For many businesses considering the cloud, the question of PCI compliance comes up. The specific question some will ask is, “How will cloud adoption affect PCI compliance?” But others might still be asking, “What is PCI compliance?” or “Do I have to be PCI compliant?” Let’s answer the basic PCI compliance questions.
PCI Compliance, Defined
Developed by the Payment Card Industry Security Standards Council (PCI SSC), an independent standards body formed in 2006 by the major payment card brands Visa, MasterCard, American Express, Discover, and JCB, the Payment Card Industry Data Security Standard (PCI DSS) is a set of data security requirements aimed at protecting cardholder data and, through it, consumers from payment card fraud and identity theft. PCI DSS does this by requiring every business that stores, processes, or transmits cardholder data to implement a defined set of technical and operational controls around that data and the systems that touch it (the cardholder data environment, or CDE).
Simply put, PCI compliance is the state of having been validated as meeting the PCI DSS requirements that apply to the business. Validation is either an on-site assessment by a Qualified Security Assessor (QSA), producing a Report on Compliance (ROC), or a Self-Assessment Questionnaire (SAQ), depending on the merchant level the business’s acquiring bank assigns. Each card brand defines its own levels; Visa’s are based on the number of Visa transactions processed per year and range from Level 1, for merchants that process over 6 million Visa transactions a year (which requires a QSA assessment), to Level 4, for merchants that process fewer than 20,000 Visa e-commerce transactions and up to 1 million Visa transactions in total per year. A merchant that has suffered a breach can be required to validate at Level 1 regardless of its transaction volume.
Do I have to be PCI compliant?
PCI DSS is an industry standard rather than a law, but it is enforced contractually by the card brands through the acquiring banks that process merchants’ card transactions, so choosing not to comply is not a realistic option. Its requirements also double as a practical baseline for planning payment card data security and preventing breaches; and if your customers’ card data is breached while you are noncompliant, your business may face heavy fines, a mandatory forensic investigation, and card replacement costs.
PCI DSS applies to all businesses that accept, store, process, or transmit customer payment card information from any of the five PCI SSC card brands. Neither the size of the business nor its transaction volume matters; those only change how compliance is validated, not whether the standard applies. Using a third-party payment processor or other service does not exempt a business from PCI DSS either. Outsourcing can shrink the portion of the standard you must validate against (a merchant that fully outsources its e-commerce payment page may qualify for the short SAQ A, for example), but the responsibility stays with you: PCI DSS Requirement 12.8 obliges you to keep a list of the service providers that handle cardholder data on your behalf, to have written agreements with them, and to monitor their compliance status.
What are the penalties if my business is found noncompliant?
In addition to penalties levied on the noncompliant business itself, its acquiring bank(s) can be fined by the card brands, commonly cited as $5,000 to $100,000 per month, for compliance violations. Those fines almost always make their way downstream to the merchant through its contract with the acquirer, often alongside increased transaction fees. Banks also have no interest in keeping a merchant whose noncompliance costs them money, so noncompliant businesses may have their merchant accounts terminated, leading to a time-consuming and costly search for a replacement acquirer.
If your business handles consumer payment card data at all, PCI compliance is a critical data security consideration. Businesses that use cloud services in their customer interactions, for example a cloud-based CRM or payment processing service, may find compliance harder to plan for: every third party that receives, stores, or transmits cardholder data on your behalf becomes part of your cardholder data environment and must be covered by your assessment and by the provider’s own attestation. One way to keep that scope small is to make sure the cloud application never receives the actual card number. PCI-certified cloud encryption and tokenization gateways replace the primary account number (PAN) with a token or ciphertext before it leaves your control, so the cloud application stores only a surrogate value that is useless to an attacker who compromises it. Tokenization reduces scope only if the tokenization system itself (the vault that maps tokens back to PANs) is segmented from the cloud application and reachable only by authorized systems; that vault remains fully in scope. Your bottom line will thank you.
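To make the scope-reduction argument concrete, here is a toy tokenization gateway written for this page. It is an added illustration, not CipherCloud’s product, any PCI SSC reference code, or a production design; the vault class, the `payment-processor` role name, and the sample customer record are all assumptions made for the example. It shows the two properties that matter for scope: the token handed to the cloud application is random (not derivable from the PAN) and is deliberately not a valid card number, and only the vault, which stays inside the merchant’s or gateway’s segmented environment, can map it back.

```python
"""Toy tokenization gateway: keeps the real PAN in a vault and hands the
cloud application a random surrogate token. Added illustration for this
article, not CipherCloud's product or any PCI SSC reference code."""
import secrets
from typing import Dict


def luhn_valid(number: str) -> bool:
    """Luhn check-digit validation, as used for payment card numbers."""
    if not number.isdigit() or len(number) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps PANs to tokens. Assumption: the vault lives in the merchant's
    (or gateway's) own segmented environment, so it is in PCI DSS scope and
    the cloud application is not. A production vault would encrypt the PANs
    it stores and audit every detokenize call; this toy keeps them in memory."""

    def __init__(self) -> None:
        self._pan_to_token: Dict[str, str] = {}
        self._token_to_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        if pan in self._pan_to_token:
            # Same PAN -> same token, so the CRM can match a returning customer
            # without ever seeing the card number.
            return self._pan_to_token[pan]
        while True:
            # Format-preserving: same length, last four digits kept so staff can
            # still recognise a card; every other digit is random, not derived.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if luhn_valid(token):
                # A single-digit change always breaks Luhn, so the token can never
                # be mistaken for (or accidentally charged as) a real card number.
                token = str((int(token[0]) + 1) % 10) + token[1:]
            if token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the payment-processing integration may recover a PAN (assumed role name)."""
        if caller_role != "payment-processor":
            raise PermissionError("caller not authorised to detokenize")
        return self._token_to_pan[token]


def scrub_for_cloud(record: dict, vault: TokenVault) -> dict:
    """What the gateway forwards to the cloud CRM: the record with the PAN replaced."""
    out = dict(record)
    out["card_token"] = vault.tokenize(out.pop("pan"))
    return out


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample record; 4111 1111 1111 1111 is a well-known Visa test number.
    customer = {"name": "Test Customer", "pan": "4111111111111111", "email": "t@example.com"}
    cloud_record = scrub_for_cloud(customer, vault)
    print("sent to cloud CRM:", cloud_record)
    print("processor recovers:", vault.detokenize(cloud_record["card_token"], "payment-processor"))
```

The point to take from the example is which side holds what: the cloud CRM record contains a token that fails the Luhn check and cannot be turned back into a card number without the vault, while the vault, and anything that can call `detokenize`, is exactly the system you still have to assess.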
Want to learn more about how CipherCloud can help businesses achieve PCI compliance? Download our customer case study on how a leading payment systems provider achieved PCI compliance across multiple cloud apps or contact us today.