PCI DSS stands for Payment Card Industry Data Security Standard. It’s a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.
Companies can maintain PCI DSS compliance either by conducting a self-assessment or through a third-party auditor, depending on the nature of their business and their required level of PCI compliance.
That said, many companies feel it’s not worth investing the time and resources needed to maintain PCI compliance on their own, so they outsource the handling and storage of sensitive card data to a partner (more on this later).
If you’re curious about whether and how to become PCI DSS compliant, this guide is for you. In it, we’ll address the following questions:
Payment Card Industry Data Security Standard (PCI DSS) is a list of compliance obligations you must satisfy if you handle cardholder data and/or sensitive authentication data.
“Cardholder data” includes the following:
“Sensitive authentication data” includes the following:
Back in 2004, in an attempt to slow the rise of card fraud, five leading credit-card networks collaborated to design and implement PCI DSS 1.0. Their goal was to ensure that all businesses that handle credit card information maintain a secure environment. Since then, there have been three more versions; the most recent, version 4.0, was released in March 2022.
PCI DSS compliance requirements apply to all entities that handle card data from Visa, Mastercard, Discover, American Express, and JCB International. Companies that are frequently subject to PCI DSS compliance include:
Many decision makers at tech companies we've spoken with wonder whether they really need to worry about maintaining PCI DSS compliance (and/or outsourcing these obligations to a partner).
The answer is a resounding "yes." Here's why:
The average cost of a data breach in the United States is $9.44M. Perhaps partly in response, the percentage of organizations maintaining full PCI DSS compliance grew from 27.9% in 2019 to 43.4% in 2020, according to the Verizon 2022 Payment Security Report (PSR).
On the positive side, PCI compliance helps to provide peace of mind to customers who are concerned about the security of their personal information—especially their financial information. It helps to build your reputation as an organization that values security and takes all steps needed to protect customer data.
PCI compliance can also open the door to new partnerships and business opportunities, because large companies often require their partners to be PCI DSS compliant. Alongside popular frameworks like SOC 2 and NIST, it helps businesses demonstrate a more comprehensive approach to security. (Meeting PCI requirements can also make it easier to satisfy these other standards and frameworks.)
PCI DSS has 12 requirements that address areas ranging from network security and password management to data protection and access control.
Some requirements are more challenging than others. In fact, the Verizon 2022 Payment Security Report (PSR) shows higher compliance (90.8%) with requirements that address encryption and access control (numbers 4 and 7, respectively). On the other hand, the requirement to test security, which requires more specialized skills and expertise, has the lowest compliance (60%).
The complete list requires organizations to:
There are four merchant levels, based on the volume of transactions a business processes annually. Organizations with higher transaction volumes are subject to stricter controls, which require more resources to ensure compliance. But every business should be aware of and comply with the requirements of PCI DSS, regardless of its merchant level.
In general, there are three ways to achieve and maintain PCI DSS compliance. As you’ll see, they vary widely in terms of their time to market, required investment, and required staffing.
If you’ve decided to become PCI DSS compliant on your own, then we recommend the following checklist.
Bear in mind that, if you decide to become PCI DSS compliant on your own, your compliance must be validated and re-certified annually.
Interested in learning more about PCI DSS requirements? Ready to take the next step? We’ve got strong opinions, and we’d love to chat.
March 21, 2023
Frequently asked questions
Fintechs may face specific compliance requirements depending on their particular services and how they handle payment card information. Consult a PCI-certified Qualified Security Assessor (QSA) to understand the specific compliance requirements that apply to your situation.
PCI SSC stands for Payment Card Industry Security Standards Council. This is the independent body that manages PCI DSS. The standards, however, are enforced by the card brands themselves.
With the release of version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS) in 2022, PCI DSS v3.2.1 will be retired on March 31, 2024.