Is PCI Compliance Required by Law?
A payment card is a branded debit or credit card that is electronically linked to an account and used to pay for products and services. Businesses need to pay special attention to the way they handle these payments, as negligence in this area can be detrimental to your company's reputation. This means that organisations must adhere to the industry requirements set by the PCI Security Standards Council, the Payment Card Industry Data Security Standard (PCI DSS).
Who needs to be PCI compliant?
Any entity that stores, processes or transmits cardholder data should comply with PCI DSS. PCI compliance is split into four levels, and the exact requirements for each depend on your business' annual transaction volume.
There are four main types of businesses that must be PCI compliant, including:
- Merchant: A merchant accepts a payment card from a cardholder in return for products and services.
- Service providers and third parties: A service provider or third parties such as payment service providers and software vendors. These entities store, process or transmit cardholder data on behalf of a merchant.
- Financial institutions: A financial institution processes, stores and transmits payment card data when carrying out transactions such as investments, loans and deposits. These include entities such as banks, insurance companies, investment dealers and brokerage firms.
- Card schemes: Card schemes set and comply with the PCI DSS standards.
However, if you choose to use a payment gateway, the payment provider takes responsibility for PCI compliance. They are obligated to protect and encrypt any data, especially if it is entered into your website. When choosing a payment gateway, it's important to consider how high their PCI levels are to ensure that payments processed on your page will be properly protected.
Merchant and Service Provider Levels
Merchant and service provider levels give a ranking relating to annual transactions. This ranking determines the risk level of a merchant or service provider, and the appropriate level of security for their business. This also determines the assessment and validation requirements for each merchant and service provider. A merchant will have four levels, whilst a service provider has two.
There are also fees to become PCI compliant. The extent of these costs depends on the size of your business, the level of security you already have in place and the technology you use. You may need to address or upgrade some of these things in order to make your business completely PCI compliant.
What does the law state around PCI compliance?
Technically, compliance with the standards for PCI DSS is not required by law in the UK. However, non-compliance often leads to hefty fines set by the payment brand. The size of the fine will vary depending on the number of card transactions processed. It's also important to note that data losses often involve the loss of personal data, which means breaching the Data Protection Act 1998. The Information Commissioner's Office (ICO) has enforcement powers to impose fines of up to £500,000 for this. Therefore, whilst PCI compliance isn't officially mandatory, you should regard compliance with the same level of responsibility and vigilance as you would a legal requirement.
Why is PCI compliance important?
PCI compliance is often regarded with a level of apprehension, as there is still a sense of ambiguity surrounding the various associated procedures and risks. Whilst it isn't a law, reports suggest that in 2015, 90% of organisations suffered data security incidents. This highlights how no business is immune to problems with PCI DSS, so it's essential that your payment processing life cycle is secure.
If you have suffered from data compromise, you are obligated to communicate with a PCI Forensic Investigator (PFI) in order to establish the source of the breach. This can cost thousands of pounds, which you will liable for if the investigator finds evidence of non-compliance. You may also be required to pay Card Scheme fines, which are passed to the acquirer then to the merchant. These fines can be so great that merchants are forced to stop trading.
As well as fines, there are also fees associated with PCI non-compliance. If your business fails to comply with PCI standards, you could be at risk for data breaches, card replacement costs, costly forensic audits and investigations into your business, brand damage, and more.
Even more important than the monetary dimension of PCI compliance is the inherent ethical obligation businesses owe to their customers. Consumers trust you with valuable personal information, and so being compliant with PCI DSS means that you're doing your very best to keep their data safe. If your business becomes affiliated with irresponsible management and control over data security, the consequent reputational damage will most likely lead to diminished sales and financial losses.
In 2010, the handmade cosmetics company Lush Cosmetics experienced the consequences of negligence towards PCI compliance. After placing online orders with Lush, several customers reported noticing fraudulent transactions in their bank accounts. Lush responded to this by releasing a 'Customer Notice' explaining that their website had been hacked and encouraging customers to contact their banks for advice. This prompted an investigation, which found that Lush hadn't taken adequate steps to protect their customers' data and had failed to undertake regular security checks. The retailer was found guilty of breaching the Data Protection Act 1998 (DPA) and fined. Perhaps more significantly, however, they lost the trust and confidence of many customers.
Becoming PCI compliant and maintaining that compliance might seem like a lengthy process. Meeting industry standards often means negotiating many complex procedures including implementing security controls and hiring an expensive third-party consultant to install costly software and hardware. However, Lush is a prime example of the disastrous consequences faced by businesses that don't respond to PCI DSS responsibly.