What your business needs to know about PCI requirements
All businesses need to understand how the Payment Card Industry Data Security Standards apply to them, but these regulations can be confusing, especially for small merchants. The following is a breakdown of their key elements:
What is PCI DSS?
The Payment Card Industry Data Security Standards are a set of requirements that are meant to ensure all businesses conducting credit card-based transactions do so in a secure environment. Version 1 of the PCI DSS was released in 2004, but the PCI Security Standards Council was launched in 2006 to serve as the guiding agency behind the standards and improve them over time. While the council sets the standards, payment card companies and acquirers are responsible for enforcing compliance.
Any merchant that accepts credit cards is required to comply with the standards, whether they accept payments online, in person or over the phone.
What does PCI DSS cover?
PCI standards includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. In its most simplistic form, the PCI DSS is a list of best practices for maintaining payment security for your business and its customers. Some of the guidelines include:
- Secure network: Use a firewall to protect networks containing sensitive data.
- Protecting cardholder data: Encrypt cardholder data to prevent theft. Cardholder data includes the account number, cardholder name, card expiration date and security code.
- Maintain hardware: Keep all security software up to date and download security patches whenever they become available.
- Monitor access: Limit the people who can access secure systems and require strong passwords.
- Test networks: Test networks regularly to make sure there are no weaknesses.
- Maintain security policy: Create a store policy and educate staff members about security standards.
Standards vary by card brand
Visa, MasterCard, Discover and American Express all have different compliance requirements. Each company's set of standards contains several different levels that determine what merchants must do to become PCI compliant.
Companies outline different levels based on their payment volume. Level 1 merchants generally process more than 6 million transactions each year, while Level 2 merchants process between 1 million and 6 million transactions each year. Most small businesses fall in the Level 4 category.
The first step in meeting compliance is to determine your credit card brand, what level you qualify under, and learn the steps necessary to gain compliance.
There are penalties for noncompliance
Merchants that don't maintain compliance with PCI standards face harsh penalties. Each payment brand may have different penalties for noncompliance. Acquiring banks may be fined anywhere between $5,000 to $100,000 per month for PCI compliance violations and these costs will be passed down to the merchant. The acquirer may terminate the merchant's account, leaving the business with no way to process credit cards. The bank may also increase transaction fees, reducing the business' profits. In addition, by failing to keep up with the standards outlined by the PCI council, business owners compromise cardholder data security, which could lead to costly data breaches.
Compliance is an ongoing process
The PCI Council consistently updates the Data Security Standards, so a merchant's work will never truly be finished. It's important for merchants to keep an eye on changing requirements to keep up. While staying up to date with these ongoing changes may seem burdensome, each iteration of the standards makes merchants and customer data more safe. As payment technology evolves, hackers also update their techniques and merchants need to stay abreast of these changes.