PCI DSS Compliance Guide: UK Costs & Checklist

PCI compliance is a requirement for any business that accepts cards; but why it exists, how much it costs and how to achieve compliance isn’t often that clear. Read on to get a simple explanation and stop worrying about PCI.

Payment methods have changed over the years. Where people once paid for small purchases with cash and large ones with a check, today most payments are made by card. Debit and credit cards are convenient for the consumer, and new technology lets businesses like yours access the funds from those transactions quickly, but there is one significant drawback.

Payment information can be compromised. To address this risk, the biggest credit card companies in the world banded together to create a shared security standard: the Payment Card Industry Data Security Standard (PCI DSS).

What is PCI Compliance?

The PCI DSS sets out requirements for how you store, process, and transmit cardholder data. These requirements are meant to help prevent fraud and keep card data secure enough to deter breaches. No control prevents breaches absolutely, and even some of the biggest brands have suffered security incidents, but meeting the PCI standard helps defend against attackers and anyone else who may try to access payment card information with malicious intent.

PCI compliance is not a certification as such; in fact, there is no “PCI Certification”. If you process credit card information, however, you need to demonstrate that your business complies with the PCI standard.

Determining PCI Compliance

The PCI Security Standards Council publishes a PCI DSS Self-Assessment Questionnaire (SAQ). Depending on your company’s profile, it ranges from 19 to 87 pages. The checklist below summarises the elements you need in order to be PCI compliant, but it is only an overview: make sure you complete the PCI compliance questionnaire that applies to your business.

PCI Compliance Checklist

  1. Install and maintain a firewall to protect cardholder data.
  2. Do not use vendor-supplied default user names and passwords.
  3. Protect stored cardholder data.
  4. Encrypt cardholder data before transmitting it over any open or public network.
  5. Maintain anti-virus protection on devices that access cardholder data.
  6. Keep systems and applications secure.
  7. Restrict access to cardholder data to those with a business need to know.
  8. Give each person who does have access a unique user ID so that actions can be traced to an individual.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a security policy and make sure all employees know and follow it.

In some cases you may not need to complete the PCI compliance checklist yourself to verify that your company is in compliance. For instance, if you run an ecommerce store and use a payment processor that is integrated into the store platform, the onus of demonstrating PCI compliance may fall on that provider.

PCI Compliance Levels

There are four levels of PCI compliance, based on your total annual transaction volume. The thresholds below are Visa’s.

Level 1
Applies to: Merchants processing over 6 million Visa transactions annually across all channels, or global merchants identified as Level 1 by any Visa region.
PCI requirements, every year:
  1. File a Report on Compliance ("ROC") prepared by a Qualified Security Assessor ("QSA"), or by an internal auditor if signed by an officer of the company. We recommend the internal auditor obtain the PCI SSC Internal Security Assessor ("ISA") certification.
  2. Submit an Attestation of Compliance ("AOC") form.
PCI requirements, every quarter:
  1. Conduct a network scan by an Approved Scanning Vendor ("ASV").

Level 2
Applies to: Merchants processing 1 million to 6 million Visa transactions annually across all channels.
PCI requirements, every year:
  1. Complete a Self-Assessment Questionnaire ("SAQ").
  2. Submit an Attestation of Compliance ("AOC") form.
PCI requirements, every quarter:
  1. Conduct a network scan by an Approved Scanning Vendor ("ASV").

Level 3
Applies to: Merchants processing 20,000 to 1 million Visa e-commerce transactions annually.
PCI requirements, every year:
  1. Complete a Self-Assessment Questionnaire ("SAQ").
  2. Submit an Attestation of Compliance ("AOC") form.
PCI requirements, every quarter:
  1. Conduct a network scan by an Approved Scanning Vendor ("ASV").

Level 4
Applies to: Merchants processing fewer than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually.
PCI requirements, every year:
  1. Complete a Self-Assessment Questionnaire ("SAQ").
  2. Submit an Attestation of Compliance ("AOC") form.
PCI requirements, every quarter:
  1. Conduct a network scan by an Approved Scanning Vendor ("ASV"), if applicable.

Consequences of Non-Compliance

If your company is not PCI compliant, you can expect to pay a premium for card processing. “It’s the responsibility of individual processors to validate compliance, so each processor chooses whether to charge a PCI non-compliance fee, and if so, how much the fee is,” explains CardFellow. “PCI non-compliance fees typically range from $10 to $30 a month, but can go as high as $100 a month for processors interested in leveraging the fee for excessive profits.” The card brands Visa and MasterCard do not charge non-compliance fees themselves, but processors still may. Processor non-compliance charges are usually billed monthly, although some processors charge an annual fee instead.

There may also be fines. If a lack of PCI compliance leads to a data breach or other security incident, the credit card issuer will levy a compliance fine. These are one-time charges, but they are typically significant.

On top of all this, there are the costs of the data breach itself, which you must weigh if you choose not to comply with the PCI standard. Beyond fines, these can include forensic audits, damage to your brand, and more.

Fees and Service Charges

The costs of being PCI compliant vary considerably depending on your industry and the size of your company. Square estimates that the cost ranges from $1,000 to more than $50,000 per year.

Benefits of PCI Compliance

While being PCI compliant comes with certain costs, the benefits are significant. Aside from being able to avoid noncompliance fees, prevent compliance fines, and remove the costs your company will have to endure after a data breach, there is something to be said for being able to prove that your company takes data security seriously. For one, PCI compliance can help your customers feel more secure about patronizing your business because they know you hold your data security to a set standard. In addition, PCI compliance can benefit your company’s reputation amongst financial institutions. It proves that your business cares about keeping financial information secure.

Takeaway

PCI Compliance is a part of doing business. By holding the way you handle payment card data to a set standard, you help keep your customers’ information protected and prevent having to pay additional credit card processing fees monthly. While there are costs associated with meeting the PCI standard, the safeguards it demands are really just good business. Your customers will appreciate your commitment to data security and it could help financial institutions take your company more seriously.