If you, as a merchant that offers credit card payments, do not know about PCI compliance, it can be vitally important that you rectify this as soon as possible. Any merchant that offers credit card payments needs to be PCI compliant. In order to be PCI compliant, it pays to know more about the regulations required in the PCI DSS. Here are some of the most important details about PCI compliance.
PCI compliance is the merchant’s responsibility
The PCI DSS rules apply to any organization that accepts, transmits or stores any cardholder data. Regardless of the size of your business or the frequency at which you accept payments, even if you accept one single payment, if you handle cardholder data at any point during the transaction you are expected to be PCI compliant.
Furthermore, you are expected to be responsible for the PCI compliance of any and every vendor that your business uses. This includes third-party credit card processors, service providers and software providers. You are also considered responsible for the compliance of any company or individual that you hire.
It is important to ensure that every aspect of your business, from your own IT department to your service providers, are all PCI complaint to avoid the blame falling on you should a security breach occur.
Repercussions of non-compliance
Merchants who fail to comply with PCI standards may be subject to fines. Merchants may also have to pay card replacement costs, forensic audits, brand damage fees, and other costs associated with the fallout of a data security breach. These fines and fees are issued at the payment brand’s discretion. Non-compliance could also result in the merchant’s acquiring bank or payment processor raising their fees (due to higher risk evaluations) or terminating the account completely.
Levels of PCI compliance
There are different levels of PCI compliance requirements for merchants depending on their transaction volumes. Level 1 merchants are businesses who process over 6 million transactions per year, while Level 2 merchants process between 1 million and 6 million transactions per year. Level 3 and Level 4 merchants have similar requirements, with Level 3 merchants being any business processing between 20 000 to 1 million eCommerce transactions per year, and Level 4 merchants being those who process less than 20 000 eCommerce transactions per year and all types of transactions up to 1 million per year. The more transactions per year for a merchant, the higher their security risk and thus their higher level of PCI compliance requirements.
PCI DSS 3.2 update
Since February 2018, merchants are required to use multi-factor authentication as part of remaining PCI compliant. Multi-factor authentication is required to system administration and all actions that involve access to a Cardholder Data Environment, especially with remote access systems.
For more information about PCI compliance or to sign up for a merchant account, please call (888) 924-2743 or go to Charge.com.