldwide cost of cybercrime is predicted to rise from 6 trillion USD in 2023 to 10.5 trillion in 2025.

PCI compliance for your business

Like every business owner, you’re busy running your company and taking care of a million different things every single day. There’s little to no time in your day for matters that don’t concern the day-to-day operations of your business.

Fraud prevention, however, should be one of those day-to-day priorities.

Your patrons’ trust is one of the most valuable assets your business has. Stolen personal data can destroy the trust and good relationships that you build with your clients over the years.

A data breach can seriously damage your brand’s reputation. And there’s a high cost associated with the breach.

Many merchants think that data breaches only happen to big companies. But in reality, the vast majority of credit card data breaches have affected smaller companies.

That’s why it’s so important to follow payment card industry compliance rules and regulations and stay compliant at all times.

Otherwise, you face a range of risks: fines, lost time, lost customers, legal fees, and a damaged reputation.

What is PCI compliance?

PCI compliance refers to adherence to the Payment Card Industry Data Security Standard (PCI DSS) – a set of security requirements aimed at protecting cardholder data during transactions.

The card brands themselves (Visa, MasterCard, American Express, Discover and JCB) require PCI compliance through their operating rules, and they founded the PCI Security Standards Council (PCI SSC), which maintains the standard.

There is no PCI SSC-issued ‘certificate’. Every organisation that stores, processes or transmits cardholder data must comply with the PCI DSS; what differs is how compliance is validated. Service providers, banks and high-volume merchants undergo an annual on-site assessment by a Qualified Security Assessor (QSA), documented in a Report on Compliance (ROC); smaller merchants complete a Self-Assessment Questionnaire (SAQ). In both cases an Attestation of Compliance (AOC) is signed and submitted to the acquirer or card brand.

What are the PCI compliance requirements?

There are different levels of PCI compliance validation (see below, ‘Are there different PCI compliance levels?’). Within the standard itself, each of the 12 principal requirements is broken down into:

  • Principal requirements (the 12 high-level requirements listed below)
  • Sub-requirements (the detailed controls under each principal requirement)
  • Testing procedures (how an assessor verifies each control is in place)

These are occasionally updated, so it’s always worth checking the Official PCI Security Standards Council’s website for news and information on updates.

The principal PCI DSS requirements

Below is a high-level overview of the 12 PCI DSS requirements from v4.0, published March 2022 (see below, ‘What is PCI DSS v4.0?’).

Build and Maintain a Secure Network and Systems

  1. Install and Maintain Network Security Controls
  2. Apply Secure Configurations to All System Components

Protect Account Data

  3. Protect Stored Account Data
  4. Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks

Maintain a Vulnerability Management Program

  5. Protect All Systems and Networks from Malicious Software
  6. Develop and Maintain Secure Systems and Software

Implement Strong Access Control Measures

  7. Restrict Access to System Components and Cardholder Data by Business Need to Know
  8. Identify Users and Authenticate Access to System Components
  9. Restrict Physical Access to Cardholder Data

Regularly Monitor and Test Networks

  10. Log and Monitor All Access to System Components and Cardholder Data
  11. Test Security of Systems and Networks Regularly

Maintain an Information Security Policy

  12. Support Information Security with Organizational Policies and Programs
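Requirements 3 and 10 meet in practice in one common failure: full card numbers leaking into application logs. The script below is an added example (not Nuvei’s code and not part of the standard) that scans constructed log lines for Luhn-valid primary account numbers (PANs) and masks them so that at most the first six and last four digits remain, the masking format PCI DSS permits for display. The log lines and the well-known test card numbers in them are made up for the example; a 13-digit order ID is included to show that the Luhn check keeps it from being masked by mistake.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines (not real transactions; the PANs are public test numbers).
SAMPLE_LOG = [
    "2023-03-01T12:00:00Z INFO payment ok order=1234567890123 pan=4111111111111111",
    '2023-03-01T12:00:05Z WARN retry pan="5500 0000 0000 0004" amount=19.99',
    "2023-03-01T12:00:09Z INFO health check ok",
]


def luhn_ok(digits):
    """True if the digit string passes the Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Mask a PAN so that only the first six and last four digits remain visible."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _is_pan(candidate):
    """A candidate counts as a PAN only if its digit count fits a card and Luhn passes."""
    digits = re.sub(r"\D", "", candidate)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def find_pans(text):
    """Return the Luhn-valid PAN candidates found in text, as they appear in it."""
    return [m.group() for m in PAN_RE.finditer(text) if _is_pan(m.group())]


def redact_line(line):
    """Replace each Luhn-valid PAN in line with its masked form. Returns (new_line, count)."""
    count = 0

    def repl(m):
        nonlocal count
        if _is_pan(m.group()):
            count += 1
            return mask_pan(m.group())
        return m.group()          # digit run that is not a card number: leave it alone

    return PAN_RE.sub(repl, line), count


def redact_log(lines):
    """Redact every line of a log. Returns (redacted_lines, total_pans_found)."""
    out, total = [], 0
    for line in lines:
        new_line, n = redact_line(line)
        out.append(new_line)
        total += n
    return out, total


if __name__ == "__main__":
    redacted, n = redact_log(SAMPLE_LOG)
    print(f"{n} PAN(s) masked")
    for line in redacted:
        print(line)
```

Run against the sample, it masks the two card numbers and leaves the order ID untouched. The same detector is useful as a pre-commit or log-pipeline check: any hit is evidence that a system outside the intended scope is handling full PANs, which widens the cardholder data environment and the scope of your next assessment.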

Are there different PCI compliance ‘levels’?

Yes, there are four different PCI compliance merchant levels. They are each based on a different transaction volume range over 12 months.

See the table below for the different merchant levels as defined by Visa.

The 4 merchant levels of PCI compliance

[Table]

What are the penalties for non-compliance?

Non-compliance with PCI standards can be very costly.

Acquiring banks face fines of anywhere from $5,000 to $100,000 per month for PCI compliance violations.

These sums could be critical for smaller organizations, and force them to go out of business.

Merchants aren’t always fined directly, but penalties can affect them downstream via increased transaction fees or even termination of banking relationships.

Advantages of PCI DSS compliance

  1. Prevents or reduces fraud

PCI compliance helps companies implement best practices that prevent or reduce fraud. The standard is updated periodically with input from a range of industry experts.

  2. Builds trust with customers and partners

Knowing that your company is PCI compliant reassures others that your company can maintain secure systems.

And some potential partners, particularly larger companies, may require it.

  3. Supports compliance with other frameworks

Being PCI compliant places your company in a good position to meet several other security compliance frameworks and standards.

These include:

  • ISO/IEC 27001
  • GDPR (General Data Protection Regulation)
  • HIPAA (Health Insurance Portability and Accountability Act)
  • SOC (System and Organization Controls)

This is in large part because the underlying controls (access control, logging, encryption, vulnerability management) carry over from one framework to another.

Disadvantages of PCI DSS compliance

  1. It’s technical and complicated

PCI compliance covers a wide range of payment processing-related areas, including network security, data storage, and encryption.

Implementing its requirements to a high standard takes a deep and varied knowledge of a sophisticated and technical field.

The PCI DSS is also periodically updated to address new security threats and vulnerabilities. Staying compliant means keeping up to date with these changes and implementing them.

  2. It’s expensive

The exact cost of achieving and validating compliance depends on the size and scale of your organisation, which merchant or service provider level applies to you, and whether you validate by SAQ or by a QSA-led assessment.

Besides using your internal resources, it also requires third-party partnerships.

There are approximate estimates for average costs online from various sources. They tend to converge at around 20,000 USD for small companies and between 35,000 – 200,000 USD for larger ones.

Other costs include quarterly external vulnerability scanning, internal vulnerability scanning, and annual external and internal penetration tests.

How many companies are PCI compliant?

PCI compliance is mandatory for all organisations that store, process or transmit cardholder data.

Back in 2017, Verizon’s global managing director for security consulting, Rodolphe Simonetti, commented:

“Whilst it is good to see PCI compliance increasing, the fact remains that over 40 percent of the global organizations we assessed – large and small – are still not meeting PCI DSS compliance standards. Of those that pass validation, nearly half fall out of compliance within a year — and many much sooner.”

According to Verizon’s later Payment Security Report, the share of assessed organisations maintaining full PCI DSS compliance rose to 43.4% in 2020, from 27.9% in 2019. Put the other way round, more than half of assessed organisations still let compliance lapse between assessments.

The importance of performing regular vulnerability scans

Many data security breaches, however, are preventable. Most still rely on unsophisticated techniques and can be repelled with strong basic defences.

PCI DSS Requirement 11 calls for internal and external vulnerability scans at least once every three months, and again after any significant change to the environment. External scans must be performed by a PCI SSC Approved Scanning Vendor (ASV); internal scans must be performed by qualified personnel.

Nuvei’s compliance scan includes both internal and external vulnerability scans via our ASV. Both scans must be performed regularly, and any high-risk finding must be remediated and rescanned until a passing scan is obtained.

A vulnerability scanner is a program designed to scan the weak points in your networks and find areas that need improvement. It also assesses your setup.

The scanner identifies the points where the network is open to compromises by checking:

  • Ports
  • Devices that might connect remotely
  • Security cameras
  • Website

An external vulnerability scan looks for holes in your network firewalls, where malicious outsiders can break in and attack your network.
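Between quarterly ASV scans, a practitioner typically runs their own external scan and compares the result with what each internet-facing host is supposed to expose. The script below is an added example (not Nuvei’s code and not an ASV tool) that parses scanner output in nmap’s XML format and reports two kinds of finding: open ports that are not on a per-host allow-list, and services that transmit data in cleartext, which Requirements 2 and 4 do not permit on systems in or connected to the cardholder data environment. The XML document, the host addresses and the allow-list are all constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed scanner output in nmap's XML format (hand-written sample, not a real scan).
SAMPLE_SCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/><service name="http-proxy"/></port>
    </ports>
  </host>
  <host>
    <address addr="203.0.113.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Hypothetical exposure policy: the only ports each internet-facing host should expose.
ALLOWED_PORTS = {
    "203.0.113.10": {443},
    "203.0.113.11": {443},
}

# Services that carry credentials or data in cleartext; their presence on a host facing
# the cardholder data environment is a finding regardless of the allow-list.
CLEARTEXT_SERVICES = {"ftp", "telnet", "http", "rlogin", "pop3", "imap"}


def parse_open_ports(xml_text):
    """Return {ip: {port: service_name}} for every port the scan reports as open."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        open_ports = {}
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                      # closed/filtered ports are not exposure
            service = port.find("service")
            name = service.get("name") if service is not None else "unknown"
            open_ports[int(port.get("portid"))] = name
        hosts[ip] = open_ports
    return hosts


def triage(hosts, allowed, cleartext=CLEARTEXT_SERVICES):
    """Return (ip, port, reason) findings that need remediation before the next scan."""
    findings = []
    for ip, ports in sorted(hosts.items()):
        permitted = allowed.get(ip, set())    # unknown host: nothing is permitted
        for port, name in sorted(ports.items()):
            if port not in permitted:
                findings.append((ip, port, f"unexpected open port ({name})"))
            if name in cleartext:
                findings.append((ip, port, f"cleartext service {name}"))
    return findings


if __name__ == "__main__":
    for ip, port, reason in triage(parse_open_ports(SAMPLE_SCAN_XML), ALLOWED_PORTS):
        print(f"{ip}:{port}  {reason}")
```

On the sample it flags SSH and MySQL exposed on the first host and FTP on the second, the database port being exactly the kind of finding that fails an ASV scan. Note that an ASV applies its own pass/fail rules on top of this (any vulnerability with a CVSS base score of 4.0 or higher fails the scan), so an allow-list check is a complement to the ASV scan, not a replacement for it.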

The fines possible for breaches (see above, ‘What are the penalties for non-compliance?’) could become critical for a smaller company. It could even force it to go out of business.

That’s why it’s so important to perform a compliance scan on a regular basis.

It’s much easier to take actions to prevent a breach from happening than it is to deal with consequences after.

Other PCI compliance-related questions:

What card transactions does PCI compliance apply to?

PCI compliance applies to all debit, credit and prepaid cards branded with the logo of one of the five card brands that founded and participate in the PCI SSC:

  • American Express
  • Discover
  • JCB
  • MasterCard
  • Visa International

What exactly is ‘cardholder data’?

Cardholder data, as PCI DSS defines it, is at minimum the full primary account number (PAN), whether stored, processed or transmitted, together with the cardholder name, expiration date and service code when they appear with the PAN. Sensitive authentication data (full magnetic-stripe or chip data, the CVV/CVC security code, and PIN data) is treated separately: it must never be stored after authorisation, even if encrypted.

Where can I find the PCI Data Security Standards (PCI DSS)?

Nuvei has been validated as compliant with the Payment Card Industry (PCI) Data Security Standard (DSS) using its prescribed validation methods.

You can find them on the PCI SSC’s Website.

What is PCI DSS v4.0?

Since it was first launched in 2006, PCI DSS has undergone several updates. PCI DSS v4.0 is the latest version. Its development began back in 2017 and it was released in 2022.

It replaces a previous version (PCI DSS v3.2.1) which is also valid, but only until 31 March 2024.

PCI DSS v4.0‘s stated goals are:

  • Ensure the standard continues to meet the security needs of the payments industry
  • Add flexibility to support different technologies being used to achieve security
  • Promote security as a continuous process
  • Enhance validation methods and procedures

An example of how v4.0 pursues the first goal is the requirement for multi-factor authentication for all access into the cardholder data environment (CDE), in addition to the existing requirement for MFA on remote access. Like several other new v4.0 controls, this one is future-dated: it is a best practice until 31 March 2025, after which it becomes mandatory.

What if I only accept credit cards over the phone, does PCI still apply to me?

As mentioned above, any business which stores, processes, or transmits cardholder data must be PCI compliant.

If my business has multiple locations do I need to validate PCI Compliance for each location?

Unless each location processes under a different Tax ID, then you are only required to validate once annually for all locations. You may also be required to submit quarterly passing network scans by a PCI SSC Approved Scanning Vendor (ASV), if applicable.

Nuvei’s PCI compliance self-assessment questionnaire (SAQ)

Our self-assessment questionnaire (SAQ) is designed to help businesses create proper business processes and procedures to keep their customers’ sensitive data safe.

It consists of a list of questions that help merchants understand correct PCI processes on an intuitive level.

For example:

Are hardcopy materials cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed?

At its core, this question tells you how hardcopy materials are supposed to be disposed of in a PCI compliant way.

Each question provides clarification and guidance and helps create internal processes and correct practices for your business.

Head to the website of our PCI solution provider to take our SAQ. The website will guide you through the steps and help you select the right category for your business.

Conclusion

The rising scale of fraud underlines the importance of PCI compliance in protecting cardholder data.

PCI compliance refers to adherence to the Payment Card Industry Data Security Standard (PCI DSS), which is maintained by the PCI Security Standards Council.

The requirements for PCI compliance include points such as:

  • Building and maintaining secure networks and systems
  • Protecting payment card data
  • Maintaining a vulnerability management program

and more.

PCI DSS compliance has several advantages, including preventing or reducing fraud, building trust with customers and partners, and building eligibility for additional regulations.

However, there are also some disadvantages. It is technical and complicated and expensive – though the exact cost of gaining certification depends on the size and scale of the organization.

Non-compliance can lead to significant fines for financial institutions, increased transaction fees, or even termination of banking relationships for their customers.

To maintain compliance, businesses should perform regular vulnerability scans to identify and address weaknesses in their networks.

Using a self-assessment questionnaire (SAQ) can help businesses understand and implement proper PCI processes.
