Global Payments PCI Compliance: A Guide to Achieving and Maintaining Compliance

Achieving and maintaining PCI compliance is a top priority for any business involved in global payments. This means adhering to the Payment Card Industry Data Security Standard (PCI DSS) requirements.

The PCI DSS is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.

The PCI DSS has 12 main requirements, each focusing on a different aspect of security. The requirements cover everything from network architecture to data encryption and access control.

To achieve PCI compliance, businesses must implement robust security measures to protect sensitive credit card data.

PCI Compliance Requirements

PCI compliance involves adhering to a specific set of requirements outlined in the PCI DSS, which are divided into six broad categories.

To become PCI compliant, you'll need to determine your PCI level based on the volume of credit card transactions you process annually. This will help you understand which specific requirements apply to your business.

You'll need to appoint a compliance officer to oversee and implement PCI compliance efforts. This person or team will be responsible for ensuring your business meets all the necessary requirements.

The PCI compliance requirements include installing and maintaining a firewall, changing vendor-supplied default passwords and security settings, and protecting stored cardholder data.

Here are the 12 PCI compliance requirements in detail:

1. Install and maintain a firewall.

2. Change vendor-supplied default passwords and security settings.

3. Protect stored cardholder data.

4. Encrypt cardholder data when transmitting it across open, public networks.

5. Use and regularly update antivirus software.

6. Develop security systems and processes.

7. Restrict access to cardholder data to a need-to-know basis.

8. Assign user IDs to everybody with computer access.

9. Restrict physical access to cardholder data.

10. Track and monitor who accesses networks and cardholder data.

11. Regularly test systems and processes.

12. Have a policy on information security.

There are four different PCI compliance levels, typically based on the volume of credit card transactions your business processes during a 12-month period.

Achieving and Maintaining Compliance

Achieving and maintaining PCI compliance is an ongoing process that requires regular monitoring and maintenance. It's not a one-time event, as credit card brands may require quarterly or annual reports, or annual on-site assessments to validate ongoing compliance.

To ensure PCI compliance, it's essential to have a dedicated team in place, including representation from security, technology/payments, finance, and legal departments. This team can help navigate the complex world of PCI DSS compliance and ensure that all aspects of the business are compliant.

The type of annual assessment required depends on the card network and the volume of card transactions. For example, Level 1 merchants, which process more than 6 million Visa transactions per year, may need to hire third-party auditors to assess them.

To reduce the compliance burden, companies can use services like Stripe or PayU, which offer hosted payment fields and tokenization to minimize the handling of sensitive payment information. This can save on compliance costs and provide a more secure payments experience for customers.
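To make the scope-reduction point concrete, here is an added Python example (not code from the article, and not the API of Stripe, PayU or any other processor). It simulates a token vault with a `tokenize`/`detokenize` interface that is assumed for illustration only, builds the merchant-side record that keeps just an opaque token and a masked PAN, and adds a Luhn-validated scanner that flags full PANs leaking into application logs, the kind of check that supports requirement 3 (protect stored cardholder data). The card numbers are published test numbers and the log lines are constructed.

```python
"""Added example: tokenization keeps the full PAN out of the merchant's systems,
and a log scanner catches the common way PANs creep back in (error logging)."""
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check digit used by card brands; rejects random digit runs."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS allows at most the first six and last four digits to be shown;
    the merchant-side record here keeps only the last four."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Stand-in for a processor's vault (assumed interface, not a real product).
    In practice this lives at the PSP, outside the merchant's environment."""

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        token = "tok_" + secrets.token_hex(12)   # random, not derived from the PAN
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]


def merchant_record(vault: TokenVault, pan: str) -> dict:
    """What the merchant stores: a token for later charges plus a masked PAN
    for display. The full PAN never lands in the merchant database."""
    return {"token": vault.tokenize(pan), "masked_pan": mask_pan(pan)}


# 13-19 digits, optionally separated by spaces or dashes, not inside a longer run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def find_leaked_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in free text (e.g. a log file)."""
    hits = []
    for m in PAN_RE.finditer(text):
        raw = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(raw):
            hits.append(raw)
    return hits


# Constructed log lines: one clean entry, one leaking a test PAN, one order id
# that is 16 digits but fails Luhn and so is not reported.
SAMPLE_LOG = """\
INFO checkout ok token=tok_3f9a masked=************1111
ERROR gateway timeout pan=4242424242424242 order=1234567812345678
DEBUG trace id 9876543210123 retry=2
"""


if __name__ == "__main__":
    vault = TokenVault()
    print(merchant_record(vault, "4111111111111111"))
    print("leaked PANs:", find_leaked_pans(SAMPLE_LOG))
```

Run the scanner over real log directories as a scheduled job and treat any hit as an incident: it means cardholder data has left the tokenized path and the log store is now in PCI scope.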

Here are the four category levels for Visa merchants:

  • Level 1 merchants: process more than 6 million Visa transactions per year across all channels
  • Level 2 merchants: process between 1 million and 6 million Visa transactions per year across all channels
  • Level 3 merchants: process 20,000 to 1 million e-commerce Visa transactions per year
  • Level 4 merchants: process fewer than 20,000 e-commerce Visa transactions per year, or up to 1 million total Visa transactions per year across all channels

Regularly updating software and systems is also crucial to maintain PCI compliance, as it ensures that all security patches are up-to-date and vulnerabilities are addressed.

Understanding the Basics

PCI compliance isn't a one-time exercise; it's a task that must be completed each year.

Compliance requirements vary by business size and by the number of card transactions each year.

There are four groups of businesses that vary slightly by card network, and the requirements differ for each group. For example, Visa classifies Level 4 merchants as those that process fewer than 20,000 online card transactions or up to 1 million total transactions per year.

Larger businesses generally have more burdensome requirements.

The type of payment service a business uses can also affect the amount of work required to be compliant each year.

Here's a quick breakdown of the different types of payment services:

Businesses that accept payments with a PSP must still be PCI compliant, but it's generally easier compared to businesses with merchant accounts.

Becoming Compliant

To become PCI compliant, you need to determine your PCI level based on the volume of credit card transactions you process annually, which can be one of four levels: Level 1, Level 2, Level 3, or Level 4.

You'll need to understand the specific PCI DSS requirements applicable to your level, which can be found in the PCI DSS documentation. It's also essential to appoint a compliance officer to oversee and implement PCI compliance efforts.

A thorough security assessment is necessary to identify gaps and vulnerabilities in your current security measures. You'll then need to segment your network to isolate cardholder data from other parts of your network.

To address any deficiencies found during your security assessment, create a remediation plan. Implement security controls, such as firewalls, encryption, and access controls, to put in place the necessary security measures.

Regularly updating software and systems with security patches is also crucial to maintain PCI compliance. Training your staff on PCI compliance is essential to ensure they understand their roles in maintaining security.

Here's a summary of the steps to become PCI compliant:

Some payment processors, like National Processing, charge PCI compliance fees, which can range from $39.95 to $79.95 monthly, depending on the processor.

Frequently Asked Questions

What are the changes for PCI compliance in 2024?

PCI compliance in 2024 requires Multi-Factor Authentication (MFA) for secure access to Cardholder Data Environments (CDE). This change aims to protect payment data with more robust user authentication methods.

Do ACH payments require PCI compliance?

Yes, ACH payments require PCI compliance to secure sensitive payment information. This ensures protection of customer data according to PCI DSS and NACHA operating rules.

Adrian Fritsch-Johns

Senior Assigning Editor
