It’s a common question among business owners and employees. Maybe you’re just starting out and wondering how to accept credit cards, or maybe you’ve done a little research but are confused by all the information out there.
Here’s the short answer: yes, PCI compliance is mandatory.
Let’s get into why.
The PCI Security Standards Council
In 2006, the five major card brands (American Express, Discover, MasterCard, Visa, and JCB) formed the PCI Security Standards Council, an organization dedicated to promoting awareness of and adherence to payment security standards.
In pursuit of that goal, the PCI Security Standards Council created the PCI Data Security Standard (PCI DSS), a set of rules and standards for businesses to follow to make sure they’re safely handling customer credit card information. Any business that transmits, stores, handles, or accepts credit card data—regardless of size or processing volume—must comply with the PCI DSS.
If you only process three credit card transactions a month, you must comply with PCI standards. If you use a third-party payment processor, you must comply with PCI standards. If you don’t store credit card data but it passes through your server, you must comply with PCI standards.
All that to say, if your business accepts credit cards as a form of payment, then you must be PCI compliant.
What if I’m not PCI compliant?
PCI compliance is mandatory, but some business owners wonder if they can get around the requirements. That is an irresponsible and potentially devastating idea.
If you’re not PCI compliant, then you’re putting your customers and your business at risk. Without the protection that PCI compliance brings, your business could be vulnerable to costly attacks and data breaches.
If a data breach occurs and you’re not PCI compliant, your business will have to pay penalties and fines ranging between $5,000 and $500,000.
But fines are just the beginning of the overall damage caused by noncompliance. If you’re not PCI compliant, you run the risk of losing your merchant account, which means you won’t be able to accept credit card payments at all. Your business could also be placed in the Visa/MasterCard Terminated Merchant File (TMF), making you ineligible to obtain another merchant account, at least for several years.
On top of that, a data breach could cost you thousands of dollars in damages, lose the respect and trust of your customers, and decimate your reputation.
The penalties of not being PCI compliant are many and varied. It’s always best to be as fully compliant as possible to avoid expensive fines and other losses.
How can I be PCI compliant?
PCI compliance is an ongoing process that requires regular check-ins and assessments of current systems and practices. It’s not a “set it and forget it” project—it’s a continual effort to keep cardholder data safe.
That being said, PCI compliance can be completely overwhelming. There are many requirements that can be confusing and difficult to implement. Fortunately, you don’t have to do it on your own. You can use third-party products and services as part of your larger PCI compliance strategy.
Many third-party payment gateways are themselves PCI DSS compliant, which reduces the scope of what you must secure on your end. These payment gateways use data security methods like tokenization, which lets you store “tokens,” or stand-in references to credit card data, on your local servers instead of the card numbers themselves. That way, you still have quick and easy access to a customer’s card on file (for repeat customers, for example) without ever storing the card number. Using these payment gateways can remove some of the burden of figuring out PCI compliance, but remember that third-party solutions are not a silver bullet. You are still responsible for your own security and must commit to testing, strengthening, and updating it over time.
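To make the tokenization idea concrete, here is an added example (not code from the article or from any real payment gateway) that simulates the two sides: a hypothetical gateway vault that is the only place the card number lives, and a merchant database that holds nothing but a random token and the last four digits. It also includes a small audit that scans merchant storage for Luhn-valid digit runs, the kind of check you would run to confirm that a full card number never slipped into a notes field or a log. The card number used is the widely published Visa test number, and all records are constructed for the example.

```python
import re
import secrets
from dataclasses import dataclass, field


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by card numbers; lets the audit ignore random digit runs."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class GatewayVault:
    """Hypothetical gateway side. In a real deployment this lives with the
    PCI-compliant provider, never on the merchant's own servers."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str):
        if not luhn_ok(pan):
            raise ValueError("not a valid card number")
        # The token is random: it carries no information about the PAN and
        # is useless to anyone who cannot call this vault.
        token = "tok_" + secrets.token_urlsafe(18)
        self._pan_by_token[token] = pan
        return token, pan[-4:]

    def charge(self, token: str, amount_cents: int) -> dict:
        pan = self._pan_by_token.get(token)
        if pan is None:
            raise KeyError("unknown token")
        # Constructed authorization response; a real gateway returns far more.
        return {"approved": True, "amount_cents": amount_cents, "last4": pan[-4:]}


@dataclass
class MerchantDB:
    """Merchant-side records: should hold only the token and a display hint."""
    customers: dict = field(default_factory=dict)

    def save_customer(self, customer_id: str, token: str, last4: str, notes: str = ""):
        self.customers[customer_id] = {"token": token, "last4": last4, "notes": notes}


# 13-19 digit runs not adjacent to other digits; candidates are then Luhn-checked.
DIGIT_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def audit_merchant_storage(db: MerchantDB) -> list:
    """Return (customer_id, field, last4) for every Luhn-valid card-like number
    found in merchant storage. An empty list is the expected result when
    tokenization is working as intended."""
    findings = []
    for cid, rec in db.customers.items():
        for fieldname, value in rec.items():
            for run in DIGIT_RUN.findall(str(value)):
                if luhn_ok(run):
                    findings.append((cid, fieldname, run[-4:]))
    return findings


def demo() -> dict:
    vault = GatewayVault()
    db = MerchantDB()
    pan = "4111111111111111"  # constructed: the well-known Visa test number

    token, last4 = vault.tokenize(pan)
    db.save_customer("cust-1", token, last4)
    # A repeat charge uses only the token; the merchant never sees the PAN again.
    receipt = vault.charge(token, 1999)
    clean = audit_merchant_storage(db)

    # Deliberate mistake: a free-text field that captured the full card number.
    db.save_customer("cust-2", token, last4, notes=f"card on file {pan}")
    dirty = audit_merchant_storage(db)

    return {"token": token, "receipt": receipt,
            "clean_findings": clean, "dirty_findings": dirty}


if __name__ == "__main__":
    print(demo())
```

The point of the split is scope: the merchant database can be copied, backed up, or even leaked without exposing a usable card number, because the token only means something to the vault. The audit is deliberately simple (a regex plus the Luhn check) and is the sort of thing worth running over databases, logs, and support tickets periodically, since tokenization only helps if the card number truly never lands on your side.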
The bottom line
If your business accepts credit cards, then you must be PCI compliant. It’s as simple as that.
So don’t let fear or confusion keep you from tackling PCI compliance. In the long run, PCI compliance will protect you and your customers from data breaches and the costs and damages involved.
The next time you’re wondering about PCI compliance, you’ll know the answer: PCI compliance is mandatory and necessary for the benefit of both businesses and customers.