PCI Compliance

The Importance of PCI Compliance
Credit card fraud and data breaches have been rampant for years and show no signs of subsiding, with new schemes surfacing daily. Losses from card fraud reached $33 billion in 2024, according to the latest Nilson Report, and will continue to balloon. These crimes cause businesses to lose not only money, but also their reputations and customers’ trust.
That’s why it’s critical for businesses who deal with card data and transactions to comply with the Payment Card Industry Data Security Standard (PCI DSS). Designed to protect cardholder data, the PCI DSS is a set of recommended practices created in 2004 by the Payment Card Industry Security Standards Council, which was founded by major credit card brands such as Visa, MasterCard, American Express, Discover and JCB. The standard applies to all companies that accept, process, store or transmit credit card information. It is not a law but rather a contractual agreement between merchants and payment card companies.
What is PCI compliance?
The PCI DSS encompasses 12 practices:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Protect all systems against malware and regularly update antivirus software or programs.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need to know.
- Identify and authenticate access to system components.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security for all personnel.
Compliance is assessed at four different levels, depending on how many transactions a business processes each year. The levels range from one to four, with Level 1 applying to merchants with the highest transaction volumes (over six million card transactions per year), and Level 4 to smaller merchants (with fewer than 20,000 card transactions per year). Each level has its own validation prerequisites.
Why is PCI compliance critical?
The PCI standards protect not only cardholders and their personal data but also card issuers, merchants, merchant processors, acquirers and service providers from data breaches and fraud losses. In a nutshell, PCI compliance:
- Protects cardholder data
- Reduces the impact of fraud and data breaches
- Prevents fines and legal exposure
- Preserves customers’ trust and a brand’s reputation
- Establishes a strong security baseline
Obviously, fraud costs businesses money — data breaches incur an average of $4.4 million per breach, according to IBM and the Ponemon Institute — but it has other costs, too. Fraud and data breaches undermine customer loyalty, damage a merchant’s brand and often result in financial penalties and/or legal action. The fines levied by acquiring banks and payment processors can range from $5,000 to $100,000 per month, according to security software provider SecurityCompass. In addition to fines, merchants can lose their banking relationship or be forced to pay higher transaction costs if their systems are compromised.
How to comply
To assess and document their compliance, merchants complete a yearly self-assessment questionnaire (SAQ) and/or pass a quarterly PCI security scan. (Email reminders are sent to the merchant’s point of contact, so merchants should make sure that contact information is current.) The SAQ is divided into categories based on how the merchant processes credit cards. To assist in the process, the PCI SSC also provides specification frameworks, tool kits, measurement guides and supporting materials.
But compliance goes beyond forms and scans. According to JPMorgan, the best approach to ongoing compliance is to:
- Regularly locate cardholder data within all relevant systems and map out where IT assets and business processes interact with it.
- Based on those findings, address vulnerabilities, optimize data storage and strengthen protective measures.
- Document all compliance efforts and submit the required validation information to maintain PCI DSS certification.
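The first step above, locating cardholder data wherever it has leaked into logs or exports, is usually done with a discovery scan. The following is an added illustration, not code from the article or from any named vendor: it finds primary account number (PAN) candidates in constructed sample lines, keeps only those that pass the standard Luhn check, and reports them masked to the first six and last four digits, the most PCI DSS Requirement 3 allows to be displayed.

```python
import re

# Constructed sample lines standing in for application logs an audit scan would walk.
# The card numbers are the public Visa/Mastercard test numbers, not real accounts.
SAMPLE_LINES = [
    "2024-05-01 order=1001 card=4111111111111111 status=ok",     # valid PAN in clear
    "2024-05-01 order=1002 ref=4111111111111112 status=ok",      # fails Luhn: not a PAN
    "2024-05-01 order=1003 card=5500 0000 0000 0004 status=ok",  # PAN with spaces
    "2024-05-01 order=1004 note=no card data here",
]

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return normalized digit strings for every Luhn-valid PAN candidate in text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep at most first six and last four digits, as Requirement 3 permits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_lines(lines: list[str]) -> list[tuple[int, str]]:
    """Report (line number, masked PAN) so findings can be filed without copying PANs."""
    return [(n, mask_pan(pan)) for n, line in enumerate(lines, 1) for pan in find_pans(line)]
```

Run against real log directories, the report tells you which systems are in scope and need remediation, without the scan output itself becoming a new store of cardholder data.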
George Uko, Senior Territory Credit Manager at Kubota Tractor Corporation, recommends an additional best practice: educating both employees and customers. “Education across the organization is a must,” he says. “Educate every department that deals with credit card information on what happens to the business [in case of fraud] and what you have in place to protect data. Share your experiences.” In his career, he has seen about $3 million in losses to fraud and data breaches.
To educate customers, Kubota informs them about “what we do to protect them and how they can protect themselves and their card information,” Uko reports. “We also let them know what’s going on in the industry, which helps them to be vigilant about protecting their data.”
More than a formality
Some businesses make the mistake of treating PCI DSS standards like a mere box to check off and do only the minimum needed to comply. But PCI compliance can make or break a business, and as AI technology advances, fraudsters will soon be able to do large-scale damage within mere milliseconds. “A lot of fraud losses come down to the amount of time it takes for something to hit [a target]. The more attempts made, the bigger the chance of fraud,” Uko observes. AI will — if it doesn’t already — enable millions of attempts simultaneously.
The first step toward thwarting these crimes is to maintain rigorous PCI compliance. Doing so is neither cheap nor easy, but the effort and investment are worth it. PCI compliance establishes a solid foundation for a robust security program that protects customers, the bottom line and, above all, a business’s good reputation. “If you can’t protect your brand, you won’t have customer trust, and you will lose business,” Uko concludes.
