What is PCI compliance and do I need to be PCI compliant?


· 17th November 2021·Wordpress Security, Online payments

Estimated read time 7 minutes


Credit card businesses must adhere to PCI compliance to help protect the safety of credit card transactions in the financial system. Payment card industry compliance refers to firms' technical and operational requirements to safeguard and preserve cardholder data supplied during card processing operations. The PCI Security Standards Council develops and manages PCI compliance standards.

What is PCI compliance and do I need to be PCI compliant?

PCI Compliance: What Is It?

Credit card businesses must adhere to PCI compliance to help protect the safety of credit card transactions in the financial system. Payment card industry compliance refers to firms' technical and operational requirements to safeguard and preserve cardholder data supplied during card processing operations. The PCI Security Standards Council develops and manages PCI compliance standards.

Understanding PCI Compliance

Credit card processing is regulated by the Federal Trade Commission (FTC) since it comes under consumer protection and regulation. While there is no legislative compulsion for PCI compliance, it is viewed as required under court precedent.

PCI compliance, in general, is a critical component of every credit card company's security process. Credit card firms often require it, and it is mentioned in credit card network agreements.

The PCI Requirements Council is responsible for developing PCI compliance standards. These standards apply to merchant processing and have been enhanced to include requirements for encrypted Internet transactions. Other significant institutions involved in the credit card industry's standard-setting process are the Card Association Network and the National Automated Clearing House (NACHA).

What if I'm not PCI compliant?

While PCI compliance is mandatory, some company owners question whether they may avoid the standards - this is an unethical and possibly disastrous idea. If you are not PCI compliant, you are risking the security of your consumers and company. Without the safeguards provided by PCI compliance, your firm may be exposed to expensive assaults and data breaches.

If a data breach happens and your organization is not PCI compliant, you may be subject to penalties and fines ranging from $5,000 to $500,000. However, penalties are just the beginning of the harm inflicted by non-compliance. If you are not PCI compliant, you risk losing your merchant account, which would prevent you from accepting credit card payments altogether. Additionally, your firm may be included on the Member Alert to Control High-Risk Merchants (MATCH) List, making you ineligible for many years to establish a new merchant account.

Additionally, a data breach might result in thousands of dollars in damages, a loss of consumer respect and confidence, and a loss of your brand. Due to the range of penalties associated with non-PCI compliance, it is always wise to be as completely compliant as possible to avoid costly fines and other damages.

What are the 12 requirements for PCI DSS compliance?

Install and Maintain Firewalls

Firewalls effectively deny access to private data to outside or unknown organizations. These precautions are often the first line of protection against hackers (malicious or otherwise). Due to their capability in preventing unauthorized access, firewalls are necessary for PCI DSS compliance.

Effective Password Protection

Routers, modems, point-of-sale (POS) systems, and other third-party goods often include generic passwords and security mechanisms readily accessible to the general public. Businesses often fail to protect these vulnerabilities. Maintaining compliance in this area involves maintaining a list of all password-protected devices and applications (or other security to access). With a device/password inventory, essential protection and setups should be implemented (e.g., changing the password).

Protect The Data Of The Cardholder

The third PCI DSS compliance obligation is to secure cardholder data in two ways. Cardholder data must be encrypted using a particular algorithm. These encryptions are implemented using encryption keys — which must likewise be encrypted for compliance purposes. Regularly maintaining and scanning primary account numbers (PAN) is necessary to verify that no unencrypted data exists.

Encrypt Transmitted Data

Cardholder data is sent through various conventional routes (i.e., payment processors, home offices from local stores, etc.). When this data is transferred to these known destinations, it must be encrypted. Additionally, account numbers should never be given to unknown sites.

Use And Maintain Anti-Virus

Outside of PCI DSS compliance, using anti-virus software is an intelligent practice. All devices that interact with and store PAN, however, must have anti-virus software installed. This software should be patched and updated regularly. Additionally, your point-of-sale supplier should use anti-virus protection in areas where it cannot be deployed directly.

Updated Software

Firewalls and anti-virus software will need to be updated regularly. Additionally, it is wise to keep all software in a corporation up to date. The majority of software programs incorporate security measures, such as patches to address newly identified vulnerabilities, as part of their updates, providing an additional layer of protection. These upgrades are significant for any software running on devices that interact with or store cardholder data.

Restrict Access To Data

Cardholder information must be strictly "need to know." All employees, executives, and third parties who do not need this information should be denied access. The responsibilities that need sensitive data should be well documented and updated regularly, as PCI DSS requires.

Unique Access Codes

Employees who do have access to cardholder data should be identified and each have their separate credentials. For example, the encrypted data should not be accessed through a single login, with several workers knowing the username and password. Unique identifiers reduce susceptibility and provide for a faster reaction time if data is compromised.

Limit Access On A Physical Level

Any data about cardholders must be physically stored in a safe area. Physically written or typed data and data stored digitally (e.g., on a hard drive) should be secured in a safe room, drawer, or cabinet. Not only should access be restricted, but whenever sensitive data is accessed, a record should be maintained to ensure compliance.

Manage Access Logs

All transactions involving cardholder data and primary account numbers (PANs) must be recorded. Perhaps the most prevalent non-compliance concern is a lack of sufficient record keeping and documentation for sensitive data access. Compliance requires tracking the flow of data entering your company and the frequency with which access is required. Additionally, software tools that track access are necessary to ensure accuracy.

Vulnerabilities Scan And Test

Each of the preceding ten compliance criteria requires the use of many software products, physical locations, and personnel. Numerous items may fail to operate correctly, become outdated, or be subject to human mistakes. We can mitigate these risks by adhering to the PCI DSS criteria for regular scans and vulnerability testing.

Policies Regarding Documents

Compliance will need documentation of the equipment, software, and workers who have access. Additionally, records of cardholder data access will require documentation. It will also be necessary to record how information enters your business, where it is held, and utilized beyond the sale point.

Advantages of PCI Compliance

Compliance advantages include a decreased risk of data breaches, the protection of cardholder data, and identity theft avoidance. Compliance is a best practice for businesses because it minimizes penalties associated with data breaches, benefits a firm's brand reputation, and ensures that consumers are satisfied and confident that they are doing business with a responsible company, resulting in brand loyalty.

All businesses that accept credit card information are obliged under their card processing agreements to maintain PCI compliance. PCI compliance is the industry standard, and businesses that do not adhere to it risk incurring significant penalties for contract breaches and carelessness. Companies that are not PCI compliant are also very exposed to theft, fraud, and data breaches.

At Fixed.net we would strongly recommend that you never touch card data. That means, use a provider like Stripe or Braintree where the card data is tokenised. Card data is not stored by you, and it is not even seen by you. A customer enters the details using an embedded widget from the payment provider website.

PCI Compliance and WordPress

WordPress is open source software and does not have a payment system built in. Instead, payment systems are bundled with plugins such as WooCommerce. These plugins usually have the ability to associate third party gateways like Stripe. If you choose a gateway where you do not touch the card data, then you do not need to be PCI Compliant.

PCI Compliance and WooCommerce

WooCommerce comes with a number of bundled payment options and you can extend it with third party plugins. We go into payment options in various other guides on this blog. However the vast majority of Fixed subscribers tend to use a combination of Stripe and PayPal.

Are there difference levels of PCI compliance?

Yes. There are four levels of PCI compliance. These come down to the volume of transactions you process.

Level 1: Merchants that process over 6 million card transactions annually. Level 2: Merchants that process 1 to 6 million transactions annually. Level 3: Merchants that process 20,000 to 1 million transactions annually. Level 4: Merchants that process fewer than 20,000 transactions annually.

I am just starting to take payments. What gateway should I choose?

We strongly recommend Stripe as a payment gateway. It is very easy to setup and there are excellent WooCommerce plugins that integrate it.

Seb de Lemos