As cybersecurity becomes more important, businesses accepting credit or debit card payments must do all they can to be PCI compliant.
Since top credit card companies created the Payment Card Industry Security Standards Council (PCI-SSC) in 2006, the concept of PCI compliance has grown in importance as businesses battle rising cybersecurity threats.
The growing emphasis on PCI compliance is a recognition of the fact that cybersecurity remains the most important factor that will either enhance or hinder the digital payments revolution.
A cyber attack takes place every 39 seconds and there are more than 800,000 cyber attacks every year, according to data curated by Astra Security, a cybersecurity firm. Furthermore, the global economy was estimated to have lost a whopping $8 trillion to cyber attacks in 2022, according to Evolve Security.
In a bid to protect consumers, PCI compliance standards require that businesses that collect credit or debit card payments implement certain security measures and conform to certain requirements.
Implementing the standards demanded by the PCI-SSC is not easy for businesses, especially small ones, which may find it difficult to understand what the standards are all about and/or how to execute them.
In what follows, we will explain in easy-to-understand terms what PCI compliance is all about and what small businesses can do to be PCI compliant. We’ll cover the following:
[Do you want to accept payments in Kuwait in the most convenient way possible while staying compliant with Kuwait’s payment standards? Sign up for Kem for instant, P2P, and contactless payments.]
Simply put, PCI compliance means that a business processing credit or debit card transactions has adhered to the requirements and standards, also known as the PCI-DSS (Payment Card Industry Data Security Standard), set by the PCI-SSC.
However, while the PCI-SSC sets the standards, they are not the ones who enforce the standards on businesses. In between the PCI-SSC and the businesses accepting card payments are at least two other stakeholders:
They do this by setting validation requirements that depend on the category level that a merchant falls into.
PSPs and MSPs do this by including these standards in the terms and conditions they impose on businesses that want to work with them. Since these businesses cannot collect card payments without one of these platforms, they need to conform to these terms and conditions (which are expressions of the original PCI-SSC standards).
Since merchants vary by the volume of transactions they perform, the level of compliance required also varies. Card networks typically divide compliance into four levels (Level 1 through Level 4), with Level 1 being the most rigorous.
For Visa and MasterCard (the two most popular credit card brands in the world), the division is as follows:
Source: Accountable HQ
Validation requirements for those belonging to Level 2-4 consist of:
However, for those in Level 1, self-assessment is not permitted. Instead, there must be an annual Report on Compliance (“ROC”) which will be done by a Qualified Security Assessor (“QSA”) or internal auditor.
These validation requirements show that PCI-DSS compliance is not a one-off issue; assessment and remediation must happen yearly for merchants to maintain a compliant status.
There is no regulatory mandate that makes PCI compliance a legal requirement imposed by the government; therefore, non-compliance in itself is not illegal.
However, as we have seen, non-compliance can prevent a merchant from being accepted by a payment service provider or a merchant service provider.
Furthermore, merchants that are non-compliant can be fined by card networks. “Regulatory bodies take data security very seriously, and non-compliance can result in substantial fines, far outweighing the investment needed to achieve and uphold it,” according to Easy Llama, a firm training organizations on how to create safe workplaces.
Also, “non-compliance can expose businesses to legal liabilities, particularly if a data breach results in the theft of sensitive customer data. The aftermath of such incidents may lead to lawsuits from affected customers and other parties seeking compensation for damages incurred.”
Furthermore, security breaches that result in losses for customers can lead to a loss of customers' trust and bad PR.
In essence, while non-compliance is in itself not illegal, it can result in substantial legal liabilities and business loss when customers' debit or credit card information is stolen while they are trying to pay you.
We have talked a lot about PCI-DSS, but what exactly are these standards?
Below are the 12 requirements identified by the PCI-SSC:
Source: ADKtechs
CCTV cameras can be installed in those business areas and/or entry and exit can be electronically controlled so that only those with prior permission can access them.
Internal and external penetration testing must also be executed annually.
Also, merchants must use testing to validate any segmentation and scope-reduction controls.
While these 12 requirements are very clear on what merchants need to put in place, implementing them can be difficult.
Card networks have made this easier by providing self-assessment questionnaires (SAQs), which serve as a PCI-DSS compliance checklist that merchants can use to assess how well they are doing.
At the moment, there are 9 different types of SAQs. The one a merchant will use depends on the type of payments they collect:
SAQ A is also used by organizations that have outsourced all cardholder functions (storing, processing, transmission) to a PCI-DSS compliant third party.
They can be brick-and-mortar stores or mail and telephone order merchants, but not ecommerce merchants.
For an example of how these questionnaires help businesses better implement the 12 requirements, consider the following pages from SAQ A:
The first column contains the 12 PCI-DSS requirements with each one divided into its component parts. For each component part, the second column shows the step(s) that the merchant needs to take to ensure compliance.
In the last column, the merchant can check whether the requirement is in place, not in place, not applicable, or in place with CCW (the requirement has been met with the assistance of a compensating control, used when certain constraints made it necessary to use an alternative control instead of the control originally required).
So, how can you as a small business achieve PCI-DSS compliance?
The first step is to identify which level you belong to by evaluating the number of card transactions you complete in a year.
After that, you must choose the SAQ that applies to you based on the type of card payments you collect.
Thirdly, you must review all the 12 requirements and start using the applicable SAQ to identify the steps you need to take to comply.
At this stage, you must decide whether you have the capacity to comply all by yourself or whether you need a third-party agent to assist. There are Qualified Security Assessors that can help you design and implement security controls that will meet PCI security requirements.
Fourth, you will need to do a quarterly network scan with one of the Approved Scanning Vendors provided by the PCI-SSC.
It is worth noting that PCI compliance is easier if you are working with a PSP instead of an MSP. In addition to removing the need for you to have your own merchant account, PSPs also take charge of implementing some of the compliance requirements, leaving you with much less to do.
Another way to make compliance easier, as a small business, is to work with P2P online payment platforms like Kem that support C2B (customer to business) payments.
With Kem, your customers will pay you by transferring money from their wallet to yours or by scanning your QR code both online and offline.
Since Kem handles the processing of money from customers’ credit and debit cards to their wallets, the responsibility for PCI compliance lies with them and not you (since you don’t store customers’ credit or debit card data). All you need do is meet any terms and conditions Kem requires for you to operate an account with them.
And Kem has embraced that responsibility by being PCI-DSS Level 1 (the most rigorous) compliant. This means that it can safely process credit and debit card payments through its platform.
Similarly, inter-wallet transfers across its platform are safe because Kem uses cutting-edge encryption and fraud detection technology powered by AI to make sure your data and money are safe and secure. All in all, Kem provides a secure payment system that SMEs in Kuwait can use.
If you are a small business that doesn’t have the capacity to set up your own payment infrastructure and meet the necessary compliance requirements, you can get started by working with Kem.
[Are you a small business in Kuwait that wants to easily accept payments from your customers while remaining PCI compliant? Sign up for Kem for convenient P2P, instant, and contactless payment.]