PCI DSS Compliance for Payment Processors

Published October 10, 2023
by Dave Stenger

In an increasingly cashless consumer economy, small and medium-sized businesses (SMEs) rely on the convenience of customers’ credit and debit cards for fast and easy payments. Unfortunately, the rise in electronic payment systems over recent decades has also seen an exponential increase in related cybercrime—Verizon’s 2022 Data Breach Investigations Report states 93 percent of data breaches had financial motivations, and 84 percent of breach cases entailed payment account data. The Payment Card Industry (PCI) Data Security Standards (DSS) are designed to protect cardholders’ information across all transactions, and PCI DSS compliance is mandatory for SMEs and organizations of all sizes that process, transmit, or store cardholder data.

SMEs are on the daily front lines of the ongoing, high-stakes battle to keep critical payment data safe from theft and exploitation. Insufficient cybersecurity measures throughout the card-processing ecosystem can allow savvy cybercriminals access to personal consumer financial information, exploiting vulnerabilities across point-of-sale devices, cloud-based systems, wireless hotspots, e-commerce applications, company computers, servers, and more. 

What is PCI DSS?

While not a law, PCI DSS is a widely accepted set of security standards and guidelines designed to protect credit cardholder data and enhance the security of payment card transactions. A coalition of major credit card companies—Visa, Mastercard, Discover, American Express, and JCB—released version 1.0 of the PCI DSS in 2004. Before PCI DSS, each of the companies created and maintained their own security programs. 

In 2006, the Payment Card Industry Security Standards Council (PCI SSC) was formed to administer and govern the framework. However, compliance enforcement remains the responsibility of individual credit card companies.

The most current version of the standards, PCI DSS v4.0, was released in March 2022. The standards apply to all organizations that store, process, or transmit card payment information and cover technical and operational practices for system components and security measures included within or connected to environments hosting cardholder data.

PCI DSS compliance helps ensure customer payment card data is safe and secure, protecting SMEs against debilitating breaches and related fallout. Non-compliance can carry hefty fines or result in banks and payment processors revoking a business’s ability to process card transactions—and that’s before any potential breaches would cause further financial heartbreak and erode public trust.

Compliance for SMEs Using Credit Card Processing Services 

While using a major credit card processing service can be advantageous in terms of leveraging their secure infrastructure, SMEs are not automatically PCI DSS compliant. It is the responsibility of the SME to ensure their own systems and processes meet the requirements of PCI DSS and maintain a secure environment for handling credit card data. Compliance with the standard helps protect both the SME and its customers from potential data breaches and financial losses. While major credit card processors typically have robust security measures in place, PCI DSS compliance is a shared responsibility between the payment processors and the merchants (including SMEs) who accept credit card payments.

Credit card processors are known as payment card industry (PCI) service providers, and they must comply with their own set of PCI standards (often referred to as PCI DSS for service providers). These standards ensure that the processors maintain secure environments for processing, storing, and transmitting cardholder data.

On the other hand, merchants are required to comply with the main PCI DSS standard, which applies to all entities that handle cardholder data directly. This includes any business that accepts credit card payments, regardless of whether they use a third-party payment processor or not.

What Are the PCI DSS Compliance Requirements?

How exactly an SME demonstrates and validates its PCI DSS compliance will depend on three varying factors:

  • Which payment cards the SME accept
  • How many payment card transactions are processed per year
  • Whether the SME has experienced a relevant breach or cyberattack resulting in compromised payment or cardholder data

While these factors influence an SME’s level of risk faced and how they achieve or maintain PCI DSS compliance, they don’t affect the requirements organizations must meet. There are 12 requirements for compliance—containing more than 280 sub-requirements and directives—across six overall goals:

  • Goal 1: Build and Maintain a Secure Network and Systems
    • Requirement 1: Install and maintain network security controls
    • Requirement 2: Apply secure configurations to all system components 
  • Goal 2: Protect Account Data
    • Requirement 3: Protect stored account data
    • Requirement 4: Protect cardholder data with strong cryptography during transmission over open and public networks
  • Goal 3: Maintain a Vulnerability Management Program
    • Requirement 5: Protect all systems and networks from malicious software
    • Requirement 6: Develop and maintain secure systems and software
  • Goal 4: Implement Strong Access Control Measures
    • Requirement 7: Restrict access to system components and cardholder data by business need to know
    • Requirement 8: Identify users and authenticate access to system components
    • Requirement 9: Restrict physical access to cardholder data
  • Goal 5: Regularly Monitor and Test Networks
    • Requirement 10: Log and monitor all access to system components and cardholder data
    • Requirement 11: Test the security of systems and networks regularly
  • Goal 6: Maintain an Information Security Policy
    • Requirement 12: Support information security with organizational policies and programs

Find a Trusted Guide for Your PCI DSS Compliance Journey

Achieving PCI DSS compliance can be an expensive, time-consuming process—and maintaining it is a never-ending one requiring constant vigilance and annual audits or self-assessments. 

A quicker and more convenient alternative for many SMEs includes sourcing a PCI compliance “as a service” third-party provider. Qualified security assessors (QSAs) and approved scanning vendors (ASVs) can simplify cybersecurity and compliance efforts through essential services, including gap assessment, vulnerability scanning, scope reduction, penetration testing, employee training, and all required reports. 

Find the partners your SME needs for comprehensive cybersecurity and payment data protection through the RAMPxchange marketplace. Contact us to learn more and to join our coalition of strong-cybersecurity-minded businesses and organizations today.