Posted by Tiffany Taylor and Alison Arthur on 10 Mar 2021
PCI DSS is a set of data security standards that apply to all organizations that store, process or transmit cardholder data. These standards were developed to help ensure that this sensitive data is handled safely and to help protect the cardholders behind it. PCI DSS applies to all organizations that accept or process cardholder data, regardless of the size of the company or the industry it serves.
Who enforces PCI DSS?
The PCI Security Standards Council (PCI SSC) was formed by the major payment card brands (American Express, Discover, JCB, Mastercard, and Visa) to oversee and manage PCI DSS. However, the PCI SSC does not enforce PCI DSS—that responsibility falls to the payment card brands. Each card brand has specific requirements for validating merchant compliance and associated reporting standards.
But our business doesn’t store cardholder data. We work with a third-party vendor that does this on our behalf.
Even if your business doesn’t store cardholder data, PCI DSS still applies to the environment that transmits or processes cardholder data. This includes any service providers that store, process, or transmit cardholder data on your business’s behalf.
What is cardholder data?
At a minimum, cardholder data includes the full primary account number (PAN) that appears on the card. It can also include the full PAN plus the account holder’s name, expiration date, and/or the service code of the card.
How does PCI DSS apply to the software vendors that we use to accept payments?
The Payment Application Data Security Standard (PA-DSS) applies to software vendors and payment application vendors that store, process, or transmit cardholder data on behalf of third parties. The payment card brands encourage merchants to use payment solutions that are tested and approved by the PCI SSC; however, it’s important to note that using a third-party vendor doesn’t exclude the associated merchant from PCI DSS compliance. While it may reduce their scope of PCI DSS compliance, it won’t exclude them from it altogether.
How do the payment card brands enforce compliance with PCI DSS?
There are two primary tools that the payment card brands use to help ensure that merchants are PCI DSS compliant:
Qualified Security Assessors (QSAs) are approved by the PCI SSC and perform assessments of PCI DSS compliance. Approved Scanning Vendors (ASVs) are also approved by the PCI SSC; however, they focus on performing vulnerability scans of the internet-facing portions of both merchant and service provider environments.
For eligible organizations, the Self-Assessment Questionnaire (SAQ) is a validation tool that merchants can use to perform self-assessments of their PCI DSS compliance.
What happens if our business doesn’t comply with PCI DSS?
Failure to comply can result in significant fines from the payment card brands. It’s important to note that the payment card brands will impose these fines on their member banking institutions, who will then pass these fines along to the responsible merchants. In some cases, these fines can lead to the cancellation of merchant accounts by their acquirers.
Is PCI DSS compliance a one-time thing?
No. Ensuring the security of your cardholder data is an ongoing endeavor that requires communication and teamwork between many disciplines. In addition, PCI DSS compliance is predicated upon validation levels that are set by the card brands and based upon transaction volume. As your business grows and changes over time, so might your PCI DSS validation level. In addition, industry requirements and card brand rules may change as well. It’s your business’s responsibility to be aware of these changes and react accordingly.
The Bottom Line: Accepting electronic payments opens businesses up to the possibility of fraud. PCI DSS compliance is an important piece of a larger data security and fraud prevention strategy. For more information on PCI DSS, please visit www.pcisecuritystandards.org.
If your business initiates web debit transactions, you will also want to know about the new Nacha WEB Debits operating rule, which requires bank account validation. Read more in Understanding the Nacha 2021 Rule Change.
*This is an update of an original post published in May 2018.