
What’s PCI compliance and why is it important?

Eitan Satmary VP Security

Paying and getting paid online can be intimidating, so you want to make sure the tool you’re using to handle your money meets the relevant security regulations and standards. When working with an online tool such as Melio, the first thing to check is PCI compliance.

In this guide, we’ll explain exactly what that means and why this is important.

Overview: PCI protects businesses and customers

No matter the size of a business, when you as a customer pay using a credit or debit card, the business is responsible for ensuring your information remains safe from data breaches, identity theft, and fraud.

What is PCI compliance?

To protect customer data, businesses should ensure they are PCI compliant. Following PCI requirements means implementing effective security standards that protect against common vulnerabilities and exploitation.

The Payment Card Industry Data Security Standard (PCI DSS) is the set of 12 security requirements businesses must follow to secure and protect cardholders’ data.

Frequently Asked Questions

Working with PCI-compliant providers allows you to pay using your credit card without worries. Let’s break down some of the most common questions related to PCI compliance so you can understand what it all means and why it’s important.

Who must be PCI compliant?

Any company that accepts, transmits, or stores a cardholder’s private information must be PCI compliant. It doesn’t matter how the business receives payments, whether it’s primarily through transactions from accounts payable software, customer credit card transactions, or another form of payment processing; PCI compliance is the baseline security standard. 

Here’s an example: let’s say you own a coffee shop and you’re looking for an easier way to pay your suppliers. You decide to use a digital B2B payments service to start paying your vendor, Calvin’s Coffee Beans.

If you use a card to pay them, the payments platform must be PCI-compliant. Digital payment solutions will often use third-party card processors, which should also be compliant. 

We’ll go into more detail on how you can tell if a company is secure and at which level.

Who mandates PCI compliance?

The Payment Card Industry Security Standards Council (PCI SSC) is made up of members from five major credit card companies, who established the rules and regulations known as PCI. 

The PCI SSC is responsible for enhancing security practices related to credit card transactions by overseeing PCI compliance and providing organizations with a range of resources.

Some of these include: 

  • Self-assessment questionnaires (SAQ), which help to validate compliance.
  • Lists for Qualified Security Assessors (QSAs), Payment Application Qualified Security Assessors (PA-QSAs), Approved Scanning Vendors (ASVs), and educational programs for Internal Security Assessors (ISAs).

The PCI SSC updates the compliance requirements periodically, with the most recent version released in March 2022.

Is PCI compliance required by law?

PCI DSS is a security standard, not a law, meaning compliance is not determined or enforced by the government. 

However, businesses that do not comply with PCI DSS may be subject to penalties and fines, which are built into the contract between merchants, payment processors, and card brands.

What happens if a merchant is not PCI compliant?

When you work with a tool that’s not PCI compliant, you are putting your sensitive information at risk and you are exposed to sanctions by the major payment brands.

How can I tell if a company is PCI-compliant?

Certified companies that handle card data will have a security section on their website detailing the security standards they follow and their level of PCI compliance. An attestation of compliance (AOC) must also be presented by the merchant or service provider.

You’ll typically see PCI’s message and logo at the bottom of the webpage when prompted to enter any sensitive information.

Melio’s security information can easily be found on our website and help center.  

Next, let’s take a look at how Melio protects your data.

How Melio protects you

Is Melio PCI compliant?

Melio’s top priority is to be the safest and most secure platform available.

Melio is fully compliant with PCI DSS. We use a third-party card processor that is a certified Level 1 PCI Compliant Service Provider (the highest level), and we don’t store any sensitive credit card information on our servers.

To ensure top-level security, Melio and its third-party card processor test the system daily (manually and automatically).

Next, we’ll cover the different levels of compliance so you can get a better understanding of Melio’s security level.

The 4 levels of compliance

PCI compliance is split into four different levels depending on the number of transactions businesses handle annually.

Figure: The four levels of PCI DSS compliance.

To comply with PCI DSS, level 1 merchants must have a qualified security assessor (QSA) or internal security assessor (ISA) perform an onsite audit every year. The assessor reviews the PCI requirements against the findings from the onsite audit to complete an annual report on compliance.

Levels 2, 3, and 4 can achieve PCI compliance simply by completing the SAQ and meeting the corresponding requirements.

Many companies such as Melio utilize merchant banks and third-party services that handle much of their PCI compliance requirements. It is still the business’s responsibility to ensure any third parties they work with on credit card transactions are PCI compliant.

What are the PCI requirements?

The PCI-DSS requirements are broken down into six distinct goals, each of which can be further expanded to cover the 12 requirements of the PCI-DSS.

  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

12 major requirements define PCI compliance:

Figure: All 12 compliance requirements.

How to become PCI Compliant

As a small business, even if you do accept credit card payments, you are using a third party to process those payments. Before you choose a processor, check whether they are PCI compliant. You probably don’t need to become a compliant organization yourself, but in case you wonder how companies become one, we’re here to clarify.

Organizations can become PCI-compliant by following this process:

  1. Determine PCI level – find out the number of transactions processed annually. Each of the five payment card brands (American Express, Discover, JCB, Mastercard and Visa) has its own thresholds for the levels of PCI DSS compliance. But generally speaking, the goal is to meet the criteria of all of them.  
  2. Map the flow of cardholder data – including applications, systems, and people who work with credit card data. All credit payment platforms and storage systems that hold card data must be included. This is usually done with the assistance of IT and R&D departments. 
  3. Fill out the Self-Assessment Questionnaire (SAQ) – the SAQ is a tool used to validate PCI compliance, which checks if a business meets each of the 12 requirements listed above. Businesses must meet all the requirements to be compliant. PCI Level 1 businesses need a PCI-approved auditor to validate their compliance.
  4. Fill out the Attestation of Compliance (AOC) – this document differs according to the PCI compliance level of a business. AOC ensures every PCI compliance step is fulfilled.
  5. Conduct a vulnerability scan – businesses use approved scanning vendors (ASVs) to scan for security vulnerabilities and make sure they meet all standards. 
  6. Submit documents – including AOC, SAQ, and ASV reports to banks, credit card companies, etc.
  7. Monitoring – the business, its infrastructure, and its data may change between one security scan and the next. Therefore, it is necessary to monitor compliance on an ongoing basis throughout the year. There should be a security team responsible for monitoring and responding to vulnerabilities and threats.

Be sure your payments are secure

It’s important to work with providers that follow PCI compliance. When you work with a tool like Melio to make payments, you can trust that your sensitive information remains secure, keeping the payment experience stress-free.

Security is one of the most important priorities at Melio.

*This guide is intended for informational purposes only and is not intended as financial advice.
**Melio does not provide legal, tax or accounting advice, and you should consult with a professional advisor before making any financial decisions.