If your business accepts credit card payments, you’ve probably heard the term “PCI compliant” before. But what do you need to do to be PCI compliant and how does it benefit you as a merchant?
PCI compliance is a lot like exercising regularly for your credit card processing. Although it takes effort to achieve and can be a bit annoying, the benefits are worthwhile. It also cannot be achieved in one sitting; PCI compliance is an ongoing effort to prevent fraud and data breaches.
A Brief Overview of PCI DSS
PCI compliance refers to the Payment Card Industry Data Security Standard (PCI DSS), a standard set by the major credit card brands to establish a common baseline of data protection for businesses that accept credit cards. It consolidated several separate card-brand security programs when the first version of PCI DSS was released in 2004. Compliance is validated annually by either a Report on Compliance (ROC) or a Self-Assessment Questionnaire (SAQ), depending on the volume of card transactions the organization handles.
What is PCI Compliance Made Up Of?
PCI compliance is made up of a lot of steps and best practices to prevent fraud as much as possible, and should be treated as an ongoing commitment, not a one-time project. Here is a quick list of what is expected:
1. Secure your network.
This includes installing a firewall to protect cardholder data and replacing vendor-supplied default passwords and security settings, which are easy to guess.
2. Protect the data of your cardholders.
This includes storing cardholder data securely (or, better, not storing it at all) and encrypting it when it is transmitted over networks, where it is most exposed to attack.
3. Keep systems safe and up-to-date.
This means keeping your systems free of malware by using anti-virus software, applying updates, and maintaining secure configurations (changing passwords regularly, etc.).
4. Restrict the access to data.
This means limiting the number of people who come into contact with sensitive data and putting controlled access points, both electronic and physical, in front of that data.
5. Keep your network in good standing.
If your business runs a network, monitor the activity that occurs on it. Regularly testing that your systems and connections are secure is very important.
6. Make security a business-wide policy.
Ensuring that both you and your employees are aware of the best security practices is also vital. If you know how to keep things safe but your cashier doesn’t, then the efforts made could be in vain.
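Items 2 and 5 above (protect cardholder data, monitor your network) come together in one practical check: making sure full card numbers never end up in plain text in application logs. The script below is an added example written for this article; it is not code from the article, from VMS, or from Trustwave. It assumes that any run of 13 to 19 digits passing the Luhn check is treated as a candidate primary account number (PAN), and that a masked number may show at most the first six and last four digits, which is the display format PCI DSS permits. The sample log lines are constructed, and the card numbers in them are Luhn-valid test patterns, not real accounts.

```python
"""Detect and mask primary account numbers (PANs) in log text.

Added example, not from the original article or from any vendor named in it.
Assumptions: a 13-19 digit run that passes the Luhn check is a PAN candidate,
and masking keeps only the first six and last four digits.
"""
import re
from typing import List, Tuple

# A run of 13-19 digits, allowing a single space or dash between digits,
# not preceded or followed by another digit.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN for display: keep first six and last four, star the rest."""
    if len(digits) < 13:
        raise ValueError("too short to be a PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _digits_only(candidate: str) -> str:
    """Strip the spaces and dashes a regex match may contain."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[Tuple[str, str]]:
    """Return (raw_match, digits) pairs for Luhn-valid PAN candidates in text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append((m.group(0), digits))
    return found


def redact_line(line: str) -> str:
    """Replace every detected PAN in a log line with its masked form."""
    def _sub(m) -> str:
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group(0)   # long digit run that fails Luhn: leave it alone
    return PAN_CANDIDATE.sub(_sub, line)


def scan_log(lines: List[str]) -> Tuple[int, List[str]]:
    """Return (number_of_pans_found, redacted_lines) for a list of log lines."""
    hits = 0
    out = []
    for line in lines:
        hits += len(find_pans(line))
        out.append(redact_line(line))
    return hits, out


# Constructed sample lines; 4111111111111111 and 5500 0000 0000 0004 are
# Luhn-valid test patterns, not real card numbers.
SAMPLE_LOG = [
    "2024-01-05 10:02:11 INFO checkout ok order=1234 card=4111111111111111 amount=19.99",
    "2024-01-05 10:03:40 DEBUG gateway payload pan=5500 0000 0000 0004 exp=12/27",
    "2024-01-05 10:04:02 INFO order=1235 phone=5551234567 total=4.50",
]

if __name__ == "__main__":
    count, cleaned = scan_log(SAMPLE_LOG)
    print(f"{count} PAN(s) found")
    for entry in cleaned:
        print(entry)
```

Running the script reports two PANs in the constructed sample and prints the lines with those numbers masked, while the ten-digit phone number on the third line is left untouched because it is too short to be a card number. The Luhn check is only a filter against false positives; a long digit run that passes it is not guaranteed to be a card number, so a finding should be reviewed rather than taken as proof of a breach.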
Why Become PCI Compliant?
As soon as you start accepting credit card payments, you are required to sign an agreement to follow the Payment Card Industry (PCI) Data Security Standards. This is basically an agreement to protect the cardholder data you collect from your customers by following some basic security measures.
Becoming PCI Compliant can have benefits beyond just saying “Whoopee. I’m compliant!” Besides having increased security for your business, your customers will appreciate your efforts in keeping their data safe. You will be better prepared to become compliant for other regulations such as HIPAA if that applies. Also, a lot of bad things can happen if you are not compliant. The mildest form of this is that your provider could charge you a non-compliance fee in order to encourage you to fill out the questionnaire. If you suffer a data breach, the credit card companies will distance themselves from you and blame your poor security measures. They can also fine you, possibly sue you, and your merchant account may be cancelled with your business blacklisted on the MATCH database, making it difficult to take credit cards in the future.
Let me say that once more: Any breach of the PCI security requirements may subject you to a hefty fine of between $5,000 and $100,000 per month and a loss of your ability to complete credit card transactions. It also violates the trust between you and your customers, meaning you could lose their business. According to Privacy Rights Clearing House, "80% of small businesses go bankrupt or experience severe financial difficulties within two years of a breach".
What PCI Compliance Means to Your Merchant Account
Your merchant account provider wants you to be PCI compliant. Not only does it help you out, but it keeps them safe too. You can therefore expect a lot of encouragement from your provider if you are not compliant, and possibly a fee for ignoring those requests. It is in your best interest to follow up with them and get PCI compliant when they ask, so that you avoid such fees.
When you do become PCI compliant, many providers will offer validation and breach assistance or insurance. For example, VMS offers coverage up to $50,000 for breaches when the business is correctly PCI compliant and registered.
[Screenshot: one way to become PCI compliant is to fill out an assessment of your business security procedures via an online questionnaire. Source: Trustwave]
How Do I Become PCI Compliant?
The process of becoming PCI compliant can be complicated if you're not sure how to approach it. The instructions should come from your account provider. If you are a smaller business, you may be given a link to go online to a website like trustwave.com that will walk you through the questions in a more manageable way.
Preparing your business to qualify as PCI compliant is broken up into three phases: Assess, Remediate, and Report. The Assess phase involves taking stock of every piece of technology that handles payment processing and examining it for possible vulnerabilities. Remediate is when you fix the issues found in the Assess phase. Report is filling out the Self-Assessment Questionnaire (SAQ) to validate that you have taken the steps necessary to prevent data breaches. All three phases should be repeated, maintaining constant vigilance to keep your business and customer data secure.
PCI DSS, or PCI compliance, is something you should seriously consider doing if you accept credit cards at your business. If you are looking for more information about becoming PCI compliant, you can call us at (888) 902-6227 or email firstname.lastname@example.org. Here are some additional resources on the topic: