If your business accepts credit card payments, then you’ve probably heard the term PCI compliance before, usually accompanied by an undertone of fear or stress. It’s a thorny topic at best, and without a solid starting point from which to tackle it, it can be hard to understand why PCI compliance matters.
But every business that takes credit card payments must deal with PCI compliance, and it’s an essential topic to understand if you want to ensure that you’re safely storing your customers’ credit card data.
So what exactly is PCI compliance, and why does it matter?
What is PCI?
Let’s start off with PCI, which stands for Payment Card Industry.
The PCI DSS, or Data Security Standard, is a set of rules and standards for businesses to follow to make sure they are safely handling customer credit card information. The PCI DSS applies to any business that accepts, processes, or stores cardholder data, regardless of size or industry.
The PCI DSS was developed by the PCI Security Standards Council, a group formed by the five major payment card brands (American Express, Discover, MasterCard, Visa, and JCB). The council was created to improve data security standards for credit card payments, educate businesses, and hold companies accountable to the DSS to help keep customer credit card data safe.
Now that we know what the PCI DSS is, let’s get into some of its implications. What happens if you don’t follow the PCI DSS?
The PCI DSS is not a law, but there are penalties for not becoming compliant with the standard. If your business doesn’t follow the PCI DSS, you may have to pay a fine, and your bank may end your relationship or raise the cost of transaction fees. The penalties incurred may vary, and can be devastating for small businesses. It’s always best to be as fully compliant as possible to avoid expensive fines.
Of course, a business that is not PCI compliant is also vulnerable to attacks and data breaches. Such a breach could cost you thousands of dollars in damages, lose you the respect and trust of your customers, and decimate your reputation.
A study on PCI Compliance
According to a new study conducted last month by Lightspeed Research, PCI compliance is far from ubiquitous among small businesses. The study found that 22 percent of small business retailers were not PCI DSS compliant, and 14 percent were not sure whether or not they were compliant.
It is alarming that so many respondents were unaware of their network security posture and PCI DSS compliance status, because customers’ sensitive information and business integrity are at stake.
False Sense of Security
The study also found that 55 percent of the respondents were not aware of the security breach disclosure requirements in their state. And when it comes to having a policy to meet those requirements, 40 percent said they had no such policies in place.
As to why PCI DSS compliance among small businesses is not higher, the size of the organization could be a factor, because a lot of small business owners believe they are too small to be hacked. They believe hackers only attack high-profile businesses like Target, which gives business owners a false sense of security, because every business is at risk of attack. In fact, hackers find small businesses worthwhile targets, because they offer the best return on investment for an attacker.
Becoming PCI compliant
So how can you become PCI compliant? The process is different for each business, but overall, there are two or three major steps to take.
First, you must complete an SAQ, or Self-Assessment Questionnaire, which guides you through a series of questions concerning your business, your existing practices for accepting and storing credit card data, and your current network security. This questionnaire serves as a quick audit of your business and helps you report on whether or not your business complies with the PCI DSS.
Second, depending on the size of your business, you may need to pass a vulnerability scan. This scan is performed by an approved scanning vendor who remotely reviews your network to look for any weaknesses that could be exploited.
Finally, you must submit an Attestation of Compliance.
Once these pieces are successfully submitted, you’re on your way to achieving PCI compliance.
Sometimes, trying to become PCI compliant is too difficult, time-consuming, or confusing for businesses. Fortunately, there are third-party companies that specialize in data security and can partner with you to develop secure, PCI compliant systems.
For example, you may choose a credit card processor that uses encryption, tokenization, or cloud technology to safeguard data and achieve PCI compliance.
If you go with a third-party option, your business is usually not liable for any data breaches, and you don’t have to worry about enhancing your existing system to stay PCI compliant.
Why PCI compliance matters
Ultimately, PCI compliance matters a great deal for both you and your customers.
Adhering to the PCI DSS means that you are rigorously protecting your customers’ data and defending against data breaches. You will earn the respect and trust of your customers when they learn that you go to great lengths to ensure their sensitive information is safe.
And, of course, becoming PCI compliant means you won’t have to pay any expensive penalties or fees. You’re investing in the long-term health of your business and stepping up to a higher standard of security.
Although PCI compliance is a complicated topic, it’s imperative that your business does the work to reach compliance and understand why PCI compliance matters. Whether you choose to upgrade your own system or use a third-party company, PCI compliance is a crucial requirement for ensuring the safety of sensitive customer information.