Does your business accept payment via credit card? If so, you will likely need to be PCI compliant. This article provides a step-by-step guide for beginners on what PCI compliance is and how to get your business PCI compliant.

1. What is PCI DSS?

The PCI Security Standards Council (the "Council") was founded by large players in the credit card industry to maintain Payment Card Industry Data Security Standards (PCI DSS) for all entities that store, process, or transmit cardholder data. The Council manages the ongoing evolution of the PCI security standards while focusing on improving payment security.

2. What cardholder data is protected?

The Council defines 'cardholder data' as the Primary Account Number (PAN) or the PAN along with any of the following elements:

  • Cardholder name
  • Expiration date
  • Service Code

3. Who needs to be compliant with PCI standards?

If you are a merchant who accepts or processes payment cards, you will likely be required to follow PCI compliance rules. The PCI DSS applies to all entities that store, process, and/or transmit cardholder data.

4. What are the consequences of being non-compliant?

Fines can be anywhere from $5,000 to $100,000 per month. This depends on the size of the merchant's business and the degree of noncompliance. To determine liability, the merchant's level of PCI DSS compliance will be investigated.

5. How do I become PCI compliant?

PCI DSS compliance requirements as listed on the Visa Canada website:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Protect all systems against malware and regularly update anti-virus software or programs.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need-to-know.
  8. Identify and authenticate access to system components.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security for all personnel.

With data breaches becoming more and more common, cybersecurity, which necessarily includes PCI compliance, is becoming more of an issue. Don't wait until it is too late. Get your business to become PCI compliant today.

Siskinds has extensive experience acting on behalf of clients ranging from start-ups to multi-national organizations. Our team is ready to help your business solve any PCI compliance, data protection, and cybersecurity issues that you encounter.

This article was written in collaboration with lead co-author Andrea E. Ricci, student-at-law.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.