Our Guide to PCI Professional Training

It is crucial for all businesses that take payment by card to be PCI DSS compliant. Individuals can become qualified as a PCI Professional through a training course, and businesses can pay to achieve compliance through assessment each year. We take a look at what PCI DSS compliance entails, what is required and how to become compliant, as well as an alternative to the costly and timely process of seeking compliance yourself.

What is PCI DSS?

Standing for Payment Card Industry Data Security Standard, PCI DSS is a security standard that applies to businesses of any size if they accept payments by card. Accepting card payments involves cardholder data being stored, processed and transmitted by your company, and using a PCI DSS compliant system ensures that this data is handled securely. The standard is in place to help prevent fraud and data breaches.

It is important to ensure your business remains PCI DSS compliant regardless of size, as noncompliance will typically result in a fee. Risking a data breach can also be particularly damaging for your brand’s image and can result in a substantial fine. The specific requirements needed for PCI compliance depend on the size of your business.

What Are the PCI Compliance Levels?

There are four categories of PCI compliance, dependent on annual transaction volume. Level 1 is the highest level and is for sellers that process over six million transactions in a 12-month period. This level is also applied to those who have experienced a data breach in the past that led to account data being exposed. Level 1 companies will be required to undergo an assessment or audit, known as a Report on Compliance, each year by a Qualified Security Assessor. They will also need to undergo an Approved Scanning Vendor network scan each quarter, as well as completing an Attestation of Compliance form.

Level 2 is for sellers that make between one and six million transactions a year. Level 3 refers to businesses that process between 20,000 and one million ecommerce transactions a year. Level 4 is for sellers that process fewer than 20,000 ecommerce transactions a year, and certain other sellers that receive up to one million transactions in a year. For each of these levels, sellers will need to complete the PCI DSS Self-Assessment Questionnaire, pass a vulnerability scan with a PCI SSC Approved Scanning Vendor and complete an Attestation of Compliance form.

What is PCI Professional Training For?

If you work in industries such as information security, finance or ecommerce, then you can become a PCI Professional through a training course dedicated to gaining an understanding of PCI standards. This is an individual qualification, rather than a certification that applies to a whole business; however, with a trained staff member, you can ensure that your organisation knows how to apply PCI standards and remain compliant.

The course will take you through the principles of PCI DSS, PA-DSS, PCI PTS, and PCI P2PE, giving you a clear understanding of the PCI DSS requirements. It can also teach you how to undertake a Self-Assessment Questionnaire for your company, as required for Level 2, 3 and 4 merchants.

To become accredited as a PCI Professional, you will need to undertake an eLearning course through the PCI Security Standards Council and pass an exam. Requalification is then required every two years.

What Does PCI Compliance Cost?

The amount you pay to achieve and maintain PCI compliance depends on the size of your business and the level you fit into. For example, a Level 1 business could expect to pay upwards of £50,000 a year to remain compliant, as this goes towards the network scans, annual reports and Attestation of Compliance. Level 2 companies would pay between £8,000 and £40,000 to remain compliant, depending on the size of their network, with a Level 3 company incurring costs starting at £1,000. A Level 4 company would pay upwards of around £700 a year to remain compliant, covering network scans and the completion of self-assessments.

Hostcomm Can Take Care of Your PCI Compliance Without the Fuss

While your business can handle its own PCI DSS compliance, as you can see, this can be complicated and expensive, with regular training and costly assessments required. Luckily, you don’t have to take on this task alone. Our Hostcomm solutions are all PCI DSS compliant, allowing your contact centre to be descoped. This means you do not have to validate your compliance through the processes detailed in this article for payments made through the Hostcomm services. Provided you use our system for the storage, processing and transmission of your customers’ data, payments made through our solutions will be PCI DSS compliant.

Our integrated solution helps to deliver PCI DSS compliance at a reduced cost. Currently, many agent-assisted payments use DTMF tone suppression to take a secure payment; however, this can be costly. Furthermore, some customers find keying in their details time-consuming or do not trust the system, which can lead to dropped calls. Hostcomm’s Contact Centre and Payment IVR Solution eliminates these issues and costs, offering improved payment closure rates and allowing you to start taking secure payments immediately. Plus, our PCI DSS Level 1 Service Provider certification applies to the entire network, not just the payment IVR, protecting all of your customer data to a high standard.

If you would like to learn more about how Hostcomm can help your business achieve PCI DSS compliance in the UK, then please get in touch today!
