PCI Compliance: What Does It Mean?


What does being PCI compliant mean? It’s a question we get all the time from customers who want to know what’s required and what they should expect from us. The answer is simple, but it can be difficult to explain.

Table of Contents

  • Payment Card Industry Data Security Standard
  • PCI Compliant
  • PCI Compliance in High-Risk Industries
  • How Long Does it Take to Become PCI Compliant?
  • Regular PCI Audits
  • Different Ways To Become PCI Compliant
  • Levels of PCI Compliance
  • PCI/Non-PCI Compliant Companies
  • What happens if you don’t meet the standards?
  • Choose Zenti

Payment Card Industry Data Security Standard

The Payment Card Industry Data Security Standard (PCI DSS) is a set of rules and regulations that govern how companies store, transmit and process credit card data. The goal of PCI DSS is to protect customers by encouraging companies to implement more effective data security practices. If you’re still confused about what this all means, don’t worry! The next section will explain exactly what it means for your company to be compliant with all things PCI.

PCI Compliant

Merchants can’t be PCI compliant unless they comply with all categories of the PCI DSS standard. These include:

  • Security policy

  • Protecting stored cardholder data

  • Maintaining a vulnerability management program

  • Implementing strong access control measures

  • Regularly testing security systems and processes

PCI compliance is a must for any business processing card payments. The categories listed above are just a few of the many reasons why PCI compliance is important. By becoming PCI compliant, businesses can improve their security posture, reduce the likelihood of a data breach and maintain or improve customer trust. Additionally, PCI compliance is essential for businesses that want to comply with regulations.

PCI compliance can improve customer happiness. When customers feel confident that their data is safe and secure, they are more likely to be happy with your company. In addition, PCI compliance can help to reassure customers that you’re taking the necessary precautions to protect their information.

PCI Compliance in High-Risk Industries

PCI compliance is especially important for businesses in high-risk industries. These businesses are more likely to be targeted by hackers, and it is essential that they take the necessary precautions to protect their data. The PCI Security Standards Council has created a number of PCI compliance standards specifically for high-risk businesses. These standards include:

  • PCI DSS for Service Providers

  • PCI DSS for Software Developers

  • PCI DSS for Retailers

  • PCI DSS for Processors

How Long Does it Take to Become PCI Compliant?

PCI compliance can be a time-consuming process, but there are many resources available to help businesses become compliant. The PCI Security Standards Council offers a self-assessment quiz to help businesses determine their level of compliance, and there are many third-party providers that offer PCI compliance services. Becoming PCI compliant can take anywhere from a few weeks to a few months, depending on the size and complexity of your business.

Regular PCI Audits

PCI compliance must be maintained on an ongoing basis. Businesses must undergo regular PCI audits to ensure that they are still in compliance with the PCI DSS requirements. The PCI Security Standards Council recommends that businesses conduct an annual PCI audit. However, depending on your business’s risk level, you may need to conduct more or fewer PCI audits.

Different Ways To Become PCI Compliant

There are different options when looking to become PCI compliant. Businesses can either self-certify or use a PCI-validated service provider. Self-certification is the process of verifying that your business meets the PCI DSS requirements on your own. This option can be tricky, as businesses are responsible for their own compliance. Using a PCI-validated service provider is the other option. PCI-validated service providers have been certified by the PCI Security Standards Council and are responsible for ensuring that their clients meet the PCI DSS requirements. This option can be helpful as businesses can rely on the service provider to help achieve and maintain compliance.

Levels of PCI Compliance

There are three different levels of PCI compliance: basic, comprehensive, and enhanced. Basic PCI compliance is the minimum requirement for businesses. This level includes implementing the PCI DSS requirements and undergoing a self-assessment. Comprehensive PCI compliance goes beyond the basics and includes additional measures such as vulnerability scanning and penetration testing. Enhanced PCI compliance is the most rigorous level and includes measures such as daily vulnerability scanning and quarterly penetration testing.

PCI/Non-PCI Compliant Companies

There are dozens of examples of businesses that have been found non-compliant with PCI standards over the past few years; below we’ve listed some of these cases:

Home Depot

Home Depot was not compliant with PCI standards. They suffered a breach in September 2014, which led to an $18.5 million payment for credit monitoring, as well as $19.5 million in fines from the card brands.

Neiman Marcus

Neiman Marcus is another example of a company that was not in compliance with PCI standards. In 2013, the luxury retailer was breached by hackers and several million credit card numbers were stolen. Neiman Marcus had to pay $1.5 million in fines for its lack of compliance with PCI standards, and it is now compliant with all PCI standards.

Target

In 2013, Target was hacked by Russian hackers and the information of 70 million customers was stolen. In 2015, a malware breach at Target led to the theft of 40 million credit card numbers. In 2016, another malware attack at Target compromised an additional 70 million payment cards and personal data for as many as 110 million people.

The results were devastating: since these breaches happened, banks have seen a 50% rise in fraud rates due to fraudulent purchases originating from overseas countries such as Russia and India, where the stolen cards could be used before they even expired.

Bebe Stores

Bebe Stores is a chain of clothing stores in the United States and Puerto Rico. It was founded in 1983 by Isidore and Doris Zabar, who named it after their grandson, Solomon “Bebe” Zabar. It is currently owned by Vestis Retail Group, Inc., which also owns regional chains such as White House Black Market and Maurices.

In 1984, Bebe became known as a hip boutique that sold trendy clothes to young women at affordable prices; its advertisements often featured models in their twenties or younger.[1] In 1985, The New York Times described Bebe as having “good taste” that appealed to teenagers but not being “too high-priced”.[2]

Michaels Stores

Michaels Stores, Inc. is the largest specialty retailer of arts, crafts, framing and a full line of beads, crafts and jewelry-making supplies in the United States. In 2014 Michaels Stores was the victim of a data breach that affected an estimated 3 million credit cards. The company has not completed its PCI compliance process, which means it wasn’t using current industry standards to protect customer data as well as it should have been.

Staples

Staples was fined $400,000 in 2014 for a data breach that affected 1.16 million payment cards. The retailer also received two fines of $250,000 in 2013 and $25,000 in 2009 for other breaches involving Staples employees accessing customer data without authorization.

P.F. Chang’s China Bistro

P.F. Chang’s China Bistro is a chain of Chinese restaurants based in Scottsdale, Arizona. It was the target of a data breach that affected customers who used their credit or debit cards at P.F. Chang’s from March to July 2016. The breach was discovered by the company’s security team, after which it began investigating what had happened and notified law enforcement authorities about its findings.

In May 2018, P.F. Chang’s parent restaurant group announced that it had not only been affected by malware on point-of-sale (POS) systems but also potentially compromised by an advanced persistent threat (APT) attack that involved malware introduced into POS systems via remote access methods such as remote desktop services (RDS).

Goodwill Industries International Inc.

Goodwill Industries International Inc. is a nonprofit organization that provides job training, employment placement and other community-based services to people with disabilities and disadvantages. In December 2013, Goodwill Industries of Southern California was the victim of a data breach that compromised the personal information of more than 5 million customers and donors. In total, this encompassed more than 9 million records containing sensitive information such as names, addresses and Social Security numbers stored on internal databases.

A data breach like this can have serious consequences for the victims involved: fraudulent account activity; identity theft; legal action against the company responsible for protecting your data; damage to brand reputation and loss in customer loyalty resulting from poor communication during the aftermath of an incident.

Dairy Queen

Dairy Queen has had some pretty bad luck with security. In 2016, it became the victim of a breach that exposed up to 500 million customers’ personal information and credit card numbers. Dairy Queen was forced to pay out $10 million in a class action lawsuit and $50 million to Visa and MasterCard as part of a settlement agreement.

Wyndham Worldwide Corporation and its affiliates (Ramada, Days Inn, Super 8, Howard Johnson hotels)

Wyndham Worldwide Corporation is a leading owner, operator and franchisor of hotels. The company has over 7,000 hotels worldwide. In the United States alone, Wyndham Worldwide Corporation has over 1,300 hotel properties in its portfolio.

The company offers guests all kinds of amenities including swimming pools and fitness rooms as well as meeting spaces where they can host events or conferences with friends or family members.

What happens if you don’t meet the standards?

If a business does not meet the PCI DSS requirements, it can face penalties such as fines and suspension of PCI privileges. In the worst-case scenario, a business could be shut down if it is found to be in non-compliance.

Choose Zenti

It’s important to remember that when all is said and done, PCI compliance is just another part of doing business. Ensuring you know the ins and outs, or hiring someone like Zenti who does, will keep your business secure and trustworthy. Contact us today to learn how we protect customer information and how your business can process PCI-compliant payments.
