Revel Blog

What is PCI Compliance? A Guide to PCI Requirements & Standards

Julie Holkeboer | October 20, 2022

PCI Compliance Explained

PCI compliance is one of the most important things you need to know as a business offering credit card services. Unfortunately, not all companies know about it, or if they do, they may fail to follow it.

The reality is that non-compliance leads to severe consequences that can impact your bottom line. More importantly, you’ll also be putting the privacy and security of your customers at risk.

Today, we’ll talk about Payment Card Industry Data Security Standard (PCI DSS) compliance, what it’s about, and how your company can become fully compliant with this standard.

What is PCI Compliance?

Anytime your business deals with credit card payments, it needs PCI DSS compliance (also referred to as simply PCI compliance).

PCI DSS is a set of rules and regulations that govern how credit card transactions must be handled by businesses that use them. The protocols describe how to safely and adequately process, store, and transmit credit card information whenever a customer decides to pay with their card at your company. The goal is to eliminate fraud and data theft.

PCI DSS certifications are handled by the PCI Security Standards Council or PCI SSC. This council is an independent body formed in 2006 by the top credit card providers in the world, including Visa, Mastercard, Discover, and American Express.

Because they deal with data security, PCI standards are usually left in the care of the IT department or, in bigger companies, a PCI compliance manager certified by the PCI SSC.

PCI credit card compliance revolves around a certain number of goals. The most important is building a secure network around cardholder data to prevent hacks and breaches. Companies should perform simple but crucial best practices like adequately configuring a firewall and implementing a robust password system. There should also be multiple layers of PCI security in your system, involving both virtual and physical protection.

When cardholder data needs to be retrieved from your system, your business should implement robust access control measures. That means restricting access to credit card data to only certain people and carefully monitoring them.

You should also know that PCI security standards are for any company that uses credit cards, and are not limited to just big businesses.

Why Following PCI Standards is Important for Your Business

PCI compliance saves you from headaches and hefty fines if you regularly deal with credit card transactions across your organization. 

Credit card fraud and theft are challenging issues. On a practical side, they cost money, time, and effort that's best spent elsewhere in your business. You then have to deal with the negative light they could cast on your business. Once people know your business as vulnerable to security breaches, they won't trust their card information with you as much. For companies that rely on online payments, this can be a massive blow to your revenue.

On top of this, you have PCI requirements violations to consider. If it is found that you fell short of proper PCI standards during a breach, you could be subject to steep fines from the organization that processed your credit card transactions, according to ComplianceGuide.org.

The fact is that credit card theft can happen, even with PCI-compliant companies. However, meeting PCI security standards will help lessen or eliminate your liabilities. For smaller businesses, this is especially crucial.

The bottom line is that PCI compliance makes your company a much more trustworthy place to do business.

PCI Compliance Requirements and Levels

If your business uses any of the major credit cards from member providers in the PCI SSC, then you need to be compliant.

PCI compliance comes in four levels, each with its own PCI requirements. What level you need to qualify for will depend on the volume of transactions that your business sees, as well as several other factors. You need to understand which category your business fits into, or risk complying with the wrong one.

To pass, your company needs to comply with 100% of the requirements and submit them to your acquirer. Here are the compliance levels, from the lowest tier to the highest:


Level 4

Qualification: Deals with companies that have transaction volumes of less than 1 million per year, or 20,000 for e-commerce transactions.

Requirements

  • Completed PCI-DSS Self-Assessment Questionnaire
  • Completed Attestation of Compliance 
  • A passed vulnerability scan with an Approved Scanning Vendor (ASV)

Level 3

Qualification: E-commerce companies that do 20,000 – 1 million transactions per year.

Requirements

  • Completed PCI-DSS Self-Assessment Questionnaire
  • Completed Attestation of Compliance 
  • A passed vulnerability scan with an Approved Scanning Vendor (ASV)

Level 2

Qualification: Companies that do between 1 million and 6 million transactions in a year.

Requirements

  • Completed PCI-DSS Self-Assessment Questionnaire
  • Completed Attestation of Compliance 
  • A passed vulnerability scan with an Approved Scanning Vendor (ASV)

Level 1

Qualification: The highest and strictest tier deals with companies that do more than 6 million transactions in a year. In addition, if a company has had a data breach in the past and/or is classified as a Level 1 merchant, they need to pass this PCI compliance level.

Requirements

  • Proof of scan by an Approved Scanning Vendor (ASV), done every quarter
  • Completed Attestation of Compliance 
  • Annual Report on Compliance (ROC) performed by a Qualified Security Assessor (QSA). Alternatively, the company can also do its own internal audit as proof.

Consequences for PCI Compliance Violations

Violating any of the rules of PCI compliance can result in severe penalties and fees.

While it's not signed into law, organizations that process credit card transactions have the ability to levy fines that range from $5,000 - $100,000 per month, depending on the severity of the case. These fees are levied on your bank, which in turn passes the costs on to you. They also have the power to increase your transaction fees or terminate contracts entirely.

In addition, the PCI SSC will make re-applying for PCI certification much more difficult. They will usually place you at a higher level, with more stringent PCI compliance requirements and application fees. In some cases, they can even disallow you from doing card transactions entirely.

Beyond problems with the PCI SSC, however, there is also long-term damage that can happen to your business if it’s not 100% PCI compliant. Data breaches are serious issues, and you might find yourself at the losing end of a lawsuit.

Data hacks can also be damaging to the profitability of your business. It’s possible that your customers’ credit card information is not the only data stolen from your company. In addition, the loss of confidence from your customers can negatively affect your reputation.

The bottom line is that non-compliance with PCI regulations is just an unsafe and bad way of doing business.

How to Remain PCI Compliant 

PCI compliance is not a one-time thing. With new standards being introduced and vulnerabilities being discovered, your company needs to stay on top of PCI data security standards. 

A big part of maintaining compliance is choosing a reputable payment processor that follows all of the PCI requirements itself. Look for ones that offer PCI data security features like tokenization and encryption that protect credit card data while it’s being transmitted.

It’s also a good idea to store sensitive card information offsite in PCI-approved servers. That’s why payment processors that have support for cloud storage are highly preferred.

The PCI SSC also requires you to maintain your compliance, and doing so requires the completion of certain programs. The cost of these programs depends on the level of compliance that your specific business will need. PCI SSC provides information on program fee schedules and certifications on their website.

Become PCI Compliant with Revel Systems

If you find PCI compliance for your business is a pain, you’re not alone. The good news is that Revel Systems' cloud POS system is fully compliant with the PCI DSS standard.

Revel is a POS platform built natively in the cloud with PCI security in mind, and we're proud to be featured on the PCI Security Standards Council's list of participating organizations. As a participating member of the community, Revel is able to play an active role in helping secure the future of payments alongside other payments industry stakeholders.

We also use the EMV (Europay, Mastercard, Visa) standard to ensure that all of your credit card data is secure with each transaction. Its unique code mechanism means it's impossible to hack or counterfeit.  

PCI compliance is a vital but tedious process for any business to follow. Luckily, with Revel Systems, you have the tools necessary to keep your customers safe. Get in touch with us today to schedule a free demo and see how our platform can make a difference for your business.