The Payment Card Industry Data Security Standard, better known as PCI DSS, is a global security standard for accepting and processing payment cards. First published in 2004 by the major card brands and maintained since 2006 by the PCI Security Standards Council they founded, PCI DSS encompasses 12 key requirements as well as several hundred sub-requirements and test procedures.
Being PCI compliant requires not just meeting these requirements at a point in time but continually identifying, documenting, and (where necessary) remediating the business systems and processes that involve the handling of cardholder data.
Who is subject to PCI DSS?
PCI DSS requirements must be fulfilled by any party responsible for storing, processing, or transmitting cardholder data. It applies to all organizations that handle card data, including online merchants and the service providers that process payments on their behalf.
Although most businesses subject to PCI DSS are only required to self-assess (by completing a Self-Assessment Questionnaire) rather than undergo an on-site audit, the costs of PCI failures can be crippling. When merchants sign a contract with a payment processor, they agree to pay fines if they do not comply with PCI DSS. Depending on the payment processor, fines can range from $5,000 to over $100,000 USD per month based on the size of the merchant and the extent of non-compliance. Actual breaches of cardholder data can, of course, be even more devastating.
Understanding your PCI scope
A key concept when it comes to PCI DSS is a merchant's "PCI scope": the set of systems, networks, and processes that store, process, or transmit cardholder data, or that can affect the security of that data. The more directly a merchant handles payment data, the larger its scope, and the greater the responsibility it assumes for safeguarding that data according to the PCI requirements.
As a PCI DSS Level 1-certified payment processor, PayU offers merchants a variety of ways to reduce PCI scope, limit responsibility and risk, and remain compliant. Note that outsourcing card handling reduces scope rather than eliminating it: a merchant that never touches card data still has to complete the applicable self-assessment and keep its own systems, such as the pages that redirect to or embed the processor's payment form, secure.