As technology advances, so do payment methods. We have already discussed the alternatives to cash available today, such as payments through wearables, invisible payments or even payment by voice. Although each works differently, they all share one thing: the security they must offer for the transaction and for the user's personal data.
That security rests on the standards and controls that the companies providing these services have to apply under PCI DSS (Payment Card Industry Data Security Standard).
In this article we explain the origin of the standard, what it consists of and which requirements must be met to be PCI compliant and so be able to process card payments in your business.
What is PCI DSS?
The acronym PCI DSS stands for Payment Card Industry Data Security Standard. It is not a product certification but a set of security requirements for any organisation that stores, processes or transmits payment card data, with the aim of protecting cardholder data in every kind of card payment, online or in person.
It originates from the five major payment card brands (American Express, Discover, JCB International, Mastercard and Visa), which founded the Payment Card Industry Security Standards Council (PCI SSC) to protect the card payment ecosystem and which maintain the standard through it.
Before the standard existed, each brand ran its own security programme, broadly similar to the others. After identifying security gaps, the brands agreed to unify them into a single standard, first published in December 2004 (the PCI SSC itself was formed in 2006). From the start it has focused on three fundamental aspects:
- Secure handling of cardholder data when it is received and transmitted.
- Secure storage of that data, following the 12 requirements of the standard.
- Annual validation that the requirements are applied correctly, through audits, security controls and other checks, so that the environment stays secure.
Who must comply with PCI DSS?
As already mentioned, PCI DSS applies to any entity, organization or company that stores, processes or transmits payment card data. We tend to think of it as aimed at banks or acquirers (the companies that sign up merchants so that they can accept payment cards), but any merchant that accepts card payments from its customers has to comply with it, with a level of scrutiny that depends on its transaction volume and on how it handles card data. It is therefore important to check, when choosing a payment provider, that it complies with the standard as it should. The cardholder data that must be protected, whether stored, processed, transmitted or used for authentication, is:
- Primary Account Number (PAN)
- Cardholder Name
- Expiration Date
- Service Code
As well as the Sensitive Authentication Data (SAD), which may never be stored after authorization, even if encrypted:
- Full magnetic stripe data and/or the equivalent chip data (track data)
- The card verification code printed on the card (CVV2, CVC2, CID, CAV2)
- PINs and PIN blocks
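The practical consequence of the two lists above is that an application may keep the PAN only if it renders it unreadable, while SAD must not survive authorization at all. The following log scrubber, an added example that is not part of the original article, shows how that distinction looks in code: candidate card numbers are confirmed with the Luhn check (a standard check digit algorithm, not a PCI DSS control) and masked to the first six and last four digits, the classic PCI DSS display maximum, while values of fields named like SAD (CVV, PIN block, track data) are redacted entirely and reported. The log lines are constructed for the example, and the field names the regex looks for are an assumption about how a given application labels its logs.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer run of digits. Lengths follow ISO/IEC 7812.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Field names that carry Sensitive Authentication Data. This is an assumption
# about how the application names its log fields; adapt it to your own logs.
SAD_RE = re.compile(
    r"(?i)\b(cvv2?|cvc2?|cav2|cid|pin(?:[ _]?block)?|track[12]?)(\s*[=:]\s*)(\S+)"
)

# Constructed sample log lines (not from any real system).
LOG_LINES = [
    "2024-05-02T10:15:01Z INFO order=8841 pan=4111111111111111 exp=12/26 amount=19.99",
    "2024-05-02T10:15:02Z DEBUG auth request cvv2=123 pin_block=0412AC89ABCDEF67",
    "2024-05-02T10:15:03Z INFO shipment tracking=1234567890123456 carrier=ACME",
    "2024-05-02T10:15:04Z DEBUG track1=%B4111111111111111^DOE/JOHN^2612101? swipe",
]


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; cuts false positives such as order or tracking ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six (BIN) and last four digits in clear."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_log_line(line: str):
    """Return (scrubbed_line, findings) for one log line."""
    findings = []

    def redact_sad(m):
        # SAD must not be stored after authorization, so the whole value goes.
        findings.append(f"SAD field '{m.group(1)}' redacted; must not be stored after authorization")
        return f"{m.group(1)}{m.group(2)}[REDACTED-SAD]"

    def mask_candidate(m):
        raw = m.group(0)
        digits = re.sub(r"\D", "", raw)
        if not luhn_valid(digits):
            return raw          # a 16-digit id that is not a card number stays as-is
        findings.append(f"PAN masked ({digits[:6]}...{digits[-4:]})")
        return mask_pan(digits)

    line = SAD_RE.sub(redact_sad, line)     # first: drop SAD values entirely
    line = PAN_RE.sub(mask_candidate, line)  # then: mask any remaining PANs
    return line, findings


def scrub_all(lines):
    """Scrub a batch of lines; returns a list of (scrubbed_line, findings)."""
    return [scrub_log_line(l) for l in lines]


if __name__ == "__main__":
    for scrubbed, findings in scrub_all(LOG_LINES):
        print(scrubbed)
        for f in findings:
            print("   !", f)
```

Scrubbing like this is a safety net for a logging pipeline, not a substitute for keeping card data out of application logs in the first place; the tracking id on the third line is deliberately left alone because it fails the Luhn check, which is also why a Luhn pass alone should never be treated as proof that a number is a live card.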
How to be PCI Compliant?
Being PCI compliant means meeting the current PCI DSS requirements. The standard organises them into six control objectives that group a total of 12 mandatory requirements, which every company that stores, processes or transmits card data must meet to validate its compliance:
- Build and maintain a secure network and systems: (1) install and maintain network security controls such as firewalls to protect cardholder data; (2) do not use vendor-supplied defaults for passwords and other security parameters.
- Protect cardholder data: (3) protect stored cardholder data; (4) encrypt transmission of cardholder data across open, public networks.
- Maintain a vulnerability management programme: (5) protect all systems against malware; (6) develop and maintain secure systems and applications.
- Implement strong access control measures: (7) restrict access to cardholder data by business need to know; (8) identify and authenticate access to system components; (9) restrict physical access to cardholder data.
- Regularly monitor and test networks: (10) track and monitor all access to network resources and cardholder data; (11) regularly test security systems and processes.
- Maintain an information security policy: (12) maintain a policy that addresses information security for all personnel.
SAQ and PCI DSS
Although many businesses today choose to contract certified payment gateways, so that card data never touches their own systems and the gateway carries most of the PCI DSS burden, the merchant still has to validate its own compliance. For smaller merchants there is a lighter way to do so.
It is known as the SAQ (Self-Assessment Questionnaire). It is essentially a checklist that eligible merchants and service providers (depending on their annual transaction volume and on how they handle card data) complete, together with an Attestation of Compliance, to demonstrate that they meet the requirements. There are several SAQ versions, and which one applies depends on how cards are accepted, for example whether payment is fully outsourced to a hosted page or card data passes through the merchant's own systems.
Can any business or service provider use it? Not necessarily: it is the acquirer (or the card brand, in the case of service providers) that sets the merchant's level and tells it whether it may self-assess with an SAQ or must undergo an on-site assessment by a Qualified Security Assessor (QSA), which produces a Report on Compliance (ROC).
What happens if PCI DSS is not complied with?
As mentioned before, any entity involved, directly or indirectly, in processing card payments is obliged to apply the requirements demanded of it. What happens if you do not comply? Beyond the loss of customer trust and reputational damage with the brands you work with, the consequences can include fines imposed by the card brands, which are levied on the acquirer and typically passed on to the merchant, higher transaction fees, the cost of a forensic investigation if a breach occurs and, in the worst case, loss of the ability to accept card payments at all.