Every Merchant Needs to be PCI Compliant – Even You
Seventy percent of Americans have a credit card, and MasterCard’s 2013 “Cashless Journey” (PDF) report shows that approximately 80% of U.S. consumer payment value is made by non-cash means such as payment cards. Being able to accept card payments is attractive to merchants, whether a local corner store or a nationwide big-box retailer. By accepting electronic payments, however, a retailer also takes on responsibility for protecting sensitive cardholder data. Protecting that data may sound intimidating, but there is a systematic framework merchants can follow: the Payment Card Industry Data Security Standard, or PCI DSS for short.
What is PCI and does it apply to me?
The PCI DSS is a set of security requirements designed to protect cardholder data and reduce the likelihood of a data breach. If an organization stores, processes, or transmits cardholder data in any way, the PCI DSS applies to it. This includes storefront retailers as well as e-commerce merchants.
Most merchants’ familiarity with PCI comes in the form of an annual Self-Assessment Questionnaire (SAQ) or a quarterly external vulnerability scan of their network by an Approved Scanning Vendor (ASV), but the PCI DSS was designed as a continuous, ongoing process. Some banks, merchant services companies, and IT firms let merchants off-load much of the day-to-day compliance work onto them, but the merchant remains the party ultimately responsible for staying compliant. Keep in mind that being PCI compliant does not eliminate all security risk; it serves as a baseline, not a ceiling, for security.
What are the penalties for not being PCI compliant?
The fines levied by the card brands and acquiring banks against non-compliant merchants can reach $500,000, depending on the severity of the non-compliance and on any security breach that results from it. Should a breach occur, additional costs can include a fee for each compromised cardholder, the loss of the business’s merchant account, and the suspension or termination of its ability to accept cards. Consumer trust also suffers, and legal liability can arise for failing to protect sensitive information.
How do I become PCI compliant?
The first step toward PCI compliance is understanding what the PCI DSS actually requires. The PCI DSS Quick Reference Guide (PDF) is a good place to start: it outlines the six control objectives and the twelve requirements that make up the standard. Once you are familiar with the general shape of those requirements, contact your merchant services provider or acquiring bank. They determine your merchant level from your annual transaction volume and tell you which SAQ (or on-site assessment) applies to your business, since not every business has the same security obligations. One practical caveat: the less cardholder data your own systems touch (for example, by using a hosted payment page or a validated point-to-point encryption terminal), the smaller your PCI scope and the simpler your compliance effort will be.