PCI Compliant, What Does It Mean?

Forty years before credit cards were invented, science fiction novelist Edward Bellamy predicted the economy of the future. In his 1888 novel Looking Backward, he imagined simplifying finances by replacing bulky cash with individualized cards that store credit. More than a century later, we’re living the dream.

Credit cards do make life simpler, and digital payments make it easier still.

For the most part.

While I can pay a bill or make a purchase online without ever pulling my card out of my wallet today, there are risks involved. My credit card contains personal information that I’d rather not fall into the wrong hands, and I’m definitely not interested in paying for a cyber criminal’s holiday vacay to St. Kitts.

That’s where PCI DSS compliance comes in.

What is the Payment Card Industry Data Security Standard (PCI DSS)?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of minimum security requirements, maintained by the PCI Security Standards Council, that applies to every company that accepts, processes, stores, or transmits credit card data. Its purpose is to make sure those companies maintain a secure environment for cardholder data.

If your company accepts credit card payments in any way, shape, form, or fashion, it must be in compliance with PCI DSS. Even if you’re using a third-party payment processor to store data, you’re ultimately liable for your company’s compliance.

What’s required to be PCI DSS compliant?

Before we find a processor for our clients, we conduct thorough interviews to figure out which PCI DSS requirements apply to them and where they currently stand on compliance. It is of the utmost importance to offer our merchants only hardware and software that has been validated as PCI compliant.

The PCI Security Standards Council publishes a much more detailed list of requirements, but our short list of the standard’s goals includes:

  • Building and maintaining a secure network
  • Protecting cardholder data
  • Maintaining a vulnerability management program
  • Implementing strong access control measures
  • Regularly monitoring and testing networks
  • Maintaining an information security policy

What happens if my small business isn’t PCI compliant?

The cost of non-compliance is high. A data breach triggers a series of events that can prove to be catastrophic for small to mid-size businesses. The initial forensic exam to uncover the cause of the breach can run upwards of $20,000. If the exam reveals that your business was not in compliance, the costs go up from there.

According to the PCI Compliance Guide, businesses found non-compliant may be required to cover the costs of:

  • Notifying all impacted customers,
  • Replacing the cards of impacted customers,
  • Monitoring the credit of impacted customers for up to a year,
  • Paying non-compliance fines,
  • Upgrading POS systems, and
  • Undertaking a reassessment of PCI compliance

These steps can cost small to mid-size businesses in excess of $50,000, and that doesn’t take into consideration the damage that a data breach can do to your business’s reputation among customers and credit card companies.

A breach can lead to the loss of customers, and it can also lead to the loss of bank relationships. If your processor does decide to keep you on after a data breach, you can expect your transaction fees to increase significantly.

Oh, c’mon. No data thief would bother with my little business.

This is no time to be modest. According to a Trustwave study, 90% of data breaches affect small to mid-size businesses. To data thieves, small businesses are attractive targets precisely because small business owners believe that they’re too tiny to be targeted. That belief leads to lax security measures and cracks for attackers to slip through unnoticed.

Do third-party payment processors make small businesses more or less compliant?

That depends on the payment processor. Allowing a reputable third-party company to manage your payments and customer data can make it much easier to stay in compliance, because less cardholder data ever touches your own systems. However, even if customer data never resides on your network, cyber criminals can still harvest card data through compromised POS systems at the point where the card is read.

In other words, the right third-party processor can be a big part of your PCI vulnerability management program, but you’re still responsible for following through on security measures.

What’s the state of your business’ PCI compliance?

Contact us to schedule a Free Fact-Finding Appointment