25.02.2022

What is PCI Compliance?

PCI compliance is the process of assessing your business practices against the Payment Card Industry Data Security Standard (PCI DSS), which is published by the Payment Card Industry Security Standards Council (PCI SSC), a body formed by the major card brands to increase payment security and reduce fraud globally. The goal of PCI compliance is to ensure that every system that stores, processes or transmits cardholder data, and every system connected to one that does, meets a defined baseline of security controls. PCI DSS is not a law; it is enforced through the contracts between merchants, their acquiring banks and the card brands. Failure to meet the standard can result in fines levied by the card brands and passed on by the acquirer, higher transaction fees, and loss of the ability to accept cards; a breach of unprotected card data can additionally expose the business to regulatory action and civil liability under data-protection law.

Why is PCI compliance Important?

For businesses that store, process or transmit credit card data, it's critical to maintain PCI compliance and secure payment data to prevent theft and minimize the risk of fines and legal action. PCI DSS, created by the Payment Card Industry Security Standards Council, sets out 12 requirements that every in-scope organization must meet. The 12 requirements are grouped under six goals:

  • Goal 1 - Build and Maintain a Secure Network and Systems
  • Goal 2 - Protect Cardholder Data
  • Goal 3 - Maintain a Vulnerability Management Program
  • Goal 4 - Implement Strong Access Control Measures
  • Goal 5 - Regularly Monitor and Test Networks
  • Goal 6 - Maintain an Information Security Policy
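One concrete control behind "Protect Cardholder Data" is that the primary account number (PAN) must never sit unprotected in logs or files, and when it is displayed it may show at most the first six and last four digits. A common scoping check is therefore to sweep application logs for Luhn-valid card numbers and mask any that are found. The script below is an added example written for this article, not code from the original page or from the PCI SSC. The log lines are constructed for the example, the function names are the author's own, and the two card numbers it finds are the widely published Visa and Mastercard test numbers, not real accounts:

```python
import re

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run. Wide on purpose; the Luhn check filters the noise.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines for the example. The card numbers are the well-known
# Visa and Mastercard test PANs; the 16-digit "ref" value fails the Luhn check.
LOG_LINES = [
    "2022-02-25T10:01:03Z checkout ok order=8839201 pan=4111 1111 1111 1111 exp=09/24",
    "2022-02-25T10:01:09Z gateway rsp card=5555-5555-5555-4444 auth=A17Q",
    "2022-02-25T10:02:11Z support note: customer phone +44 20 7946 0958, ref 1234567890123456",
]


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check digit test; weeds out order IDs, timestamps and reference numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_of(match_text: str) -> str:
    """Strip the separators the regex allowed so Luhn and masking see only digits."""
    return re.sub(r"[ -]", "", match_text)


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS allows on a display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return every Luhn-valid PAN (digits only) found in one log line."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = _digits_of(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def redact(text: str) -> str:
    """Replace each Luhn-valid PAN in a line with its masked form; leave other digit runs alone."""
    def repl(m):
        digits = _digits_of(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group()
    return PAN_RE.sub(repl, text)


def scan_logs(lines) -> list:
    """Return (1-based line number, PANs) for every line that carries a Luhn-valid PAN."""
    findings = []
    for n, line in enumerate(lines, start=1):
        pans = find_pans(line)
        if pans:
            findings.append((n, pans))
    return findings


if __name__ == "__main__":
    for n, pans in scan_logs(LOG_LINES):
        print(f"line {n}: {len(pans)} PAN(s) -> {[mask_pan(p) for p in pans]}")
    for line in LOG_LINES:
        print(redact(line))
```

Run against the sample, the first two lines are flagged and the third is not: the phone number is too short and the 16-digit reference fails Luhn, which is exactly the false positive a bare digit-run regex would raise. The masking keeps six leading digits, which is the PCI DSS 3.x display rule; PCI DSS 4.0 permits a longer BIN to be shown where there is a documented business need, so adjust `mask_pan` to your assessor's reading. A sweep like this finds PANs written in the clear and nothing else: numbers split across fields, encoded, or compressed will not match, so treat it as one check among several, not as proof that logs are clean.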

How a merchant demonstrates compliance depends on its merchant level, which the card brands set by annual transaction volume, and on how it accepts cards. A small merchant typically completes an annual Self-Assessment Questionnaire (SAQ) whose type matches its payment channel (for example SAQ A for a fully outsourced e-commerce checkout) and, where the SAQ requires it, passes quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). Buying a TLS (formerly SSL) certificate does not by itself make a merchant compliant: it addresses only the requirement to encrypt cardholder data in transit over public networks. The largest merchants (Level 1) need an annual on-site assessment by a Qualified Security Assessor (QSA) or a qualified Internal Security Assessor, resulting in a Report on Compliance; they often also work with third-party organizations that specialize in PCI compliance for 24/7 security operations center monitoring and for the equipment, tools and support needed by the systems that fall within PCI scope.

How much does it cost?

The cost of maintaining PCI compliance varies widely with how much cardholder data your business handles and how it handles it (a fully outsourced checkout that never touches a card number is far cheaper to assess than a system that stores card numbers), and with the volume of transactions, which sets your merchant level and therefore whether a self-assessment or a QSA audit is required. Larger merchants that handle high volumes of card transactions or accept credit cards online will often pay thousands of dollars per year in assessor fees, scanning and tooling to maintain compliance.

What are the penalties for non-compliance?

Penalties for non-compliance can be severe. The card brands impose fines on acquiring banks for merchants found non-compliant, and the acquirer passes them on to the merchant; after a breach, the costs of forensic investigation, card reissuance and fraud reimbursement can reach into the millions of dollars. The acquirer also has the right to terminate your merchant account, which stops all card processing immediately. The cost of maintaining PCI compliance is far lower than the potential costs incurred by non-compliance.

What if I use paid card processors?

Even if you outsource payment processing, you remain responsible for protecting cardholder data and for your own compliance. Outsourcing reduces your scope rather than removing it: a hosted payment page or iframe checkout that keeps card numbers off your systems can qualify you for the shortest questionnaire (SAQ A), but you must still confirm that the processor is itself PCI DSS compliant (the card brands publish lists of validated service providers), keep a written agreement that sets out which requirements each party is responsible for, and secure what remains in your scope, in particular the web server that sends customers to the processor, because tampering with that redirect is a common way card data is stolen from "outsourced" checkouts. Small businesses can often maintain compliance at little extra cost by choosing a processor whose hosted checkout supports SAQ A.

What if I have a brick and mortar store?

Even businesses that do not take card payments online must maintain PCI compliance if they accept cards in person, for example through a point-of-sale terminal or a card reader attached to a phone or tablet. In that case the terminals, the network they connect to and any receipts or records that carry card numbers are in scope. Cash-only transactions, such as selling items at an auction or garage sale, are outside PCI DSS entirely. The PCI Security Standards Council publishes payment protection resources written for small brick and mortar stores to help them conduct business safely.

Does PCI compliance make me secure?

It sets a floor. PCI DSS is a set of security requirements established by the Payment Card Industry Security Standards Council to ensure that all companies that store, process or transmit credit card information maintain a secure environment, reduce fraud and avoid penalties for non-compliance. All merchants and service providers that process, store or transmit cardholder data are required to comply. Bear in mind that a passed assessment is a point-in-time snapshot of the systems in scope: organizations have been breached while holding a current compliance certificate, usually because controls lapsed between assessments or because scope was drawn too narrowly and card data turned up on systems nobody assessed. Treat the standard as a baseline and keep its controls running continuously. You can read more about the PCI Council on their website.

PCI compliance is required of every organization that handles card transactions, so it's important to know how to become and remain compliant in order to protect sensitive information and avoid hefty fines for non-compliance. The standard applies to merchants and service providers alike: both must meet the same 12 requirements, a small number of sub-requirements apply only to service providers, and separate appendices cover multi-tenant (shared hosting) providers. Service providers, meaning organizations that process, store or transmit card data on behalf of other companies, validate their compliance through their own assessment and are listed by the card brands so that merchants can check them before signing up.
