Accept Credit Cards? PCI Compliance Can Avert Breaches and Fines

Businesses were hit by 3,141 data breaches in 2015, and those are just the confirmed cases. As everyone knows, cyberattacks are on the rise, and each incident can damage both finances and reputations.

If your business accepts credit cards – or any form of payment card – card security compliance can help you beat the breach odds and avoid financial penalties. Meeting the industry’s PCI security standard is straightforward, and a smooth rollout is within reach if you follow the requirements.

Who Controls PCI – and What it Means for Your Business

The Payment Card Industry Data Security Standard, commonly referred to as PCI DSS or simply PCI, is a set of information security standards that is meant to cut the risk that cardholder data becomes compromised. It’s administered and managed by an independent group but enforced by the major card brands.

Businesses that don’t comply with the standard can expose themselves to significant financial risk. They can be hit with non-compliance fines that range from $5,000 to $100,000 per month, and in the event of a breach, an additional $50 to $90 for each cardholder whose data was compromised. The consequences may also include losing the ability to process credit card payments. On top of that, they may jeopardize customers’ trust that it’s safe to do business with them.

PCI DSS requires all businesses to:

  • Build and maintain a secure network and systems
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures 
  • Regularly monitor and test networks
  • Maintain an information security policy

For more detail on these steps, see the checklist below.

Compliance is a Project – But There’s Help

As you delve into making sure you’re PCI-compliant, you may want to enlist the help of third-party partners. Start by exploring the PCI solutions your acquiring bank and payment processor offer. There are also vendors that specialize in this area. And look at what service providers, such as your web hosting company, may be able to contribute. While all of these experts can help remove the guesswork and simplify the process, no one can sell you a silver bullet. Performing your own due diligence is critical to ensuring that all the components you choose will meet your needs.

Regardless of how you meet PCI requirements, you’ll also have to validate your compliance. Validation demands depend on your merchant level, which is primarily determined by how you accept payments (i.e., e-commerce vs. card-present transactions) and the volume of card transactions you process over 12 months. Other considerations, such as whether your business has previously suffered a data breach, also factor into determining your merchant level. Be sure to check with your acquiring bank, payment processor or security solution provider to confirm your status.

Based on your merchant level, validation requirements can include completing an annual self-assessment questionnaire or enlisting a qualified security assessor to conduct an on-site audit of your information security practices. You may also need to partner with an approved scanning vendor to run a quarterly network vulnerability scan and submit an attestation of compliance form.

Ensuring your business is PCI-compliant requires an investment in time and resources, but it may save you from becoming another data breach statistic. Requirements, compliance guidance and updates are available in the standards group’s latest Quick Reference Guide for the current version, PCI DSS 3.2.

For more information on PCI compliance, contact your SVB Global Treasury and Payments Advisor.  

Checklist: Your 13 Must-Do Tasks to Meet the PCI DSS 3.2 Standard

Build and maintain a secure network and systems
  • Install and maintain a firewall configuration to protect cardholder data.
  • Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect cardholder data
  • Protect stored cardholder data.
  • Encrypt transmission of cardholder data across open, public networks.
Maintain a vulnerability management program
  • Protect all systems against malware and regularly update antivirus software or programs.
  • Develop and maintain secure systems and applications.
Implement strong access control measures
  • Restrict access to cardholder data on a need-to-know basis.
  • Identify and authenticate access to system components.
  • Restrict physical access to cardholder data.
Regularly monitor and test networks
  • Track and monitor all access to network resources and cardholder data.
  • Regularly test security systems and processes.
Maintain an information security policy
  • Maintain a policy that addresses information security for all personnel.
  • Make the policy accessible for all employees to reference as needed.

Check out the PCI Security Standards Document Library for in-depth details. Your SVB Global Treasury and Payments Advisor can also connect you with helpful resources.


©SVB Financial Group. All rights reserved. Silicon Valley Bank is a member of the FDIC and of the Federal Reserve System. Silicon Valley Bank is the California bank subsidiary of SVB Financial Group (Nasdaq: SIVB). SVB, SVB FINANCIAL GROUP, SILICON VALLEY BANK, MAKE NEXT HAPPEN NOW and the chevron device are trademarks of SVB Financial Group, used under license.

About the Author

Jonathan Fuller is a global treasury and payments advisor with SVB’s Global Merchant Services team. A long-time resident of Massachusetts, Jonathan is based in SVB’s Newton office where he advises clients on the many merchant services and payment capabilities available through SVB. Known for his expertise in payments, e-payments and credit card solutions, Jonathan has a passion for helping clients develop their ecommerce payment strategy, especially in global marketplaces such as the U.S., Europe, Asia and Latin America. With more than 10 years of experience helping U.S. companies expand and accept payments outside the U.S., Jonathan is uniquely qualified to guide and advise SVB clients on the best solutions for their payment needs, and ways to monetize their products and services through payment features.

Prior to joining SVB, Jonathan held senior positions with global payment companies such as Vantiv, Adyen, RBS WorldPay and Chase Paymentech. Over the course of his career, Jonathan has gained not only a breadth of knowledge of both U.S. and non-U.S. payments, but also deep knowledge of international cross-border payment solutions.

Jonathan holds a bachelor’s degree from Framingham State University, is an active member in fintech and payments industry groups, and regularly attends industry events to share his knowledge and gather new learnings to enhance the guidance he can offer clients. When not working, Jonathan is active in the local community and coaches baseball and basketball.