Credit card security is a top priority for everyone in the payments industry, especially in the wake of the global pandemic, which saw cyberattacks explode as everything from shopping to work to education moved online. PCI compliance is one of the primary ways merchants and payments service providers protect against cyberattacks and data breaches, and it’s extremely important that your ISO and your merchants understand it. 

Unfortunately, PCI compliance is a complex subject that can be difficult to navigate, especially for newer ISOs and smaller merchants. With that in mind, the following is a quick primer on what PCI compliance is, what it means for your business, and how you can help your merchants.  


What is PCI Compliance?

The Payment Card Institute Data Security Standard, or PCI-DSS for short, is a set of security protocols published and enforced by the Payment Card Institute Security Standards Council (PCI-SSC) – an organization made up of American Express, Discover, JCB International, MasterCard, and Visa. The goal of the PCI-DSS is to standardize security to help ensure sensitive customer payment data doesn’t fall into the hands of bad actors. PCI compliance is the process of meeting the 12 security standards set out under the PCI-DSS.

PCI-DSS lays out a set of standards for both digital and physical security that must be followed by all companies handling card data or involved in the payments process. The extent of compliance depends on a number of factors, including how companies handle credit card data, their annual sales, their technology stacks, and more. Companies that are required to meet PCI standards and don’t are subject to significant fines from the card companies and also increase their risk of being held liable for an expensive data breach.  

How Do Companies Become PCI Compliant?

The PCI-DSS has 12 basic requirements that businesses have to meet across six security goals:

Build and Maintain a Secure Network and Systems
1. Install and maintain network security controls
2. Apply secure configurations to all system components

Protect Account Data
3. Protect stored account data
4. Protect cardholder data with strong cryptography during transmission over open, public networks

Maintain a Vulnerability Management Program
5. Protect all systems and networks from malicious software
6. Develop and maintain secure systems and software

Implement Strong Access Control Measures
7. Restrict access to system components and cardholder data by business need to know
8. Identify users and authenticate access to system components
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Log and monitor all access to system components and cardholder data
11. Test security of systems and networks regularly

Maintain an Information Security Policy
12. Support information security with organizational policies and programs

Source: PCI DSS 4.0 Quick Reference Guide


Meeting the 12 requirements is the first step in becoming PCI compliant. But PCI compliance is not a static process – it’s an ongoing one that requires constant monitoring and updating over time. Once a company has met the 12 requirements above, they must complete regular self-assessment questionnaires (SAQs) and official attestations of compliance (AOCs). Full information on the compliance process is available through the PCI-DSS Resource Hub. 

The complexity of meeting the 12 requirements above and the type of assessments required are determined by where and how a company handles and stores sensitive credit card and customer data. Since every merchant and service provider will have a unique mix of systems and business practices, PCI compliance must be treated as a highly individual process for each company in order to ensure nothing slips through the cracks. 


Does Your ISO Need to Be PCI Compliant?

While most experienced independent sales organizations are very familiar with the importance of PCI compliance, some new ISOs occasionally question whether or not the PCI standards apply to them, since they’re generally not actually handling or storing end-customer credit card data.

While it’s true that PCI-DSS is designed primarily to help protect customer payment data being handled or stored by merchants, the PCI-SSC goes out of its way to make clear that PCI compliance is required not just for companies handling, transmitting, or storing payment data, but for all companies involved in payments as well – including processors, acquirers, and service providers. That wide net means that even brand new ISOs need to ensure they’re PCI compliant immediately. If your ISO doesn’t have the security expertise necessary to ensure compliance in-house, it’s a good idea to hire a firm to assist with it, since failure to comply could theoretically cost you hundreds of thousands of dollars in monthly fees. 

PayFacs vs. ISOs

Payment facilitators – the newer type of service provider walking the line between ISO and processor – arguably need to put even more importance on PCI compliance than independent sales organizations. Because PayFacs sign contracts directly with their merchants and, in effect, act as their processor, there is an even greater risk of being held accountable for hacks or data breaches resulting from failure to meet the 12 PCI requirements. 


What Does PCI Compliance Mean for Your Merchants?

Ensuring your independent sales organization meets PCI compliance standards is an important step towards minimizing your company’s liability, but helping ensure your merchants are PCI compliant should also be a high priority. Because your merchants handle and store customer payment data so regularly, it’s far more likely one of them will be the victim of a cyber attack and/or data breach than your ISO. Regardless of whether any potential liability could follow for your ISO, data breaches – and even just the fines for failing to comply – are exceptionally costly and could easily put one of your merchants out of business – drying up a revenue stream while simultaneously putting you on shakier ground with the card companies. As a result, it’s in your ISO’s best interest to ensure your merchants’ compliance is looked after. 

PCI Compliance Protects Your Merchants from Fines and the Costs Associated with a Data Breach

The card companies take PCI compliance very seriously, and for good reason. Unsurprisingly, companies that fail to comply face potentially steep fines. Merchants or payments companies caught failing to comply face penalties of up to $10,000 per month for the first three months of non-compliance, up to $25,000 for months four to six, and up to $100,000 per month for non-compliance lasting seven months or longer. All large ISOs ensure compliance to avoid these fines, but for an average merchant or new ISO, the consequences of non-compliance could easily be incredibly destructive. 

Beyond just the monthly fines levied by the card companies, failing to achieve PCI compliance greatly increases the risk of a data breach – an even more expensive proposition. According to IBM’s annual Cost of a Data Breach report, in 2022 the average data breach in the United States cost $9.44 million. While that number is certainly skewed by large breaches, particularly in health care, small businesses are regularly targeted by cyberattackers, and many merchants would have little to no chance of surviving a multi-million dollar breach. 

Simply put, failing to become PCI compliant is something neither your ISO nor your merchants can afford. 

PCI Compliance Assistance Is a Service Your Merchants Need

PCI compliance is complex, which means your merchants are highly likely to need education on it and assistance in completing it. Without education, many merchants won’t even know it’s expected of them, and without assistance, many well-intentioned merchants will fail to correctly secure their systems and processes – a big problem, since when it comes to the PCI-DSS, there are no part marks for getting it almost right. 

Your ISO should seriously consider launching an in-house PCI compliance program in which experts on your staff guide merchants and clear up any confusion they might have, or, at a minimum, find a partner company that can handle that job for you. You can make PCI compliance a paid service, but, if you do, take extra care to ensure your in-house team is made up of truly qualified PCI experts, since charging for the service could potentially expose your ISO to liability if a company you’ve advised still fails to meet the standard or, worse, falls victim to a data breach. A better option may be to simply offer PCI assistance as a value-added service included with your merchants’ payment processing package at no additional cost. 


You can also use software tools to help you monitor your portfolio’s PCI compliance to ensure non-compliant merchants don’t slip through the cracks and cause problems. For instance, IRIS CRM offers PCI compliance integrations that can help your ISO monitor the compliance status of your overall portfolio and each of your merchants individually. Reports update each morning to ensure that at-risk merchants can be identified as soon as a vulnerability arises. And, as a service provider, IRIS CRM is also fully PCI compliant, ensuring it’ll fit into your ISO’s tech stack seamlessly with no risk of PCI complication. 


To find out more about how IRIS CRM can help your ISO manage and promote PCI compliance, reach out to a member of the team or schedule a free guided demonstration today.