PCI Compliance refers to the Payment Card Industry (PCI) Security Standards Council Data Security Standard (PCI DSS). Yes, it’s a mouthful of letters referring to a set of rules, not a law, that provides a universal set of security standards for payment account security. The council was created by the payment card industry’s founding members – American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc.
Use of the PCI DSS is mandated by credit card brands. If you have an eCommerce website, the following information is critical.
Surprisingly, many small merchants believe they are safe and can relax on the security front because hackers only target big businesses with high sales. NOT TRUE!
Hackers have become more focused on small businesses that process or store payment card data. Larger merchants tend to have expensive and robust security mechanisms in place to protect against attacks. This level of security is typically cost-prohibitive for small merchants. When searching for vulnerable targets, attackers are discovering that many small merchants don’t implement even basic security measures required by the PCI DSS.
Hackers are targeting and compromising small merchant environments. Breaches often go undetected for extended periods of time due to a lack of proactive security monitoring.
Complying with PCI standards is NOT optional and being non-compliant can lead to serious security breaches. Today’s attacks have become extremely sophisticated. Even if you don’t store credit card data, hackers are targeting points where that data passes through your systems. They can subsequently steal customer credit card information.
If a merchant experiences a security breach and is found to be non-compliant with PCI rules, they may be subject to fines. These fines are not assessed by the PCI DSS itself. The payment card brands penalize the merchant’s bank, and the bank then passes that cost along by assessing a fine on the non-compliant merchant.
These fines, assessed by banks and credit card institutions, can range anywhere from $5,000 to $500,000. Depending on the size and overall health of a business, being assessed one of these fines could be a mild annoyance, a major headache, or even the cause of bankruptcy.
In addition to fines, credit card processors may also charge a monthly fee when a merchant is not compliant. It’s the responsibility of individual processors to validate compliance. Each processor chooses whether or not to charge a PCI non-compliance fee and how much. These fees can typically range from $10 to $30. Some processors charge as much as $100 per month.
The financial burden that comes along with a data breach is just the tip of the iceberg. The cost is much higher when you consider how else a business will be affected.
To understand the financial liability of an organization's non-compliance, businesses should consult their merchant account agreement and contact their payment card brands directly.
Many retailers believe an SSL certificate ensures their site is secure. An SSL certificate alone simply does not cut the mustard: it protects cardholder data in transit to your site, but it does nothing for the rest of the PCI DSS requirements. Regardless of the size and number of transactions processed, if you are a merchant that accepts, stores, or transmits cardholder data and you want to process payments from any of the major credit card brands, you must comply with the PCI DSS.
Each of the credit card brand members has its own compliance programs to protect its affiliated payment card account data. Merchants should contact their payment card brands directly for specific information about individual compliance validation levels. Also, ask about assessment and reporting requirements.
Additional information and resources can be found at the links below.
The same technologies that make everyday business efficient create a field day for hackers to access sensitive information. Securing cardholder data is a challenge facing any business processing credit cards. A merchant taking “just a handful” of credit cards is no less obligated to protect consumer card data than the major retailers processing thousands of transactions a day. Do not wait until you are hacked to pay attention.