Top 5 Questions About PCI DSS Report On Compliance Answered

PCI DSS meaning

PCI DSS is a cybersecurity standard backed by all the major credit card and payment processing companies that aims to keep credit and debit card numbers safe. PCI DSS stands for Payment Card Industry Data Security Standard. The standard, which is administered by the Payment Card Industry Security Standards Council, establishes cybersecurity controls and business practices that any company that accepts credit card payments must implement.

Companies can demonstrate that they've implemented the standard by meeting the reporting requirements laid out by the standard; those organizations that fail to meet the requirements, or who are found to be in violation of the standard, may be fined.

What is PCI DSS used for?

Credit and debit card numbers are probably the most valuable sequences of digits around: anyone with access to them can immediately make fraudulent purchases and drain money from user accounts.

Because banks and other credit card issuers will generally refund their customers in these situations, they have a vested interest in ensuring that credit card numbers remain secure as they are transmitted across the economic ecosystem.

The PCI Security Standards Council was created by these industry players to make sure that transactions involving credit card numbers are as secure as possible.

Who does PCI DSS apply to?

PCI DSS is the most wide-ranging of the Council's standards. It applies to "any entity that stores, processes, and/or transmits cardholder data," which means that any organization that accepts credit card payments — which is to say, virtually any organization that sells anything or accepts donations — must adhere to the standard.

Compliance with PCI DSS represents a baseline of security and is certainly not a guarantee against being hacked. As we'll see, compliance can be quite complex, and it's difficult to say with certainty that every aspect of an organization's security is compliant 100% of the time. Getting help from a certified PCI QSA company, such as ERMProtect, will help your organization stay compliant by conducting PCI audits.

Some have argued that the credit card and payment companies that make up the PCI Security Standards Council use PCI DSS to shift security responsibilities and the financial burden of breaches onto retailers.

When did PCI DSS become mandatory?

PCI DSS compliance became mandatory with the rollout of version 1.0 of the standard on December 15, 2004. (PCI DSS 3.2 is the current version of the standard, and 4.0 is in the works.) But we should pause here to talk about what we mean by "mandatory" in this context. PCI DSS is a security standard, not a law. Compliance with it is mandated by the contracts that merchants sign with the card brands (Visa, MasterCard, etc.) and with the banks that actually handle their payment processing.

And, as we'll see, for most companies, compliance with the standard is achieved by filling out self-reported questionnaires. For those merchants, PCI DSS compliance mainly becomes "mandatory" in retrospect: if a breach occurs that can be traced back to a failure to implement the standard correctly, the merchant can be sanctioned by their payment processors and the card brands.

Merchants may be required to undergo (and pay for) an assessment by a PCI QSA company to ensure that they've improved their security, which we'll discuss in more detail later in this article; they may also be required to pay fines. Very large companies may be required to undergo PCI certification assessments conducted by third parties even if they haven't suffered a breach.

Can you get fined?

When merchants sign a contract with a payment processor, they agree to be subject to fines if they fail to maintain PCI DSS compliance. Fines can vary from payment processor to payment processor and are larger for companies with a higher volume of payments.

For instance, fines are assessed per month of non-compliance and the per-month charge increases for longer periods, so a company might pay $5,000 a month if they're out of compliance for three months, but $50,000 a month if they go as long as seven months.

What does it mean to be PCI DSS compliant?

PCI DSS compliance comes from meeting the obligations laid down by the standard's requirements in the way best suited to your organization, and the PCI Security Standards Council gives you the tools to do so.

What’s the difference between a PCI DSS certification vs PCI DSS assessment?

How can you become PCI DSS certified? The cheeky and succinct answer is that you can't: there's no such thing, in the world of PCI DSS, as "certification." As we've discussed, the most common means of showing compliance with the PCI DSS is by completing the appropriate questionnaire and completing an attestation of compliance (AOC). This process is known as self-assessment. Larger merchants (more than 6 million transactions a year) and third-party service providers must hire certified PCI Quality Assessors (PCI QSAs) to assess whether the organization is complying with nearly 400 required IT security controls. Organizations often share their PCI QSA assessment results with the card brands, business partners and bank processors. ERMProtect is a certified PCI QSA company with years of training and all the certifications required to conduct PCI audits to ensure organizations are secure. A list of other companies can be found on the PCI Security Council
