The goal of PCI compliance is to protect yourself, your business, and your customers from identity theft and other forms of credit card fraud. At a more basic level, compliance secures your revenue streams, because Visa refuses to transact with any processor that isn’t compliant.
Things become even more complicated, because there’s no actual documentation of compliance. The PCI Council doesn’t issue certificates. It doesn’t even assess or enforce compliance itself – it relies on third-party Qualified Security Assessors (QSAs). In the past, both PCI and the credit card networks posted lists of compliant partners on their websites. But with thousands of payment processors in the US alone, it’s no longer practical for any of these organizations to maintain a verified list.
Validating PCI Compliance
So how do you know the company you’re working with follows the rules? You could ask. You can also review your payment processor’s website to see if there’s any mention of PCI. A more thorough option is to study the 12 PCI recommendations for yourself and then ask questions based on them.
You could – for instance – ask about the last time they updated their firewall. Or ask for a copy of their cyber-security policy documents – PCI requires that they have these in writing. If you have the tech savvy to understand it, you could ask what type of encryption they use, and dig into the details.
If you’re not a programmer, you could come at it from another angle. Look at your payment processor’s customer list. If they have law firms, media outlets, or tech companies listed, they’re probably compliant, because those companies wouldn’t risk it.
While you’re at it, you could consider assessing your own business for compliance. It’s not legally required, but it’s good practice, and payment processors typically require it. You could review your in-house security protocol against the 12 recommendations, or you could download a self-assessment form from the PCI website and use it to audit your data security practices. Every little bit helps.