In the biggest fintech markets, such as India, China and the USA, the adoption rate of online payment rose from 16% in 2015 to 60% in 2019. With an increase of almost 100% every two years, it is evident that online transactions are now the preferred mode of payment. Meanwhile, the global e-commerce industry continues to grow at 23% annually.
The combination of online shopping and online payment has simplified lives, but it has also led to an incredible surge in data breaches, phishing attacks and credit card fraud. The increased cases of credit card fraud and chargebacks have impacted both customers and online stores.
The PCI DSS Council has established regulations that must be followed rigorously by every organization that stores, transfers or processes cardholder data. Here we try to answer the most popular questions about PCI DSS compliance, requirements, implementation, fines and audits.
The Payment Card Industry Data Security Standard, or PCI DSS, safeguards cardholders’ data from external attacks and internal sabotage. The standard came into existence in 2004 and became fully functional in September 2006. Since 2006, the PCI council, which includes VISA, MasterCard, American Express and JCB International, has laid out norms and security standards that must be adhered to by all companies that store, transfer or process cardholders’ data.
A common misconception regarding PCI DSS certification is that “only organizations that store or process credit card details need to be compliant”. In reality, any business that stores, processes or transfers any kind of cardholder data needs to be compliant. PCI DSS compliance applies to online entities that store or transfer credit, debit or prepaid card data.
PCI DSS is not a law: no government has tabled it or passed it through a legislative assembly. That said, a few US states have incorporated it into their plastic card protection laws.
Unlike GDPR and CCPA, which were officially tabled in the constitutional houses of their countries and passed by majority vote, PCI DSS is not a law; it is governed by a council that includes VISA, MasterCard, American Express and JCB.
QSA stands for Qualified Security Assessor: an individual or organization that has completed the requisite training and courses. Once trained and certified, a QSA becomes eligible to assess organizations and issue them PCI DSS certification. CISSP, CISA and CISM certificates, along with 5 years of experience as an IT professional, are the prerequisites for becoming a PCI QSA.
The PCI DSS Council, which came into existence in 2004, oversees the regulations and enforces them. It conducts audits remotely and also acts on complaints received anonymously. The five members of the PCI DSS Council are:
The average cost of getting PCI DSS certified is somewhere between $4,000 and $15,000. The cost of PCI DSS depends on a number of factors, including:
There are three levels of PCI DSS, namely Level 1, 2 and 3. Each level is meant for organizations of a different capacity. The level of PCI DSS compliance or certification you need depends on the kind of transactions your online store processes.
Failing PCI DSS compliance can cost enterprises a hefty fine of $5,000 to $100,000. The fine is not levied only once; it recurs until the organization becomes compliant with the 12 requirements of PCI DSS.
Organizations need to conduct audits annually, irrespective of their level of compliance. Conducting compliance audits regularly ensures that businesses are protecting cardholders’ data against the latest cyber threats.
Big players like Facebook, Quora, Uber and Sony have succumbed to the attempts of cybercriminals. With the average cost of a data breach touching $4 million, it is indispensable for enterprises to invest in compliance and breach prevention.
Start with PCI DSS and gain the confidence of your customer while you continue building a robust cybersecurity paradigm at the back end.