Custom Image

A Complete PCI DSS Compliance Guide for Mid-Sized Businesses [2022]

What you’ll learn


  • Learn the importance of PCI DSS compliance for mid-sized businesses.
  • Understand the criteria and levels of PCI DSS compliance.
  • Explore how to become PCI DSS compliant and the costs associated with it.

Feature image of PCI DSS Compliance

You feel violated. Anger. There’s anger. For me, there’s anger. Some of the other people I talked to are afraid. I get mad. Somebody. Some clown stole from me

- Greg Scott, Credit Card Fraud Victim.

Credit card fraud remains the most common type of identity theft in the U.S., accounting for over 40 percent of all identity theft cases. A total of 271,823 cases were recorded in 2019, more than double the number reported in 2017.

Now, if you were an organization handling customers’ payments via cards or other electronic channels, you wouldn’t want them to feel violated, angry, or afraid, right?

All organizations want their customers to feel safe and protected. To provide a safe and secure environment for card-based transactions, a company needs to comply with the guidelines set up by the Payment Card Industry - Security Standards Council (PCI SSC). These guidelines are referred to as the Payment Card Industry - Data Security Standard (PCI DSS).

A graphic showing five leading payment card brands that formed PCI SSC.

What is PCI DSS compliance?

In this section, we’ll look at how PCI DSS has evolved over time to improve the security of card transactions.

A brief history of PCI DSS

With the rise in credit card fraud, the leading payment card brands such as American Express, VISA, MasterCard, JCB International, and Discover decided to set up a council in 2004. This council is referred to as the PCI SSC and the security guidelines set up by them are known as the PCI DSS.

PCI SSC is responsible for developing, enhancing, and disseminating international security standards for credit cards.

PCI DSS helps prevent payment card fraud and ensures that consumers’ personal information remains secure when merchants and service providers work with payment card data.

PCI DSS compliance

All companies that store, handle, or transfer cardholder data are subject to the PCI DSS. It is also applicable to all security service providers who protect cardholder data, such as a firewall management service. Even mid-sized businesses that collect, transmit, or store payment card data must abide by the PCI DSS requirements.

Why is PCI DSS compliance important?

Today, almost every business handles payment processing, storage, or transmission of credit card data electronically. Be it eCommerce or retail, storing payment card data for subscription and recurring payments can make business much easier for both you and your customers. However, handling such data entails responsibility and a hefty expense for data protection.

Reasons to be PCI DSS compliant

  • Control measures laid out in the PCI DSS reduce the risk of credit and debit card theft. It provides a secure environment for your business and customers, encouraging them to exchange PCI information and make recurring payments easily.
  • PCI compliance is packed with best practices to detect, prevent, and remediate data breaches, thereby enhancing your organization’s data security.
  • Becoming PCI compliant also protects an organization against data breaches if cardholder data is compromised. Visa, Mastercard, Discover, and American Express recognize PCI DSS compliant mid-sized businesses and actively promote information security practices.
  • Failure to comply with PCI DSS comes at the cost of fines that may end your ability to conduct eCommerce, accept card payments, and online payments in the future.

Do mid-sized businesses require to be PCI DSS compliant?

Yes, if your company has to collect, store, or transfer PCI data, such as cardholder names or primary account numbers (PANs), then you must follow the PCI DSS rules without exception. However, if there is no PCI data in your Cardholder Data Environment (CDE), then PCI DSS compliance becomes optional.

Criteria for being PCI DSS compliant

The size of your business does not matter. What matters is the volume of debit or credit card payments your company receives annually.

A graphic showing the four PCI DSS Compliance levels.

Level 1 organizations require an external audit performed by a Qualified Security Assessor (QSA). Organizations in PCI Levels 2 through 4 can complete a self-assessment questionnaire (SAQ) instead of an external audit. They also need to submit an Attestation of Compliance (AOC).

Consequences of non-compliance to PCI DSS

Non-compliance to PCI DSS leads to several consequences, including:

Monthly penalties

PCI non-compliance can result in penalties ranging from $5,000 to $100,000 per month by credit card companies. The volume of clients and transactions determines the level of PCI DSS compliance for a company and its corresponding penalties.

Data breaches

Although PCI DSS compliance does not prevent data breaches, organizations that fulfill PCI DSS requirements would incur lower fines. Whereas a business that is not PCI DSS compliant will have to face significant financial damages in a data breach:

  • The average cost of a breach is $150 per record
  • Costs of card replacement or issuing are between $3 to $10 per card
  • Increased rates charged by banks and or processors
  • Termination of merchant relationship with the credit card brands
  • The lawsuit by the clients whose information got breached
  • Security costs related to mandatory credit monitoring for customers whose data was compromised, identity theft repair, and so on
  • The cost of conducting forensic investigations to discover the cause of the data breach

Legal action

You’ll likely face lawsuits in case any customer data gets compromised due to PCI DSS violations. In 2007, TJX Companies, best known as the holder of Marshalls and T.J. Maxx, had to pay $40.9 million for a data breach which put an estimated 100 million bank cards at risk.

Damaged reputation

Putting bank card information of clients at risk can result in irreversible damage to a company’s reputation, in addition to other related expenses incurred by the business. Failing to provide a safe and secure PCI environment will result in a lack of trust in your organization.

Revenue loss

Non-compliance with PCI can also indirectly lead to revenue loss. In 2013, Target was charged $18.4 million for a data breach that affected more than 41 million customers. It resulted in a $440-million-loss of revenue in the first quarter following the breach. Even big enterprises with years of reputation are vulnerable to such losses. So, the overall impact of being PCI non-compliant can be huge for mid-sized businesses.

What are the requirements for PCI DSS compliance?

In this section, we look at some of the key requirements that organizations need to fulfill for PCI DSS compliance.

PCI compliance checklist

1) Build and maintain a secure network and system

  • Install and maintain a firewall configuration to protect cardholder data.
  • Implement strong password management and other security features.
  • Replace vendor-supplied default system passwords with stronger ones.

2) Protect cardholder data

  • Encrypt cardholder data when in transit across open, public networks and when at rest.

3) Maintain a vulnerability management program

  • Protect all systems against malware and update antivirus software or programs regularly.
  • Develop and maintain secure systems and applications.

4) Implement strong access control measures

  • Restrict access to cardholder data on a need-to-know basis.
  • Identify and authenticate access to system components.
  • Limit physical access to cardholder data.

5) Monitor and test networks

  • Track and monitor all access to network resources and cardholder data.
  • Test security systems and processes regularly.

6) Maintain an information security policy

  • Maintain a policy that addresses information security for all personnel.

A step-by-step guide to getting PCI compliance for your mid-sized business

Step 1: Determine which PCI compliance level you belong to based on the number of annual transactions.

Step 2: Fill out the PCI compliance SAQ based on charts available on the PCI DSS official website.

Step 3: Investigate your payment technology.

  • Look for the ability to create dedicated user accounts and logins. Consumer data should only be accessible to those who need it, and you should be able to track who sees what.
  • Two-factor authentication and point-to-point encryption are other necessary security features.
  • Change the default vendor settings.

Step 4: Create and document compliance processes.

Based on the SAQ and investigation of already existing payment technology, make amends to adhere more closely to the PCI DSS guidelines. Document the same in detail for future references.

Step 5: Complete your attestation of compliance.

AOC is a form that merchants use to record the successful completion of their PCI DSS assessment. In other words, an AOC is a paperwork that lets PCI SSC know you’re abiding by the rules. Be sure to have a qualified security assessor review your work so that they can confirm your findings.

Step 6: Prove your compliance with PCI standards with a vulnerability scan.

Step 7: Submit PCI compliance documentation.

Step 8: Track and test your systems.

How much is the implementation cost of PCI DSS compliance?

The cost of getting PCI DSS certification depends on a lot of factors. One of the key factors that affect it is the level of compliance required and the environment in which your organization operates. An overview of the annual costs involved in implementing PCI DSS is as follows:

  • Hiring QSA for GAP assessment: $50K
  • Training around five engineers to help remediate issues: $120K-$125K
  • New business controls: $50K-$150K
  • External auditing: $20K-$45K
  • Ongoing maintenance and revalidation: $200k-$350k
  • The average annual cost for PCI Compliance: ~$720K 

Impact of PCI DSS compliance on your accounts receivable

Accounts receivable automation and the use of electronic, cloud-based solutions lead to efficient back-office operations, saving time and money. To ensure accounts receivable operational efficiency, the CDE of any organization, irrespective of its size, will have access to PCI data for recurring transactions. Without PCI DSS compliance, accounts receivable cannot be handled efficiently. Being PCI DSS compliant leads to faster and improved payment processing and a better customer experience. Hence, PCI DSS compliance has a noticeable positive impact on accounts receivable handling and related processes.

Conclusion

Being able to handle a customer’s card information securely provides an environment of trust and makes payment processing easier for businesses. In addition to online payment methods, a safe and secure CDE is imperative for most businesses today, irrespective of their transaction volume. Being PCI DSS compliant is one step to ensure that. Solutions like RadiusOne eInvoicing and Collections App minimize compliance risk with an in-built PCI DSS compliant payment gateway.

Recommendations

What Is ACH Credit, and How Do ACH Credit Transactions Work?

What Is a Credit Dispute Letter and Its Different Types?

5 CFO Reporting Challenges and How Can You Overcome Them?

There's no time like the present

Get a Demo of RadiusOne A/R Suite for Your Business

Request a Demo
Request Demo Character Man

The HighRadius RadiusOne AR Suite is a complete accounts receivable solution designed for mid-sized businesses and SMBs to automate eInvoicing, Collections, Cash Reconciliation, and Credit Risk Management to enable faster cash conversion and maximize working capital.

It is quick to deploy and ready to integrate with ERPs like Oracle NetSuite, Sage Intacct, MS Dynamics, and scales to meet the needs of your order-to-cash process.

Lightning-fast Remote Deployment | Minimal IT Dependency
Prepackaged Modules with Industry-Specific Best Practices.

See RadiusOne AR Suite in Action Today