Online shopping is now second nature for most people. We click, we buy, and our information is seamlessly processed—all with a sense of trust that our financial data is secure. But have you ever stopped to wonder what goes on behind the scenes to ensure this trust?
The answer lies in a set of security standards called PCI DSS. Below, you’ll learn the requirements behind this abbreviation, and what it means for both online sellers and customers.
What is PCI DSS (Payment Card Industry Data Security Standard)?
PCI DSS stands for Payment Card Industry Data Security Standard. It’s a set of security requirements backed by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) to make sure businesses that handle cardholder data do so securely. Think of it as a rulebook for protecting sensitive customer payment information.
PCI DSS is overseen by an independent group of experts, the PCI Security Standards Council (PCI SSC), founded in 2006. These standards apply to any organization that accepts, transmits, or stores credit card information, regardless of size or transaction volume.
This includes businesses like stores and service providers, but also extends to non-profits and others that might handle card payments. It’s important to note that even if you outsource your payment processing, you’re still responsible for complying with PCI DSS to ensure customer credit card data is protected. Outsourcing can, however, shrink the part of the standard that applies to you: a merchant whose card entry is fully handled by a validated third party (for example, a hosted payment page) is typically eligible for a much shorter self-assessment questionnaire than one that handles card numbers on its own systems.
What’s the purpose of PCI DSS?
The main goal of PCI DSS is to keep sensitive cardholder data safe, including debit and credit card numbers (the primary account number, or PAN), cardholder names, expiration dates, and security codes. By requiring strong payment security measures, PCI DSS helps businesses reduce data breaches, identity theft, and credit card fraud. It also sets clear expectations for how organizations should handle sensitive information, creating a more secure environment for everyone involved.
6 principles of PCI DSS
PCI DSS covers 12 key requirements, which are organized into six groups, known as control objectives. The control objectives are:
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access-control measures
- Regularly monitor and test networks
- Maintain an information security policy
12 PCI DSS requirements
The current version of the standard is PCI DSS 4.0.1, a clarifying update published in June 2024 to PCI DSS 4.0 (released in March 2022). Many of the new controls introduced in version 4 were future-dated and became mandatory on March 31, 2025. In the version 4 wording, the 12 key compliance requirements are:
- Install and maintain network security controls.
- Apply secure configurations to all system components (no vendor-supplied defaults for passwords or other security parameters).
- Protect stored account data.
- Protect cardholder data with strong cryptography during transmission over open, public networks.
- Protect all systems and networks from malicious software.
- Develop and maintain secure systems and software.
- Restrict access to system components and cardholder data by business need to know.
- Identify users and authenticate access to system components.
- Restrict physical access to cardholder data.
- Log and monitor all access to system components and cardholder data.
- Test security of systems and networks regularly.
- Support information security with organizational policies and programs.
PCI DSS compliance levels
As a merchant, you need PCI DSS compliance; how you prove (validate) it depends on your annual transaction volume and how you accept payments. Merchant levels are defined by each card brand and enforced by your acquiring bank, so confirm your level with your acquirer. The four levels below use Visa’s commonly cited thresholds; the other brands use similar tiers.
Level 1
Level 1 merchants process more than six million card transactions per year, across all channels, and face the strictest validation requirements. Merchants at this level must:
- Complete an annual report on compliance (ROC), produced by a third-party qualified security assessor (QSA) or, where the card brand allows it, by a qualified internal security assessor (ISA)
- Undergo quarterly external vulnerability scans by an approved scanning vendor (ASV) and annual penetration testing
- Complete an attestation of compliance (AOC), signed off by the assessor
Level 2
Merchants processing between one million and six million card transactions per year fall under Level 2. At this level, you need to:
- Complete an annual self-assessment questionnaire (SAQ)
- Conduct quarterly external vulnerability scans by an ASV
- Complete an AOC
Some card brands require a QSA or ISA to sign off on a Level 2 SAQ, so check your acquirer’s requirements.
Level 3
This level applies to merchants processing 20,000 to one million ecommerce transactions per year. Level 3 requires you to:
- Complete an annual SAQ
- Conduct quarterly external vulnerability scans by an ASV
- Complete an AOC
Level 4
Level 4 applies to smaller merchants: fewer than 20,000 ecommerce transactions per year, or up to one million card transactions per year across all channels. At Level 4 you need to:
- Complete an annual SAQ
- Conduct quarterly external vulnerability scans by an ASV, where your SAQ type calls for them
- Complete an AOC
Your acquirer decides which of these documents you must actually submit; the security requirements themselves apply regardless of whether anyone asks you to prove them.
Advantages and disadvantages of PCI DSS compliance
While there are some costs to setting up and maintaining PCI DSS, they’re much smaller than the problems a data breach can cause. And PCI DSS compliance builds trust with your customers, making the investment well worth it. Here’s what you can expect:
Advantages of PCI DSS
- Fewer security headaches: Stronger data security makes it harder for attackers to steal customer information, which means less stress and fewer disruptions for your business.
- Stronger customer relationships: Complying with PCI DSS shows customers you’re committed to protecting their financial information, which builds trust and loyalty.
- Reduced costs down the line: Avoid the hefty fines, costly lawsuits, and reputational damage associated with data breaches by proactively safeguarding sensitive data.
Disadvantages of PCI DSS
- Setup costs: PCI DSS compliance involves upfront costs for security tools and employee training.
- Ongoing management: Keeping PCI compliance requires regularly checking your systems, updating security protections, and making sure employees stay up to date.
- Changing landscape: Evolving threats and advances in technology mean the industry is always changing, and businesses must adapt to keep up.
- Complexity: The specifics of PCI DSS can get complicated. Depending on your business size and type, you might need help from a professional to set it up right.
PCI DSS compliance best practices
Here are some key best practices to help you stay compliant and handle customer payment information securely:
- Restrict access: Private customer data should remain on a need-to-know basis. Only employees who need it for their job duties should have access to cardholder data.
- Build strong defenses: Invest in security tools like firewalls and anti-virus software to protect your systems, and update them regularly.
- Keep it separate: A secure network infrastructure involves segmenting networks to separate cardholder data from other parts.
- Keep it encrypted: Use strong cryptography to protect cardholder data in transit (TLS on any open or public network) and at rest. For stored PANs, that means strong encryption with properly managed keys, tokenization, or truncation. Sensitive authentication data such as the CVV must never be retained after authorization, even in encrypted form.
- Perform regular check-ups: Keep systems and software up to date with security patches.
- Train your teams: Educate and train your employees on data security best practices to avoid accidental breaches.
- Enforce strong authentication: Require long passwords (PCI DSS 4.0 sets a minimum of 12 characters where the system supports it), rotate them at least every 90 days wherever a password is the only authentication factor, and use multi-factor authentication (MFA), which PCI DSS 4.0 requires for all access into the cardholder data environment.
- Keep audit logs: Maintain detailed audit logs of access to system components and cardholder data, protect them from tampering, review them regularly, and make sure full card numbers never end up in them.
- Have a plan: Develop a plan to respond to security incidents quickly and effectively.
- Make it official: Establish a company-wide information security policy that covers how you handle and protect cardholder data.
Remember, PCI DSS compliance is an ongoing process. By following these best practices, you can significantly reduce the risk of data breaches and protect your business and your customers.
Stay compliant with Shopify Payments
Good news for Shopify sellers: We’ve done the work for you. Shopify is PCI DSS compliant, and that extends by default to all stores powered by Shopify.
That means, we securely store your customers’ billing and shipping information on PCI-compliant servers. We validate compliance through annual assessments and proactively manage ongoing risk. Our compliance covers all six PCI standard categories and applies to every store using our platform.
In short, when you choose Shopify to power your store, you can rest easy knowing that we’ve invested significant time and money to maintain our Level 1 PCI certification and protect every transaction. Your store, its shopping cart, and its web hosting are all covered.
PCI DSS FAQ
What does PCI DSS mean?
Payment Card Industry Data Security Standard, or PCI DSS, is the information security standard for handling payment cards from the major card brands (Visa, Mastercard, American Express, Discover, and JCB). The standard helps prevent data breaches, fraud, and identity theft by establishing baseline security requirements for payment environments. PCI DSS is an industry standard rather than a law in most jurisdictions, but organizations that process card payments are contractually obligated through their acquirer to meet its requirements.
What are the 4 things that PCI DSS covers?
PCI DSS covers four main areas:
- Processing digital transactions and payments using cards
- Storing payment card data
- Transmitting cardholder information
- Securing the card processing environment, including POS devices, providers, and acquirers.
What is PCI DSS required for?
PCI DSS applies to all organizations that process, transmit, and/or store payment card information, no matter the size or number of transactions. It also contains requirements for the card-processing environment itself, including point-of-sale (POS) devices, servers, networks, service providers, and third-party payment processors.