If you’re opening a new business, or taking ownership of an existing one, you likely have a to-do list a mile long. Choosing a location, signing a lease, hiring staff, ordering inventory, setting up displays—the tasks can seem endless. One commonly overlooked but supremely important aspect of operating a business that accepts credit card payments is compliance with the Payment Card Industry Data Security Standard (PCI DSS).
You may have heard something about PCI security requirements and still be unsure what they mean and how they will affect your business. This article covers the basics of PCI and secure payments and helps get you going in the right direction.
1. PCI compliance is mandatory
Every business that accepts credit cards agrees to keep cardholder data secure, protecting cardholders from the damaging and very real threat of card data compromise. When thieves obtain the card number and sensitive authentication data, they can create duplicate cards, impersonate the cardholder for purchases, or sell the information to other criminals. Being PCI compliant requires following the standard’s 12 requirements for protecting data. The list includes things like setting up a firewall for your payment processing network and using a compliant POS system or terminal that won’t store sensitive authentication data locally.
The PCI Security Standards Council isn’t equipped to visit every business and check that the PCI requirements are being met. Under your merchant agreement, you are assumed to be compliant. However, if cards are compromised and the common point of purchase leads back to your business, the first thing an investigation will establish is whether your business was PCI compliant at the time of the breach.
2. Bad things can happen if you aren’t compliant
If it’s determined that you were breached and were not compliant at that moment, you will very likely face hefty fines and fees. You could be held responsible for the cost of reissuing every card that was compromised, in addition to paying for a forensic audit, additional penalties, payment security upgrades, and even legal fees, not to mention the possibility of bad press and a loss of consumer trust and loyalty. Verizon Enterprise Solutions reports that 69 percent of consumers are hesitant to do business with a breached organization, which contributes to another unpleasant statistic from StaySafeOnline.com: 60 percent of small businesses close within six months of a breach.
3. Small businesses are a favorite target for thieves
After reading the scary statistics on the cost of data breaches, many merchants think they’re too small to bother with, and that breaches only happen to big businesses like Target. That is only partly true: breaches do happen to big businesses, but the PCI Council reports that over 71 percent of data breaches target small businesses and merchants. The reason is simple. Small businesses are less likely to allocate resources toward data security, which makes them an easy target. And whereas a breach didn’t keep Target from opening its doors, smaller businesses don’t have the same cushion. Breaches usually hurt small businesses more than larger ones.
4. You don’t have to do it alone
So, the nitty-gritty on PCI is that it’s required, it’s important, and it can feel overwhelming to small business owners. The good news is that with a little help, it’s not as scary as it may seem. There are many PCI compliance assistance programs in the marketplace to help you achieve and maintain compliance. Many payment processors provide this service, so be sure to ask for details on PCI assistance when you’re shopping for a processor. A good program should include a self-assessment questionnaire, a to-do list, quarterly vulnerability scans, and breach protection that provides financial support if a breach does occur.
Contact Vantiv for more information about our PCI compliance assistance and breach protection solutions.