What Exactly Is PCI Compliance?
PCI compliance means adherence to the Payment Card Industry Data Security Standard (PCI DSS), which is maintained by the PCI Security Standards Council. Yes, it’s a mouthful of letters, and it refers to a set of contractual rules, not a law, that define a common baseline of security requirements for protecting payment account data. The council was created by the payment card industry’s founding members – American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc.
Small Merchants Are Easy Targets
Surprisingly, many small merchants believe they are safe and can relax on the security front because hackers only target big businesses with high sales. NOT TRUE!
Hackers have become more focused on small businesses that process or store payment card data. Larger merchants tend to have expensive and robust security mechanisms in place to protect against attacks, and that level of security is typically cost-prohibitive for small merchants. When searching for vulnerable targets, attackers are discovering that many small merchants don’t implement even the basic security measures required by the PCI DSS.
Hackers are actively targeting and compromising small merchant environments. Breaches often go undetected for extended periods of time because nobody is proactively monitoring the systems that touch card data, so the first sign of trouble is frequently a call from the bank or card brand about fraudulent transactions.
The Consequences of Non-PCI Compliance
Complying with PCI standards is NOT optional, and being non-compliant leaves exactly the gaps that lead to serious security breaches. Today’s attacks have become extremely sophisticated. Even if you don’t store credit card data, hackers target the points where that data passes through your systems: card readers, checkout pages, and the software in between. From there they can steal customer credit card information in transit.
Non-Compliance Fines and Fees
If a merchant experiences a security breach and is found to be non-compliant with PCI rules, they may be subject to fines. These fines are not assessed by the PCI Security Standards Council. The payment card brands penalize the merchant’s acquiring bank, and the bank then passes that cost along by assessing a fine on the non-compliant merchant.
These fines, levied by banks and card brands, can range anywhere from $5,000 to $500,000. Depending on the size and overall health of a business, being assessed one of these fines could be a mild annoyance, a major headache, or even the event that forces bankruptcy.
In addition to fines, credit card processors may also charge a monthly fee while a merchant is not compliant. It’s the responsibility of individual processors to validate their merchants’ compliance, and each processor chooses whether to charge a PCI non-compliance fee and how much. These fees typically range from $10 to $30 per month, but some processors charge as much as $100 per month.
To understand the financial liability of an organization’s non-compliance, businesses should consult their merchant account agreement and contact their payment card brands directly.
Non-Monetary Damages Related To PCI Compliance
The financial burden that comes along with a data breach is just the tip of the iceberg. The real cost is much higher once you consider how else a business is affected.
- Damage to Your Brand and Business Reputation. Consumers who use their credit cards to patronize a business place a high level of trust in an organization. That trust can be broken with a security incident. Regardless of the cause, a merchant should not claim to be the “victim” in a breach. Consumers aren’t likely to see a company as the victim if their personal data has been put at risk. According to Visa, “from a consumer’s perspective, the issue is relatively simple: ‘I gave my information to you, you exposed/lost it, and it’s your fault. Period.’”
- Bad Press. With the obsessive nature of 24-hour news and the abundance of social media outlets, the likelihood that a merchant will receive “bad press” is high. People will hear about a data breach no matter how small it may be. Unfortunately, once this information is posted online it stays there, and search engines WILL surface it again and again.
- Loss of Payment Card Privileges. Once a company suffers a data breach, the card brands (Visa, MasterCard, American Express and the others) and its acquiring bank can refuse to continue doing business with it. Most businesses are not prepared to operate on a cash-only basis, and for online commerce that simply isn’t an option.
- Your Time. A data breach pulls people away from the daily activities of running a business and forces an attention shift to the painful process of recovering from the event: working with forensic investigators, the bank, and the card brands, and rebuilding the affected systems. The individuals normally devoted to serving customers and overseeing operations will be delegating that work to others while they respond to the breach.
How Do I Know if I am PCI Compliant?
Many retailers believe an SSL certificate ensures their site is secure. It doesn’t. A certificate only encrypts the connection between the customer’s browser and your server; it says nothing about how card data is handled once it arrives, how your network and systems are configured, or whether anyone is watching for intrusions. Having an SSL certificate simply does not cut the mustard. Regardless of size and number of transactions processed, if you are a merchant that accepts, processes, stores or transmits cardholder data and you want to accept payments from any of the major credit card brands, you must comply with the PCI DSS.
Each of the card brand members has its own compliance program to protect its payment card account data. Merchants should contact their payment card brands directly for specific information about merchant levels and the validation requirements that apply to each. Also ask about assessment and reporting requirements, such as whether a self-assessment questionnaire is sufficient or whether quarterly scans by an Approved Scanning Vendor are required.
Additional information and resources can be found at the links below.
- How to Secure with the PCI Data Security Standard
- Assessing the Security of Your Cardholder Data
- Approved Scanning Vendors
The same technologies that make everyday business efficient create a field day for hackers looking to access sensitive information. Securing cardholder data is a challenge for any business that processes credit cards. A merchant taking “just a handful” of credit cards is no less obligated to protect consumer card data than a major retailer processing thousands of transactions a day. Do not wait until you are hacked to pay attention.