Small business owners and others who have recently begun accepting credit card payments may have heard the term PCI compliance. But, not all of us know exactly what it means or how it can impact our businesses. Non-compliance is risky, potentially leading to financial loss, reputational damage, and the loss of ability to accept card payments.
What Is PCI Compliance?
PCI (payment card industry) is a set of security standards known more formally as PCI DSS (data security standards). These regulations have been formulated to ensure that credit card transactions conducted by all organizations that accept, store, and process or transmit card information data do so in a secure manner and environment.
These standards are mandated by the leading card brands and monitored/regulated by the PCI security standards council. This council was formed in 2006 by the main card companies at the time: American Express, MasterCard, Visa, Discover and JCB. The council holds itself independent of these founding council members, however.
PCI compliance applies to all organizations that deal with, transmit, or process cardholder data regardless of the business’s size, nature the of the business, the volume of transactions, or any other factors. There are four levels of compliance based on the volume of transactions and the risk level of your business as assessed by the card brands.
There are 12 areas of requirement mandated by the PCI DSS:
- Protect card-holder data via firewall installation and maintenance
- Avoid vendor-supplied default passwords and security parameters
- Stored card-holder data protection
- Transmission of card-holder data across open/public networks must be encrypted
- Regular updating of anti-virus software
- Secure systems and apps
- Card-holder data access must be restricted to a need-to-know basis by assignment of unique ID
- Install tracking systems to monitor access to network resources/card-holder data
- Restriction of access to physical access to sensitive data
- Regular testing of all security systems/processes
- Development of a robust information security policy
- Maintaining a vulnerability management protocol
Risks of Non-Compliance
Studies show that while most companies are initially compliant, only 11% maintain inter-assessment compliance. Compliance requires regular evaluation and monitoring. Merchants have to ensure that the security aspects and procedures are in keeping with the PCI DSS regulations. These regulations are frequently updated in keeping with advances in technology and business realities. New versions, for instance, have unique identification for third parties and contractors and advanced penetration testing methodologies.
If your organization does not comply with PCI, the risks can be quite significant:
- Monthly penalties ranging between $500 – $100,000
- Negative impact on reputation
- Termination of relationship with bank/card-processing company
- Legal action by clients suffering data breach
- Revenue loss
- In the case of large companies with high transaction volumes, non-compliance can attract federal audits
Though formal validation is not required or legally mandated in several locations across the globe, failure to comply can still result in penalties in case of a breach. Compliant organizations are protected from liability in such cases.
For more information on PCI Compliance Explained or to sign up for a merchant account, please call (888) 924-2743 or go to Charge.com.