PCI DSS – What Is Compliance?

28. November 2019

In this short series we provide you with useful facts about the Payment Card Industry Data Security Standard. Be well informed on your PCI DSS certification.


When is a company PCI DSS compliant?

A company achieves PCI DSS compliance (or: conformity) if it meets all PCI DSS requirements that apply to it. While there is no legal requirement for PCI DSS compliance, all companies that store, process, or transmit credit card data must comply with the standard. Once a year, a company must also formally validate PCI DSS compliance, also referred to as PCI DSS certification, which is valid for one year at a time. This requirement comes directly from the credit card organizations themselves. Initially, the credit card schemes obligate merchant banks and credit card processors to enforce compliance among their customers. Credit card processors are service providers that mediate between merchant banks (acquirers) and banks that issue credit cards to end customers (issuers) and thus take over the administration of credit card transactions.

How compliance is enforced

Credit card processors and acquirers are contractually obligated by the credit card organizations to ensure that an agreed minimum percentage of their merchant customers achieve PCI DSS compliance. They must regularly report these compliance rates to the credit card organizations. Usually, credit card processors and acquirers pass the compliance obligation on to their customers via a credit card acceptance agreement. In the next step, customers obligate their service providers, if they use any, to work compliantly with PCI DSS and to provide proof of this. Your contractual situation with your acquirer and the connected credit card processors is ultimately the decisive factor in determining whether you have to validate your PCI DSS compliance.

PCI DSS Compliance and outsourcing to Service Providers

In the context of PCI DSS, companies that provide services to merchants or banks which involve processing credit card data or having access to such data are categorized as Service Providers. These include, for example, network operators, service providers who provide certain services for acquirers and issuers, web hosting providers for online portals, or IT service providers that operate server infrastructure or corporate firewalls.

Companies that have outsourced the entire processing of credit card transactions to a service provider must also prove their PCI DSS compliance. However, the scope of the certification is usually greatly reduced for these companies. With their certification, they document that their chosen service provider is PCI DSS compliant and that they regularly check its compliance status. The credit card organizations MasterCard and Visa have published a list of PCI DSS-compliant service providers on the internet under the following links:

Alternatively, a company can also request proof of PCI DSS compliance directly from its service providers.

What are the possible consequences of non-compliance with PCI DSS?

If credit card data is compromised, credit card organizations may, at their discretion, impose massive fines on an acquirer if it is found that PCI compliance had been violated at the time of the incident. These penalties will most likely be passed on by the acquirer to the customer who suffered the compromise. It is also likely that the acquirer will terminate the credit card acceptance agreement with this merchant or significantly increase transaction fees. Such sanctions can quickly threaten the existence of companies of any size. In addition, a company is liable if its customers’ credit card data is stolen or abused.

Companies that have achieved PCI DSS compliance and have validated that they comply with it are protected by a “Safe Harbor Rule”. In the event of data theft or abuse, these companies can expect partial or complete exemption from fines from the credit card organizations or their acquirer following a forensic investigation.


Do you have questions or need assistance with your PCI compliance project? Contact us; we will be happy to help you.
