While not a legal requirement, PCI compliance is considered a necessity for anyone who processes, stores, or transmits payment information.
Large enterprise companies will often require PCI compliance before considering a vendor RFP or signing a contract.
A merchant directly accepts customer payments for goods and services.
A service provider may not directly accept payments, but comes into contact with payment data.
Merchants are classified as Levels 1 through 4.
Service providers are classified in two levels.
Level 1 Merchants and Level 1 Service Providers must take on the PCI assessment cost of an onsite audit performed by an external Qualified Security Assessor (QSA) or Internal Security Assessor (ISA) to deliver a Report on Compliance (ROC).
Level 2, 3, or 4 Merchants and Level 2 Service Providers complete a Self-Assessment Questionnaire (SAQ) via a qualified internal resource or team, purchase a vulnerability scan, and sign an Attestation of Compliance (AOC) form.
Two types of costs you could incur include costs to implement the PCI DSS standards, and costs to certify or document your compliance.
Costs vary from one business to another based on the size of your organization, the size of your network, your organization’s current security readiness, the number of transactions you process annually, and other factors.
Build and maintain a secure network and systems
Protect cardholder data
Maintain a vulnerability management program
Implement strong access control measures
Regularly monitor and test networks
Maintain an Information Security Policy
Transform manual data collection and observation processes into automated and continuous system monitoring.