
PCI DSS – Its Relevance to Card Schemes and FinTechs

Jan 05, 2023   •   by Davidson Oturu   •   Source: Aelex

With the advances made in the payment systems space over the last few years, goods and services are frequently purchased with payment cards. Whether you are swiping, inserting, or tapping your card on a reader, payment cards have transformed the way we transact business. Vendors or merchants who accept payment cards usually enter into contracts with payment processors and banks for the processing of payments through their channels. One of the key conditions in these contracts is that the vendor/merchant must be compliant with the Payment Card Industry Data Security Standard ("PCI DSS").

The question that logically follows is: what is the PCI DSS? In this article we explain what the PCI DSS is, the requirements that must be met to comply with the standard, and the consequences of breaching the PCI DSS.

 

What is the PCI DSS?

The PCI DSS is the set of operational and technical requirements for organisations accepting or processing payment transactions, and for software developers and manufacturers of applications and devices used in those transactions [1]. It is a unified set of security requirements aimed at keeping cardholder data secure from data breaches and financial fraud [2].

 

The PCI DSS is set by the Payment Card Industry Security Standards Council ("PCI SSC"), founded by American Express, Discover, JCB International, MasterCard and Visa Inc. The PCI SSC helps merchants and financial institutions to:

  1. understand and implement standards for security policies;
  2. understand technologies and ongoing processes that protect their payment systems from breaches and theft of cardholder data; and
  3. understand and implement standards for creating secure payment solutions [3].

 

Who does it apply to?

The PCI DSS is applicable to every entity that processes or accepts payment cards. It also applies to entities that store, transmit or process cardholder data or authentication data, such as Know Your Customer data for cardholders [4]. There is no exception to its application: even merchants who process small volumes of transactions are expected to comply with the standard.

 

There have been arguments made in some quarters that since the PCI DSS is not a legal obligation or legal requirement, compliance should be optional. However, as stated earlier in this article, vendors are required to comply with all their contractual obligations, including fulfilling any obligations related to PCI DSS. Furthermore, complying with the PCI DSS signals that the entity has exercised reasonable care in performing its functions and can be used as a strong defence should allegations of data breaches be levied against the organisation.

 

In Nigeria, the Central Bank of Nigeria ("CBN") makes compliance with the PCI DSS mandatory for card schemes, payment gateways, payment processors and other relevant stakeholders in the ecosystem.

 

The Guidelines on Operations of Electronic Payment Channels in Nigeria, as well as the Guidelines for Card Issuance and Usage in Nigeria, stipulate that all industry stakeholders who process and/or store cardholder information shall ensure that their applications and processing systems comply with the minimum requirements and standards, the minimum standard being PCI DSS certification [5]. This brings a lot of fintech companies within this umbrella, as they process and store cardholder information to consummate transactions.

 

PCI DSS Requirements

The PCI DSS is divided into 6 goals and an entity must achieve each goal to be PCI DSS compliant. To realize the goals, 12 requirements must be met.

 

The six goals (S/N 1 to 6) and the requirements under each are as follows:

Goal 1: Implement Strong Access Control Measures
  1. Restrict access to cardholder data. Access to data should be on a business need-to-know basis.
  2. Restrict physical access to cardholder data.
  3. Assign a unique ID to each person who has computer access to cardholder data.

Goal 2: Maintain a Vulnerability Management Program
  1. Use anti-virus and anti-malware software, and keep it up to date.
  2. Develop and maintain secure systems and applications.

Goal 3: Build and Maintain a Secure Network
  1. Install and maintain firewalls to protect cardholder data.
  2. Do not use third-party system passwords or vendor-supplied defaults for system passwords and other security parameters.

Goal 4: Regularly Monitor and Test Networks
  1. Track and monitor all access to network resources and cardholder data.
  2. Regularly test security systems and processes.

Goal 5: Protect Cardholder Data
  1. Protect stored cardholder data.
  2. Encrypt transmission of cardholder data across open, public networks.

Goal 6: Maintain an Information Security Policy
  1. Maintain a policy that addresses information security for employees and contractors [6].

 

The PCI SSC does not itself enforce compliance with the goals and requirements; compliance is usually enforced through contracts with payment processors and banks, as stated earlier in this article. However, the PCI SSC recommends a three-step process for compliance [7], and has accredited assessors who can assess whether an entity is compliant with the standard. Where an entity cannot afford to hire an assessor, the PCI SSC has self-assessment forms and procedures for organisations and companies that want to implement the standard.

 

The PCI SSC recommends that entities should not treat compliance as an annual event; rather, they should monitor compliance continuously to maximise the security of the cardholder data the entity possesses [8]. In Nigeria, non-compliance with the PCI DSS will attract appropriate sanctions from the CBN [9]. Therefore, to avoid such penalties, merchants and entities should ensure they are compliant with the standard.

 

Consequences of Breaching the PCI DSS

Though some countries are considering giving the standard legal force (Nigeria's CBN has already made compliance mandatory), there are also practical consequences that push entities into obeying the requirements of the standard. They include the following:

 

Fines

Major payment processors or card schemes like MasterCard or Visa have a schedule of fines that are meted out to entities that are non-compliant with the PCI DSS. Some contracts that the payment card brands have with entities that process cardholder data even specify that a fine can be imposed where it appears that a breach is likely to occur. Also, non-compliance or a breach of the standard in Nigeria will attract fines from the CBN.

 

Costs

Where a data breach occurs, the contract the entity entered into with a payment card brand or bank may stipulate that the company or organisation must carry out an audit to investigate whether or not it is PCI DSS compliant. Such investigations are expensive, and small merchants may suffer heavy losses from the investigative costs alone. Entities can also incur hardening and demonstration costs after a data breach, as the contracts or agreements will most likely oblige them to report the breach, engage with the card brand or bank, and show how they have rectified it.

 

Conclusion

All entities that handle cardholder data should be aware of the PCI DSS and strive to be compliant with the standard. The cost of compliance is outweighed by the consequences of breaching the standard, and entities should limit their liability for data breaches as much as possible by adhering to the PCI DSS and using that adherence as a measure of how responsibly they handle all the cardholder data they store or process.

Footnotes

  1. https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security Accessed 11 November 2020.
  2. https://www.lexology.com/library/detail.aspx?g=6c3deb36-5832-4e2c-80a0-c25f97d39a9a Accessed 11 November 2020.
  3. https://www.pcisecuritystandards.org/pci_security/ Accessed 11 November 2020.
  4. https://www.lexology.com/library/detail.aspx?g=94f604cc-acac-4d26-ac74-b9e329db1067 Accessed 11 November 2020.
  5. Paragraph 3.2
  6. https://www.pcisecuritystandards.org/merchants/process Accessed 12 November 2020. For a more detailed version of the goals and the requirements of the PCI DSS see the current version of the Standards here.
  7. https://www.pcisecuritystandards.org/pci_security/how Accessed 12 November 2020.
  8. https://www.pcisecuritystandards.org/pci_security/how Accessed 12 November 2020.
  9. Paragraph 4.10 of the Guidelines on Operations of Electronic Payment Channels in Nigeria.
