What is PCI DSS and why does it matter? Created specifically to reinforce credit, debit and cash card security in order to thwart card fraud and identity theft, the Payment Card Industry Data Security Standards were devised by American Express, Discover, JCB (Japan Credit Bureau), MasterCard and Visa. In a nutshell, PCI DSS is the security protocol of the credit card industry. Compliance is mandatory—if you want your ecommerce site to accept plastic.
Originally, each of the aforementioned companies had its own set of standards in place as an effort to provide its cardholders with security. The goal was to ensure that the storage, processing and transmission of cardholders’ data was handled in a manner capable of keeping it safe from interlopers. Eventually, the companies joined forces in this endeavor and formed the Payment Card Industry Security Standards Council (PCI SSC). This group developed the PCI DSS.
Originally released in 2004, the PCI DSS has undergone a number of revisions over the years in response to emerging technologies and the new threats accompanying them. The industry is currently operating Version 3.2 of the standards, which was released in April of 2016.
To qualify as PCI DSS compliant, any organization engaged in the acceptance, transmission, or storage of cardholder data must agree to meet the following objectives:
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
To meet these objectives, the PCI SSC outlines the following initiatives:
- Purchase and utilize only approved PIN entry devices at points of sale (POS)
- Purchase and utilize only validated payment software at POS and/or e-commerce shopping carts
- Avoid storing sensitive cardholder data and/or personally identifiable information in computers or on paper
- Install firewalls on networks, personal computers and related devices
- Password-protect and encrypt wireless routers and LAN
- Regularly change and use strong passwords on hardware and software
- Frequently check PIN entry devices to ensure protection from skimming devices and malicious software
- Create formal policies and procedures and train employees on information security and cardholder data protection measures
For ecommerce, this means Transport Layer Security or Secure Sockets Layer protocols must be employed to encrypt all checkout pages on which personally identifiable information or credit card information is entered. Most enterprise software comes configured this way. However, a quick comparison between Magento Enterprise and Shopify Plus, two of the leading ecommerce software solutions, shows that Shopify encrypts all of a site’s pages by default, while Magento leaves it up to the individual site builder to decide whether to do so.
Federal law in the US does not mandate PCI DSS compliance, but a number of individual states have incorporated elements of the standards into their regulations. These include Washington, Nevada and Minnesota. However, the PCI SSC does have the power to levy fines for compliance failures. As of 2017, these ranged from $5,000 to $100,000—per month—per violation.
In most cases, however, merchants found in violation of the standards are given a warning when their first instance of noncompliance is discovered. Repeat offenders are simply cut off. With nearly every consumer completing retail transactions with a piece of plastic these days, finding yourself on the wrong side of this action can be particularly debilitating. If your site is ever prohibited from accepting cards, your revenue stream will take a pretty sizable hit.