In the biggest Fintech markets like India, China, and the USA, the adoption rate of online payment rose from 16% in 2015 to 60% in 2019. With an increment of almost 100% every two years, it is evident that online transaction is now the preferred mode of payment. On the other hand, the global e-commerce industry continues to grow at 23% annually.
The combination of online shopping and online payment has simplified lives but it has also led to an incredible surge in data breaches, phishing attacks, and credit card frauds. The increased cases of credit card fraud and chargebacks have impacted both customers as well as online stores.
PCI DSS Council has established some regulations, which need to be followed religiously by organizations that store, transfers or process data. Here we try to answer the most popular questions related to PCI DSS compliance, requirements, implementation, fines and audit.
When PCI DSS came into existence?
Payment Card Industry Data Security Standard aka PCI DSS Compliance safeguards cardholders’ data from external attacks and internal sabotages. The compliance came into existence in 2004 and became fully functional in September 2006. Ever since 2006, the PCI council, which includes VISA, MasterCard, American Express and JCB International has laid out norms and security standards that need to be adhered to by all companies that stores, transfers or processes cardholders’ data.
Who all needs PCI DSS Certification?
Well, a general misconception regarding PCI DSS Certification is that “only organizations that store or process credit card details need to be compliant”. In reality, businesses that store, processes or transfer any kind of cardholders’ data need to be compliant. PCI DSS compliance is applicable to online entities that store or transfers credit, debit or prepaid card data.
Is PCI DSS a Law?
PCI DSS is not a law, no government has either tabled it or passed it from any legislative assembly. While PCI DSS is not yet law but the government of a few states in the US have incorporated in plastic card protection law.
Unlike GDPR and CCPA, which were officially tabled in constitutional houses of countries and passed by majority votes, PCI DSS is not a law and is governed by a council that includes VISA, MasterCard, American Express and JCB.
What is a PCI QSA?
QSA stands for Qualified Security Assessor, it is an individual or an organization that has completed the requisite training and courses. Once done with all training and certification, a QSA becomes eligible to assess organizations and offer them PCI DSS Certification. CISSP, CISA and CISM Certificate along with 5 years of experience as an IT Professional are the pre-requisites of being a PCI QSA.
Here are some of the roles a Qualified Security Assessor performs:
- Analyze the existing system for vulnerabilities and loopholes
- Conduct gap assessment
- Redesign the entire process as per the PCI DSS guidelines
- Run vulnerability scans to expose shortcomings
- Improvise as per the need of the situation
Who enforces PCI DSS requirements?
PCI DSS Council that came into existence in 2004, the council looks over the regulations and enforces them. They remotely conduct audits and also act on complaints received anonymously. The five members of PCI DSS namely includes:
- American Express
Apart from looking into complaints, other tasks undertaken by the council include:
- Keeping up with the technology: The council actively looks into the technological breakthroughs and revises the PCI DSS paradigms to suit the needs of businesses and organizations.
- Optimizing the PCI requirements: They play an instrumental role in making the certification an effective way of safeguarding cardholders’ data by putting businesses through a thick forest.
- Publish Updates and Concerns: The council works with a motif making the world a better place. They often publish concerns related to new technologies and advises businesses to wait until they release guidelines related to the latest technologies.
What is the cost of PCI DSS Certification?
The average cost of getting PCI DSS certified is somewhere $4000-$15000. The cost of PCI DSS is based on a list of factors, which includes:
- The cost of infrastructure development
- The cost of necessary software packages to restrict unauthorized access
- The fees of Qualified Security Assessor
- The price of process redesign and implementation
- The cost of running vulnerability scans and conducting penetration testing
What are the types of PCI DSS Certification?
There are three levels of PCI DSS namely Level 1, 2 and 3. All 3 levels are meant for organizations of different capacities. The level of PCI DSS Compliance/Certification you need depends upon the kind of transactions your online store processes.
Here’s more about the three levels of PCI DSS Certification:
- Meant for merchants/online stores that process transactions over 6 million in a year. We are talking about 6 million transactions and not transactions worth $6 million.
- Level 1 certified merchants need to conduct and document network scans on a quarterly basis.
- These entities must get their annual compliance audit done by a Qualified Security Assessor.
- Any merchant or online store that processes transactions between 1-6 million annually needs to get Level 2 compliance.
- The merchant must conduct and furnish a self-assessment questionnaire on a yearly basis.
- Alike Level 1 merchants, Level 2 merchants are also required to conduct and document network scans on a quarterly basis.
- Applies on the merchant who processes transactions between 20,000 to 1 million in a calendar year.
- The merchants are required to conduct and furnish a self-assessment questionnaire.
- Similar to Level 1 and 2 merchants, Level 3 merchants are also bound to conduct and document network scans on a quarterly basis.
What is the fine for PCI DSS Compliance Failure?
Failing PCI DSS Compliance can cost enterprises a hefty fine of $5000 to $100,000. The fine is not levied only once but it is a recurring fine that occurs until and unless the organization gets compliant with the 12 requirements of PCI DSS Compliance.
Is PCI DSS a one time or a recurring event?
Organizations need to conduct audits annually irrespective of the level of compliance. Conducting compliance audits regularly ensures that businesses are protecting cardholders’ data against the latest cyber threats.
Conducting PCI DSS audits regularly has its own set of benefits including:
- Ensures protection against the latest threats
- Helps businesses prepare for the impending threats
- Boosts the customer’s confidence
What are some shocking PCI DSS Statistics?
- Since 2012, PCI DSS Compliance has increased by almost 162%.
- While the percentage of businesses getting compliant has increased, almost 80% of businesses are yet to be compliant.
- Only 29% of enterprises continue to compliant after the first year.
- The fine for failing PCI DSS Compliance can cost up to $100,000
- Insecure remote access is the reason 39% of breaches occur
- The average cost of a data breach has risen to $4 million
- 69% of consumers are not willing to do business with organizations that are not compliant
Big players like Facebook, Quora, Uber, and Sony have succumbed to the attempts of cybercriminals. With the average cost of data breach touching $4 million, it gets indispensable for enterprises to invest in compliance and breach-prevention.
Start with PCI DSS and gain the confidence of your customer while you continue building a robust cybersecurity paradigm at the back end.