Demystifying PCI: Myths and merchant responsibilities for secure credit card processing
As a merchant, making sure your payment systems are compliant with the Payment Card Industry Data Security Standard (PCI-DSS) can be a daunting task. It’s a big responsibility, but you don’t have to go it alone. There are three common myths that merchants mistakenly believe that leave their payment systems vulnerable.
Myth #1: A single product will ensure my systems are PCI compliant.
Contrary to what you may think, even the single most modern security solution will not cover your systems under PCI compliance on its own. Instead, you’ll need to employ a multifaceted approach to ensure that they fully address all 12 requirements of PCI-DSS. Even if you purchase a security solution that is touted as a “silver bullet” to PCI compliance, it’s important to do your due diligence to make sure you are truly covered.
Myth #2: We outsource our payments processing, so we must be PCI compliant.
While outsourcing your credit card payment processing can help simplify this process for you, doing so does not mean that your business is automatically PCI compliant. Even if you outsource your payment processing, you still receive and transmit sensitive cardholder data on your systems, and so must be prepared to protect this information. You’ll also be responsible for handling refunds and chargebacks—another intersection between your systems and sensitive data.
Myth #3: We don’t process many credit card transactions, so we don’t have to worry about PCI compliance.
Being PCI compliant is the responsibility of every person or business that receives, processes, transmits or otherwise handles sensitive cardholder financial data. Even if your company only processes one credit card transaction a month, you still must remain in compliance with PCI-DSS because your systems could still be targeted by fraudsters who want to intercept related data.
Merchant Responsibilities for PCI Compliance
If you’ve received notification from your acquirer bank that your business needs to submit PCI compliance validation, it’s important you understand your responsibilities. Here’s how we recommend getting started:
- Determine your level as defined by credit card network. The first step in making sure you’re PCI compliant is understanding how each of the major credit card networks classify your company—since that classification determines your PCI requirements. The classifications are determined by your transaction volume, which differs from network to network. You can read more about each of the networks on their respective websites:
If you are still unsure about your merchant level for PCI purposes, contact your acquirer bank (the bank that's usually connected to your processing) since they have the ultimate authority over your merchant levels.
- Gather the documentation you need to submit for validation. Once you’ve worked with the credit card networks and your acquirer bank to understand your merchant classifications, you can determine what documentation you’ll need to submit for PCI validation. Your acquirer bank can also help you understand what you need to submit. Furthermore, the following factors may affect your compliance validation process:
- Whether you use your own systems to process payments
- Whether you store cardholder data on your systems
- Whether you accept credit cards in-person or remotely
Work closely with your credit card processing provider throughout the PCI validation process, as they are experts in the payments industry and can save you time and headache in completing this important process.