What is PCI Compliance?
You are running a profitable business, and your decision to accept credit card payments has been a big reason for your success. Your customers like the convenience of paying with plastic, and you appreciate the organization that those transactions provide when you do your accounting.
In the past, a key differentiator between companies used to be whether a business accepted credit cards. But with the vast majority of commercial entities opting to obtain merchant services accounts today, a new standard has arisen: whether or not a given business’s credit card processing system is safe. If your customers are not comfortable with your business’s ability to keep their credit card data secure and out of the hands of criminals, they may turn to a competitor.
So how do you know that you are maintaining the integrity of your credit card processing network? The answer can be found in a new worldwide designation known as PCI compliance.
PCI stands for Payment Card Industry, and being PCI compliant means following the guidelines known as the Payment Card Industry Data Security Standard (PCI DSS). These standards encompass all of the players involved in the process of authenticating credit card transactions, including cardholders, merchants, acquirers, processors and card associations. Because this network has so many moving parts, there are numerous places where valuable credit card data can be stolen or used in a fraudulent manner. That is why PCI compiled these standards: to help prevent such breaches of security and the fallout that can result.
Here are the key points of the PCI Compliance Security Program:
- Securing the collection and corruption-proof storage of cardholder data
- Organizing cardholder data so it can be easily analyzed
- Proving compliance by providing evidence on demand that the necessary controls are in place for data protection
- Maintaining auto-alert systems, which constantly monitor the usage of and access to the protected data
- Logging data and providing proof that it has been properly collected and stored
Today, regulatory standards in the U.S. require merchants to maintain PCI compliance. Because of the evolving technology that constantly reshapes the credit card industry, as well as the fact that data can be compromised years after a transaction has been completed, PCI compliance should not be viewed as a goal attained once, but as an ongoing effort to preserve a business’s compliant status. This means implementing and repeating procedures such as removing complete credit card numbers and expiration dates from printed receipts, accurately completing self-assessment questionnaires, and conducting regular (preferably quarterly) system vulnerability scans to identify potential weaknesses.
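As an added example (not part of the original article), the Python below shows the receipt-sanitizing step in code: it masks any Luhn-valid card number down to its last four digits, strips MM/YY expiration dates, and doubles as a detection check that can be run over receipt templates or application logs to find full card numbers that should not be there. The sample receipt and the regular expressions are constructed for illustration; 4111 1111 1111 1111 is a widely used test number, not a real card.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Expiration dates written MM/YY or MM/YYYY (constructed pattern; adjust to your receipt layout).
EXPIRY = re.compile(r"\b(0[1-9]|1[0-2])/(\d{2}|\d{4})\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _mask(digits: str) -> str:
    """Keep only the last four digits of a card number."""
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_pan(match: re.Match) -> str:
    """Mask a Luhn-valid card number; leave other long numbers (order ids, etc.) untouched."""
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    return _mask(digits) if luhn_valid(digits) else raw


def sanitize_receipt(text: str) -> str:
    """Remove full card numbers and expiration dates from receipt or log text."""
    return EXPIRY.sub("**/**", PAN_CANDIDATE.sub(mask_pan, text))


def find_unmasked_pans(lines):
    """Detection check: list (line_no, masked_pan) for every line still carrying a full card number."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                hits.append((n, _mask(digits)))
    return hits


# Constructed sample receipt; the order number is deliberately card-like but fails Luhn.
SAMPLE_RECEIPT = """ACME HARDWARE  Order 1234567890123
VISA 4111 1111 1111 1111  EXP 12/27
AMOUNT $42.10  APPROVED"""

if __name__ == "__main__":
    print(sanitize_receipt(SAMPLE_RECEIPT))
    print(find_unmasked_pans(SAMPLE_RECEIPT.splitlines()))
```

Running `find_unmasked_pans` over a sanitized receipt should return an empty list; anything else means a receipt template or log still exposes full card data.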
Since most small businesses are extremely cost conscious, the temptation to ignore PCI compliance and the expenses associated with it may be substantial. A business owner may fail to appreciate the importance of following formal guidelines to maintain credit card data security, and rationalize this viewpoint with the belief that a security breach won’t happen because his or her business is just a “small fish” in the American marketplace.
But here is the cold, hard truth: every business, no matter how large or small, is a potential target for criminals and fraudsters. In fact, many unsophisticated data thieves will shy away from large conglomerates in favor of what they perceive as the “low-hanging fruit” of the small or medium-sized business.
And for the thrifty business owner, here is more sobering news: the minimal expenses of maintaining PCI compliance pale in comparison to the costs associated with a single security breach. Here is a list of consequences that may accompany a breach:
- Compensation paid out for fraudulent purchases made with stolen information
- Chargebacks associated with illegal transactions
- Replacement of company cards that have been compromised
- Forensic investigation of compromised processing systems (which can cost between $10,000 and $20,000)
- Fines levied by card associations for not being PCI compliant (which can be as high as $500,000)
- Potential listing on the Terminated Merchant File MATCH list, which can hinder your ability to obtain merchant services accounts in the future
- Loss of trust, customer loyalty, and reputation among those in your target market
Setting up your company so that it is PCI compliant is not as difficult as it may sound. The Payment Card Industry offers suggestions on what steps to take and which processes to implement. Many third-party companies are happy to provide a turnkey solution for your PCI compliance needs. Such firms will handle all of your business’s security and guarantee a safe data environment in exchange for a flat fee. For those business owners who don’t prefer either extreme, a middle ground exists as well. Certain companies package web-based compliance tools and software, which make it easy for a business owner to analyze data, fix potential problems, and validate PCI compliance. These services can be purchased for a small annual fee.
In the 21st century, PCI compliance is becoming one of the hallmarks of commerce safety and trust in the marketplace. So make sure that your business is PCI compliant – or your customers will find someone else who is.