Even organizations that process transactions through secured payment platforms (such as PayPal or Stripe) may be required to meet some of these compliance requirements.
This standard was created to prevent the devastating consequences of financial data breaches for businesses and consumers alike. Companies found to not be in compliance after a breach face serious fines and penalties.
Full compliance with the PCI DSS standard covers six main areas of your system through 12 high-level controls. For most organizations, these must be validated every year. The Nathan teams are PCI DSS experts and Qualified Security Assessors, with an extensive guide written on the standard and years of experience as a trusted partner for both compliance and validation.
Who Should Comply with PCI DSS?
Any organization that processes card data must comply with PCI DSS. Merchants are usually businesses taking payment for a service they sell, such as a retailer or call center.
Depending on how a merchant processes card payments, and how many transactions they process per year, requirements for demonstrating compliance with PCI DSS will vary.
PCI DSS can also apply to organizations that provide services to businesses that handle credit card data, such as data centers and managed service providers.
This is true even if the service provider itself does not process card payments or have access to credit card information. As well as supporting their own customers’ PCI DSS compliance, service providers can differentiate themselves from their competition by becoming compliant with PCI DSS.
Why is PCI Compliance Important?
The United States is responsible for more than a third of the total global losses to payment card fraud, making it the most card fraud-prone country in the world. This is according to a 2020 Nilson Report, one of the most respected sources of news and analysis of the global card and mobile payment industry. It is estimated that the U.S. saw $11 billion worth of losses during that period. Complying with the PCI DSS allows your organization to demonstrate your commitment to maintaining a secure environment for your bank and your customers.
Your organization can reduce the risk of a breach of credit card data by:
Implementing PCI DSS controls appropriate to how you store, process, and transmit cardholder data.
Engaging a QSA to independently validate your compliance.
Maintaining PCI DSS requirements as “business as usual”.
What Are The Penalties For Non-compliance With The PCI DSS?
Any organization that handles credit card data but fails to comply with PCI DSS is at risk of a number of financial and reputational consequences, including:
Non-compliance fees – a regular fine from your bank for failing to be compliant.
Reputational damage in the event of a breach.
Inability to process payments.
Fines from your bank in the event of a breach.
To help reduce risk and avoid penalties as a result of a breach or non-compliance, organizations must understand how they store, process, and transmit credit card data, and ensure that all applicable requirements of PCI DSS are in place.
What Are The 12 Requirements For PCI DSS?
The PCI DSS is divided into 12 sections, each containing a series of specific requirements. In total there are over 300 individual requirements, and depending on how you process card payments, some or all of these will apply to your organization.