Any business that stores, processes, or transmits payment card data is responsible for keeping those transactions secure. The Payment Card Industry Data Security Standard (PCI DSS) defines how.
PCI DSS, maintained by the PCI Security Standards Council (PCI SSC), groups its controls into 12 high-level requirements commonly referred to as the PCI compliance checklist. The requirements apply to merchants of all sizes that accept consumer credit and debit cards, and to the service providers that handle card data on their behalf. At its core, the checklist is designed to protect cardholder data from fraud and data breaches. Compliance is a contractual obligation imposed by the card brands and acquiring banks rather than a legal one, but non-compliance still carries hefty fees and fines.
Here is an overview of the checklist requirements that the payment card brands require merchants to comply with in order to protect customer financial information:
An organization that is PCI compliant has committed to keeping cardholder data secure and safe from data breaches and fraud.
There is no official PCI DSS certification. Instead, merchants that accept cardholder data must validate their compliance to their acquiring bank, typically through a Self-Assessment Questionnaire (SAQ) or, for larger merchants, a Report on Compliance (ROC) prepared by a Qualified Security Assessor (QSA). In practice, this means demonstrating that systems are in place to identify cyberthreats, remediate vulnerabilities, and detect and report breaches before they cause significant financial damage.
A related standard, PIN Transaction Security (PTS), requires financial institutions and merchants to use only payment terminals and PIN-entry devices that have been tested and approved by the PCI SSC for processing card transactions.
The Payment Application Data Security Standard (PA-DSS) likewise required commercial payment applications to be tested and listed as secure; it has since been retired in favor of the PCI Software Security Framework.
PCI DSS compliance is not a one-time audit but a continuous cycle of three steps: assess (identify where cardholder data is stored, processed, and transmitted, and which vulnerabilities affect it), remediate (fix those vulnerabilities and stop storing card data that is not needed), and report (submit the required validation to the acquiring bank and card brands).
All three steps mirror general cybersecurity best practices and overlap with the controls demanded by other compliance regimes, such as the GDPR.
In addition to the consumer, there are typically three major players involved in the card payment process: the payment brands (Visa, MasterCard, American Express, etc.), the acquiring bank, and the merchant.
If non-compliance is discovered, the payment brands may fine the acquiring bank anywhere from $5,000 to $100,000 per month. Most of that cost is passed down the line and ultimately reaches the merchant as higher fees and transaction costs; in some cases the bank may terminate its relationship with the merchant altogether.
Financial damages attributed directly to cybercrime have been projected to reach $6 trillion annually by 2021.
To put that number in perspective, it is larger than the annual GDP of Japan, the world's third largest economy after the U.S. and China.
Businesses that handle payment card transactions, financial organizations and retailers in particular, are the groups most targeted by cybercriminals, according to Verizon's 2017 report.
This type of crime is persistent and getting worse, both in the number of incidents and in the financial cost to enterprises, which underscores the urgency of complying with the 12-point checklist.
If cybercrime continues to escalate at its current pace and consumers begin to lose confidence in the safety of their card data, it is foreseeable that the practices behind the PCI DSS compliance checklist will be woven directly into payment processors' business models in the near future, if only to stem financial losses.