5 Things to Know About the PCI Software Security Framework in 2019


Everyone sells something online nowadays. Through social media networks, people sell a digital image of themselves to the world. While this image doesn’t often translate directly into money, it can translate into career advancement—through LinkedIn—or brand awareness—through Facebook pages.

You can run Instagram ads and send people to your website, where you offer a valuable product or service. You can create a Facebook shop and sell products directly to Facebook users. You can build a digital shop through e-commerce platforms like Shopify. In our digital age, you can do a lot of things that translate directly or indirectly into a sale.

You can sell any product or service you want. You can sell to any person or entity throughout the world. You can choose a strictly digital product or a physical object that needs to be delivered to your customer’s chosen location. In our age of advanced technology and consumer-centric society, there are many options for almost any type of entrepreneurial objective.

There is one thing that should never be seen as optional—PCI compliance, which is the only regulatory guideline that stands between cybercriminals and credit card data. PCI compliance can be the difference between a safe financial transaction and credit card fraud. The latter can be the difference between a successful business and failure.

Read on to learn five key facts about PCI compliance, including how it relates to your business, what you can do to achieve compliance, and what bad fortunes can befall a business that fails to achieve PCI compliance.

1. What Are PCI DSS, SSC, and PA-DSS—Making Sense of All the Acronyms

Technology and legal terminologies are often filled with acronyms, and it can be hard to make sense of the meaning. The following explanations can help you understand the most important PCI terms and how they relate to your business.

PCI SSC = The Regulation Entity

The Payment Card Industry Security Standards Council (PCI SSC) is a council that was formed for the purpose of managing the development of PCI standards. The council is maintained by the following payment brands: Visa, American Express, MasterCard, JCB, and Discover.

PCI DSS = The Standards Enforced On Your Business

The Payment Card Industry Data Security Standard (PCI DSS) is made up of guidelines created to regulate the protection of credit card information and related sensitive data. PCI DSS relates to every aspect of your security ecosystem—from the network and hosting to software and users, data management and security, and personnel training.

PCI PA-DSS = The Standards Enforced On Your Software Provider

The Payment Application Data Security Standard (PCI PA-DSS) regulates the security controls that payment applications must implement. PCI PA-DSS ensures software vendors provide their clients with PCI compliance-ready software and covers the PCI standards relevant to the PCI software security framework.

2. Why Is PCI Compliance Important?

Full PCI compliance helps businesses maintain the security of payment information as it passes through the systems of the business. Any credit card data that comes into contact with your systems should be protected according to the PCI standards, including:

  • Cardholder Data (CHD)—such as the Primary Account Number (PAN), cardholder name, service code, and expiration date.
  • Sensitive Authentication Data (SAD)—such as full magnetic-stripe data, card security codes, and Personal Identification Number (PIN) codes.

According to Verizon’s PCI report, there’s a strong connection between noncompliance with PCI DSS and data breaches. During Verizon’s investigation, none of the companies that were breached were PCI-compliant. This conclusion is reinforced by a 2017 SecurityMetrics study, which revealed that merchants that weren’t compliant with a minimum of 47 percent of PCI DSS requirements were breached.

Data breaches can cost $4 million, not to mention the loss of brand authority once word gets out that you were breached. You can find yourself losing customers and business partners while fending off lawsuits, audits, and fines. For this reason, the PCI DSS strictly prohibits storing SAD after authorization and encourages enforcing overall cybersecurity controls.

3. Is PCI Compliance Relevant to You?

The short answer is—yes, if you handle cardholder data and sensitive authentication data in any capacity. PCI compliance is relevant to you, even if you don’t store the payment information, even if you integrate with third-party payment providers, and even if your systems just high-five the payment token as it makes its way out of the consumer’s pocket and into your business account.

According to the PCI SSC, PCI DSS compliance is relevant to all merchants that accept card payments for goods and services. So whether you have a side drop shipping business that sells handcrafted pendants from Zanzibar, a digital course about creating a viable chocolate e-shop, or an online computer repair service—accepting card payments means you need to be compliant.

The good news is—the PCI SSC differentiates between merchants, according to the number of transactions the merchant processes.

The Four Levels of Merchants

  • Level 1: Processes over 6 million transactions per year
  • Level 2: Processes 1-6 million transactions per year
  • Level 3: Processes 20,000-1,000,000 transactions per year
  • Level 4: Processes less than 20,000 transactions per year

The scope of PCI compliance varies by merchant level, with level 1 merchants required to meet the highest level of standards. If you store data in the cloud, you have to be especially careful: depending on your deployment model, you will share varying degrees of responsibility with your cloud provider. You can also take advantage of a third-party service that will help you upload files securely to the cloud.

You should make sure that any products and services you use are certified at the required level and adhere to the highest payment security standards. That way, even if your business falls into one of the lower merchant levels, you’ll enjoy an extensive, level 1 payment security ecosystem, including payment fraud detection and protection.

4. What Are the Penalties for PCI Compliance Violations?

After reading the sections above, you should be able to determine whether PCI compliance is relevant to you. Chances are, if you’re selling something online, PCI compliance applies to you. You should know that PCI compliance is not optional for merchants: merchants at every level must comply with the PCI DSS requirements.

Merchants are subject to PCI audits and will be required to undergo investigations, at the discretion of the card payment brand, to ensure the continuous protection of cardholders. That means card companies can and will investigate your business. If your business is found in violation of PCI DSS standards, you might get slapped with fines starting as low as $5,000 and reaching up to $100,000.

5. How to Check the Status of Your PCI Compliance

It is up to you to determine the scope of the PCI compliance required of your business at its current merchant level. You own the responsibility and the power to ensure your business is covered and your customers’ payment data is protected.

There are a number of ways to check the status of your PCI compliance, including:

  • PCI Compliance Qualified Security Assessors (QSA)—professionals certified and trained to evaluate the status of your PCI compliance, offer insights, and recommend solutions.
  • PCI Compliance Self-Assessment Questionnaire (SAQ)—a list of questions that can help you assess the status of your PCI compliance. Once you complete the SAQ, you can submit it for review.

You can use the SAQ as an evaluation guide or hire an assessor. Either way, you need to submit a report that evaluates the scope of PCI compliance your business has achieved. Since PCI compliance can be complex for any business, it is recommended to:

  • Ensure that any system, software, or network you introduce into your digital operation offers as many PCI compliance controls as possible.
  • Continuously monitor and assess all your digital assets to ensure all payment information is protected.
  • Use data security controls such as encryption and tokenization to mask and render payment information useless for cybercriminals.
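
The last two recommendations, monitoring your assets for unprotected payment data and masking or tokenizing it, can be made concrete in a few dozen lines. The following Python module is an added illustration and is not part of the original article or of any PCI SSC material. It scans constructed log lines for card-number-shaped values, keeps only those that pass the Luhn checksum, masks them to the first six and last four digits (the most PCI DSS allows to be displayed), and swaps a PAN for a random surrogate token. The log lines, the order ids and the `TokenVault` class are all constructed for this example; `4111111111111111` is a widely used test number, not a real card.

```python
"""Constructed example: finding and neutralising PANs in application data.

  * detection    - scan log lines for card-number-shaped values and keep only
                   those that pass the Luhn check (PAN must be protected
                   wherever it ends up, including logs);
  * masking      - render a PAN for display as first 6 / last 4 digits;
  * tokenization - replace the PAN with a random surrogate so that downstream
                   systems (order history, analytics) never hold the real number.
"""
import re
import secrets

# Constructed sample log lines (not from any real system).
SAMPLE_LOG_LINES = [
    "2019-03-01T10:02:11Z checkout order=98213 card=4111111111111111 status=ok",  # valid test PAN
    "2019-03-01T10:02:12Z checkout order=1234567812345678 status=ok",  # 16 digits, fails Luhn
    "2019-03-01T10:02:13Z payment token=tok_3c9e8f1a2b7d4e60 status=ok",  # token only, no PAN
]

# 13-19 digits, optionally separated by single spaces or hyphens.
_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid card numbers found in text, with separators removed."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; everything else becomes '*'."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact_line(line: str) -> str:
    """Replace every Luhn-valid PAN in a log line with its masked form."""
    def _sub(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return _CANDIDATE.sub(_sub, line)


def scan_logs(lines: list[str]) -> list[tuple[int, str]]:
    """Return (line number, masked PAN) for every PAN found; the report never carries the PAN."""
    return [(n, mask_pan(p)) for n, line in enumerate(lines, 1) for p in find_pans(line)]


class TokenVault:
    """Minimal in-memory token vault (constructed stand-in, illustration only).

    A production vault is a separately secured system inside PCI scope; here a
    dict stands in for it so the example runs offline. Only the vault holds
    PANs; every other system stores just the token.
    """

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        token = "tok_" + secrets.token_hex(8)  # random; derives nothing from the PAN
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


if __name__ == "__main__":
    for n, masked in scan_logs(SAMPLE_LOG_LINES):
        print(f"line {n}: PAN found -> {masked}")
    vault = TokenVault()
    tok = vault.tokenize("4111111111111111")
    print("stored downstream:", tok, "| vault resolves to:", mask_pan(vault.detokenize(tok)))
```

Running the module reports the PAN on line 1 in masked form only, ignores the Luhn-invalid order id on line 2, and finds nothing on line 3, which is what a log line should look like once the application stores tokens instead of card numbers. The Luhn filter is what keeps a scanner like this usable: without it, every 16-digit order or invoice number becomes a false positive.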

The Bottom Line—Are You PCI-Compliant?

Depending on the number of transactions your organization has to process, you will need to ensure that you are compliant with the PCI DSS. If you fail to meet the standards, you could end up facing significant legal and financial repercussions. To be on the safe side, I’d recommend taking advantage of services that are Level 1 PCI DSS certified, so that regardless of your company’s current size and obligations, you will be able to expand and ensure your customers’ payment card data is as secure as possible.