How Often Are PCI Audits Required?

Let’s start from the very beginning. If you want to engage in any activity involving credit cards, which inevitably means handling cardholder data, you will need a specific certification for that activity. To be more precise, PCI DSS is an international security standard designed specifically to protect payment card data. It allows you to protect the organization from incidents such as information leakage and to provide the necessary level of data security throughout the payment system. The standard applies to merchants, processors, acquirers, card issuers, and service providers.

Why would you actually need this certification? First of all, without it, you simply cannot engage in activities involving credit cards. For non-compliance, you may even receive a fine. We will return later to the reasons it matters, and to the mechanisms that make you follow the regulations. What you need to understand now is that if an organization wants to accept card payments, this certification is a necessity.

It was compiled sixteen years ago by the PCI Security Standards Council to give users a certain guarantee of data protection when carrying out transactions with credit cards. The board that drafted the standard was made up of the largest and best-known credit card companies, the ones we deal with almost every day. Over the years, they have kept improving it in order to prevent data leakage and other incidents of that kind. The latest version was presented only four years ago.

Overall, knowing these rules is highly valuable and allows you to stay competitive in today’s world. This very standard keeps our transactions safe, making this way of paying far more reliable and trustworthy. But there is a tricky moment in the certification process, or rather an important aspect: transaction volume divides all businesses into different categories, defining four fixed levels.

In general, they are determined in descending order. The first level covers large businesses (6 million transactions or more over a one-year period). Then comes the second level, which lies between one million and six million transactions annually. Level three covers businesses ranging from twenty thousand to one million transactions, while the last category, the fourth, represents small businesses with twenty thousand or fewer transactions per year.

The levels we have just described are the main categorization, created by the same council that developed the security standard itself. However, it is not the only one. Some of the major credit card companies create their own distinctive rating scales. For example, some of them lower the threshold for the first level from six million to two and a half million or more. Accordingly, all subsequent levels are lowered as well. In addition, some may even have special additional requirements and characteristics for determining the business level.

We hope we have made the importance and meaning of certification, and of the standard itself, clear. But still, two big questions arise: what precisely are these levels needed for, and how often must the audits be carried out?

To cut the story short, the level defined for your business determines the requirements of the certification. Either way, you will have to fill out the SAQ (Self-Assessment Questionnaire). But if you are a large merchant, for example, a ROC (Report on Compliance) may also be needed. Regarding timing, organizations usually have to pass their assessment each year. By the way, there is an alternative to the SAQ: you may also engage a professional, a QSA (Qualified Security Assessor), to help you with the PCI compliance process. This route is becoming increasingly popular.

But this annual audit is not an imperative rule; it is just a common norm. The payment card companies are the ones who decide how often you should carry out the audits. So the requirements may, and probably will, differ depending on which company you deal with. In this respect, too, the rules are not the same for everyone.

Sometimes you may be required to regularly assess all the risks to the security of cardholder data in order to minimize them. It is like an X-ray of all the weak spots in your system, performed to identify significant threats to security and eliminate them as soon as practicable. It is so important that this assessment should usually be performed as often as four times per year.

Still, there is no law or powerful external entity forcing you to follow all the recommendations set out in the PCI DSS. So why can’t a business simply ignore them? We have already mentioned the possible fines, but the problem runs much deeper. The point is that the card companies will simply refuse to work with you. Therefore, this standard can be considered not just a set of recommendations but a genuinely effective regulator. After all, the corresponding contracts are made with the credit card companies, so these means of enforcement are entirely justified.

Businesses are also interested in guaranteeing some security to people. After all, in this case, trust means everything. A leak of private customer data means, at the very least, a destroyed reputation. Why risk a so-called “shadow ban” from credit card companies just because you failed to comply with a few simple rules? That is why businesses choose to comply: the ability to process credit card payments today is a real necessity.