Businesses that accept customer credit card payments are required to follow payment card industry (PCI) compliance standards. If you are uncertain about PCI compliance, meaning you are uncertain about how to keep cardholder data secure, here is some information you should know.
What Is PCI Compliance?
PCI compliance is a set of standards mandated by credit card companies to ensure all transactions are secure. These standards are covered under the Payment Card Industry Data Security Standard or PCI DSS. Launched on September 7, 2006, it requires companies to maintain security when they process, store, or transmit cardholder data. The PCI DSS was created by the PCI Security Standards Council, a collaboration between Visa, American Express, MasterCard, Discover, and JCB.
What Does It Cost to Be PC-Compliant?
PCI compliance generally costs small businesses just a few hundred dollars per year. It includes self-assessments, vulnerability scanning, policy development, training, and hardware/software updates. However, it can cost much more for large enterprises that require onsite audits, penetration testing, and wide-scale training and policy development.
Maintaining compliance is far less expensive than credit card fraud and data security breaches, which can cripple your business financially.
Why Is PCI Compliance Important?
Although courts have enforced it, PCI compliance is not required by law. Nonetheless, taking all the steps to ensure your business is compliant is important because doing so:
- Reduces the risk of consumer data breaches, theft, and fraud.
- Protects cardholder data, including account, driver’s license, and Social Security numbers.
- Helps improve the reputation of your brand and loyalty of your customers.
- Provides your security department with guidelines for monitoring, assessing, and auditing data security.
- Avoids lawsuits and fines for agreement violations and negligence.
- Enables your organization to improve IT efficiency.
- Helps comply with SOX, HIPAA, and other regulations.
PCI Compliance Levels and Requirements
There are four levels of PCI compliance. The level that applies to your organization depends on how many transactions per year it handles. These include:
- Level 1: Organizations that process more than six million credit card transactions annually.
- Level 2: For companies that process one to six million transactions per year.
- Level 3: Merchants that process fewer than one million and more than 20,000 transactions.
- Level 4: Businesses that process fewer than 20,000 transactions.
Your company’s PCI compliance level dictates the type of assessment that is needed. For example, Level 1 organizations generally require an on-site audit by a Qualified Security Assessor or Internal Security Assessor. A Report on Compliance (ROC) must then be submitted to the organization’s acquiring banks. If your organization is in PCI Levels 2-4, a self-assessment questionnaire is usually enough (Level 2 companies also need to submit an (RoC).
Assuring Your Business Is PCI-Compliant
There are 12 basic PCI DSS requirements, which include:
- Use of firewalls that prevent unauthorized access to data.
- Strong password protection for point of sale systems, modems, routers, and software.
- Protection of all credit card data.
- Encryption of cardholder data during transmission.
- Ensuring anti-virus software is regularly updated and patched.
- Ensuring all business software is up to date.
- Access to cardholder data only on a “need to know” basis.
- Unique credentials and IDs for those who have access to cardholder data.
- The physical security of data on hard drives or those written/typed.
- Maintenance of access logs with details on all activity involving access to sensitive data.
- Scanning and vulnerability testing to detect human error and malfunctions.
- Documentation of equipment, software, and employees approved for access, as well as flow, storage, and use of information.
What if I’m Not PCI-Compliant?
Failing to meet PCI compliance standards can have a devastating impact on your business, brand, and customers. Non-PCI-compliance can compromise data, which can have a negative impact on consumers’ finances, as well as merchants and financial institutions. It may also prevent you from conducting business effectively, well into the future. Account data breaches often drive customers away, cutting into sales and also damaging business and community relationships.
Then there are the costs of non-compliance. You could face not only canceled accounts and fines from payment card issuers; lawsuits and insurance claims are also possible, as are fines by government agencies.
Adept Payments Helps You Comply with PCI Standards
Our solutions are designed to ensure PCI compliance, meaning you’ll benefit from the partnerships with accredited providers that we have built. We offer knowledgeable support, reliable systems, and access to the most effective credit card fraud protection tools available. For more details, call 888-732-3838 or contact us online.