A Complete PCI DSS Compliance Guide for Mid-Sized Businesses [2022]

What you’ll learn


  • Learn the importance of PCI DSS compliance for mid-sized businesses.
  • Understand the criteria and levels of PCI DSS compliance.
  • Explore how to become PCI DSS compliant and the costs associated with it.


“You feel violated. Anger. There’s anger. For me, there’s anger. Some of the other people I talked to are afraid. I get mad. Somebody. Some clown stole from me.”

- Greg Scott, credit card fraud victim

Credit card fraud remains the most common type of identity theft in the U.S., accounting for over 40 percent of all identity theft cases. A total of 271,823 cases were recorded in 2019, more than double the number reported in 2017.

Now, if you were an organization handling customers’ payments via cards or other electronic channels, you wouldn’t want them to feel violated, angry, or afraid, right?

All organizations want their customers to feel safe and protected. To provide a safe and secure environment for card-based transactions, a company needs to comply with the guidelines set up by the Payment Card Industry Security Standards Council (PCI SSC). These guidelines are referred to as the Payment Card Industry Data Security Standard (PCI DSS).

A graphic showing five leading payment card brands that formed PCI SSC.

What is PCI DSS compliance?

In this section, we’ll look at how PCI DSS has evolved over time to improve the security of card transactions.

A brief history of PCI DSS

With the rise in credit card fraud, the leading payment card brands, American Express, Visa, Mastercard, JCB International, and Discover, decided to set up a council in 2004. This council is referred to as the PCI SSC, and the security standard it publishes is known as the PCI DSS.

PCI SSC is responsible for developing, enhancing, and disseminating international security standards for credit cards.

PCI DSS helps prevent payment card fraud and ensures that consumers’ personal information remains secure when merchants and service providers work with payment card data.

PCI DSS compliance

All companies that store, handle, or transfer cardholder data are subject to the PCI DSS. It is also applicable to all security service providers who protect cardholder data, such as a firewall management service. Even mid-sized businesses that collect, transmit, or store payment card data must abide by the PCI DSS requirements.

Why is PCI DSS compliance important?

Today, almost every business handles payment processing, storage, or transmission of credit card data electronically. Be it eCommerce or retail, storing payment card data for subscription and recurring payments can make business much easier for both you and your customers. However, handling such data entails responsibility and a hefty expense for data protection.

Reasons to be PCI DSS compliant

  • Control measures laid out in the PCI DSS reduce the risk of credit and debit card data theft. They provide a secure environment for your business and customers, encouraging customers to share payment card information and make recurring payments with confidence.
  • PCI DSS is packed with best practices to detect, prevent, and remediate data breaches, thereby enhancing your organization’s data security.
  • Being PCI DSS compliant also limits an organization’s exposure if cardholder data is compromised. Visa, Mastercard, Discover, and American Express recognize PCI DSS compliant mid-sized businesses and actively promote information security practices.
  • Failure to comply with PCI DSS comes at the cost of fines and may end your ability to conduct eCommerce and accept card or online payments in the future.

Are mid-sized businesses required to be PCI DSS compliant?

Yes, if your company has to collect, store, or transfer PCI data, such as cardholder names or primary account numbers (PANs), then you must follow the PCI DSS rules without exception. However, if there is no PCI data in your Cardholder Data Environment (CDE), then PCI DSS compliance becomes optional.

Criteria for being PCI DSS compliant

The size of your business does not matter. What matters is the volume of debit or credit card payments your company receives annually.

A graphic showing the four PCI DSS Compliance levels.

Level 1 organizations require an external audit performed by a Qualified Security Assessor (QSA). Organizations in PCI Levels 2 through 4 can complete a self-assessment questionnaire (SAQ) instead of an external audit. They also need to submit an Attestation of Compliance (AOC).

Consequences of non-compliance with PCI DSS

Non-compliance with PCI DSS leads to several consequences, including:

Monthly penalties

PCI non-compliance can result in penalties ranging from $5,000 to $100,000 per month by credit card companies. The volume of clients and transactions determines the level of PCI DSS compliance for a company and its corresponding penalties.

Data breaches

Although PCI DSS compliance does not prevent data breaches, organizations that fulfill PCI DSS requirements incur lower fines. A business that is not PCI DSS compliant, on the other hand, faces significant financial damages in a data breach:

  • The average cost of a breach is $150 per record
  • Costs of card replacement or reissuing are between $3 and $10 per card
  • Increased rates charged by banks and/or processors
  • Termination of the merchant relationship with the credit card brands
  • Lawsuits by the clients whose information was breached
  • Security costs related to mandatory credit monitoring for customers whose data was compromised, identity theft repair, and so on
  • The cost of conducting forensic investigations to discover the cause of the data breach

Legal action

You’ll likely face lawsuits if any customer data gets compromised due to PCI DSS violations. In 2007, TJX Companies, best known as the parent company of Marshalls and T.J. Maxx, had to pay $40.9 million for a data breach which put an estimated 100 million bank cards at risk.

Damaged reputation

Putting bank card information of clients at risk can result in irreversible damage to a company’s reputation, in addition to other related expenses incurred by the business. Failing to provide a safe and secure PCI environment will result in a lack of trust in your organization.

Revenue loss

Non-compliance with PCI DSS can also indirectly lead to revenue loss. In 2013, Target was charged $18.4 million for a data breach that affected more than 41 million customers. It resulted in a $440 million loss of revenue in the first quarter following the breach. Even big enterprises with years of reputation are vulnerable to such losses. So, the overall impact of being PCI non-compliant can be huge for mid-sized businesses.

What are the requirements for PCI DSS compliance?

In this section, we look at some of the key requirements that organizations need to fulfill for PCI DSS compliance.

PCI compliance checklist

1) Build and maintain a secure network and systems

  • Install and maintain a firewall configuration to protect cardholder data.
  • Implement strong password management and other security features.
  • Replace vendor-supplied default system passwords with stronger ones.

2) Protect cardholder data

  • Encrypt cardholder data when in transit across open, public networks and when at rest.

3) Maintain a vulnerability management program

  • Protect all systems against malware and update antivirus software or programs regularly.
  • Develop and maintain secure systems and applications.

4) Implement strong access control measures

  • Restrict access to cardholder data on a need-to-know basis.
  • Identify and authenticate access to system components.
  • Limit physical access to cardholder data.

5) Monitor and test networks

  • Track and monitor all access to network resources and cardholder data.
  • Test security systems and processes regularly.

6) Maintain an information security policy

  • Maintain a policy that addresses information security for all personnel.

A step-by-step guide to getting PCI compliance for your mid-sized business

Step 1: Determine which PCI compliance level you belong to based on the number of annual transactions.

Step 2: Fill out the PCI compliance SAQ based on charts available on the PCI DSS official website.

Step 3: Investigate your payment technology.

  • Look for the ability to create dedicated user accounts and logins. Consumer data should only be accessible to those who need it, and you should be able to track who sees what.
  • Two-factor authentication and point-to-point encryption are other necessary security features.
  • Change the default vendor settings.
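The checklist items on protecting cardholder data, need-to-know access, and tracking access, and the Step 3 points above about dedicated accounts and being able to see who accessed what, all describe the same handling pattern. The following is an added example, not code from the original guide or from any product it mentions: a small in-memory cardholder-data store that keeps only a keyed hash token and a masked form of the PAN, grants each role only the actions its job needs, and records every access attempt in an audit trail. The role names, the HMAC key, the vault API and the card numbers are constructed for the example.

```python
"""Added example (not from the original guide): store PAN unreadably, enforce
need-to-know access per role, and audit every access attempt."""

from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib
import hmac

# Constructed secret for the example; in practice this lives in a key-management
# service or HSM, never in source code.
EXAMPLE_HMAC_KEY = b"example-key-not-for-production"

# Need-to-know: each (constructed) role gets only the actions its job requires.
ROLE_ACTIONS = {
    "support_agent": {"read_masked"},  # can confirm the last four with a customer
    "fraud_analyst": {"match_pan"},    # can check whether a PAN is already on file
    "marketing": set(),                # no business need, so no access at all
}


def pan_digits(pan: str) -> str:
    """Strip spaces/dashes and require a PAN-length run of 13 to 19 digits."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must have 13 to 19 digits")
    return digits


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits stay visible."""
    d = pan_digits(pan)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def pan_token(pan: str, key: bytes = EXAMPLE_HMAC_KEY) -> str:
    """Keyed one-way hash of the full PAN: supports equality checks without
    storing anything from which the PAN itself could be recovered."""
    return hmac.new(key, pan_digits(pan).encode(), hashlib.sha256).hexdigest()


@dataclass
class AuditEvent:
    when: str
    user: str
    role: str
    action: str
    record_id: str
    outcome: str


@dataclass
class CardVault:
    records: dict = field(default_factory=dict)  # record_id -> (token, masked PAN)
    audit_log: list = field(default_factory=list)

    def _audit(self, user, role, action, record_id, outcome):
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user, role, action, record_id, outcome))

    def _check(self, user, role, action, record_id):
        """Log the attempt either way; raise when the role lacks the action."""
        if action not in ROLE_ACTIONS.get(role, set()):
            self._audit(user, role, action, record_id, "denied")
            raise PermissionError(f"role {role!r} may not perform {action}")
        self._audit(user, role, action, record_id, "ok")

    def store(self, record_id, pan):
        """Only the token and masked form are kept; the full PAN is discarded."""
        self.records[record_id] = (pan_token(pan), mask_pan(pan))

    def read_masked(self, record_id, user, role):
        self._check(user, role, "read_masked", record_id)
        return self.records[record_id][1]

    def match_pan(self, record_id, pan, user, role):
        self._check(user, role, "match_pan", record_id)
        return hmac.compare_digest(self.records[record_id][0], pan_token(pan))


def demo():
    """Run the three constructed users against one constructed record."""
    vault = CardVault()
    vault.store("cust-1001", "4111 1111 1111 1111")  # constructed test PAN
    masked = vault.read_masked("cust-1001", "alice", "support_agent")
    matched = vault.match_pan("cust-1001", "4111111111111111", "bob", "fraud_analyst")
    try:
        vault.read_masked("cust-1001", "carol", "marketing")
        denied = False
    except PermissionError:
        denied = True
    return masked, matched, denied, [(e.user, e.outcome) for e in vault.audit_log]


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the audit log is written before the permission decision is returned, so a denied attempt is as visible as a successful one, and that nothing in `records` can be turned back into a full PAN: matching works by recomputing the keyed hash, not by decrypting.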

Step 4: Create and document compliance processes.

Based on the SAQ and the investigation of your existing payment technology, make the changes needed to adhere more closely to the PCI DSS guidelines. Document them in detail for future reference.

Step 5: Complete your attestation of compliance.

An AOC is a form that merchants use to record the successful completion of their PCI DSS assessment. In other words, an AOC is the paperwork that lets PCI SSC know you’re abiding by the rules. Be sure to have a qualified security assessor review your work so that they can confirm your findings.

Step 6: Prove your compliance with PCI standards with a vulnerability scan.

Step 7: Submit PCI compliance documentation.

Step 8: Track and test your systems.
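One concrete check that belongs in both Step 3 (finding where payment data actually flows) and Step 8 (ongoing testing) is scanning application logs and exports for card numbers that were written out unmasked. The following is an added example, not code from the original guide: it pulls out digit runs of PAN length, keeps only those that pass the Luhn check (so order numbers and timestamps are not reported), and reports findings in masked form so the scan itself never re-emits a full PAN. The log lines are constructed.

```python
"""Added example (not from the original guide): find unmasked card numbers
in log text using a PAN-length digit pattern plus the Luhn check."""

import re

# 13 to 19 digits, optionally separated by single spaces or dashes, not
# touching other digits on either side.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines: line 1 and line 4 leak a full test PAN,
# line 2 is a 16-digit order number that fails Luhn, line 3 is already masked.
SAMPLE_LOG = [
    "2022-03-01 10:02:11 INFO payment ok card=4111 1111 1111 1111 amount=19.99",
    "2022-03-01 10:02:12 INFO shipment order=1234567890123456 carrier=UPS",
    "2022-03-01 10:03:40 DEBUG retry card=411111******1111 attempt=2",
    "2022-03-01 10:04:02 WARN gateway timeout card=5555-5555-5555-4444",
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: from the right, double every second digit, subtract 9
    from any result above 9, and require the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def mask(digits: str) -> str:
    """Report form: first six and last four digits only."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_unmasked_pans(lines):
    """Return (line_number, masked_pan) for every Luhn-valid PAN-length run.
    Line numbers are 1-based; the full digits are never returned."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for match in CANDIDATE.finditer(line):
            digits = "".join(ch for ch in match.group(0) if ch.isdigit())
            if luhn_ok(digits):
                findings.append((lineno, mask(digits)))
    return findings


if __name__ == "__main__":
    for lineno, masked in find_unmasked_pans(SAMPLE_LOG):
        print(f"line {lineno}: unmasked PAN found ({masked})")
```

Luhn validity is a filter, not proof: some non-card numbers also satisfy it, so hits still need a human look, but the filter removes most of the noise that a bare digit-run search produces on real logs. A hit in a log file means the logging code, not just the log, needs fixing, since the requirement is that unprotected PAN is never stored in the first place.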

How much is the implementation cost of PCI DSS compliance?

The cost of getting PCI DSS certification depends on a lot of factors. One of the key factors that affect it is the level of compliance required and the environment in which your organization operates. An overview of the annual costs involved in implementing PCI DSS is as follows:

  • Hiring a QSA for a gap assessment: $50K
  • Training around five engineers to help remediate issues: $120K-$125K
  • New business controls: $50K-$150K
  • External auditing: $20K-$45K
  • Ongoing maintenance and revalidation: $200K-$350K
  • Average annual cost of PCI DSS compliance: ~$720K

Impact of PCI DSS compliance on your accounts receivable

Accounts receivable automation and the use of electronic, cloud-based solutions lead to efficient back-office operations, saving time and money. To ensure accounts receivable operational efficiency, the CDE of any organization, irrespective of its size, will have access to PCI data for recurring transactions. Without PCI DSS compliance, accounts receivable cannot be handled efficiently. Being PCI DSS compliant leads to faster and improved payment processing and a better customer experience. Hence, PCI DSS compliance has a noticeable positive impact on accounts receivable handling and related processes.

Conclusion

Being able to handle a customer’s card information securely provides an environment of trust and makes payment processing easier for businesses. In addition to online payment methods, a safe and secure CDE is imperative for most businesses today, irrespective of their transaction volume. Being PCI DSS compliant is one step to ensure that. Solutions like RadiusOne eInvoicing and Collections App minimize compliance risk with an in-built PCI DSS compliant payment gateway.
