Payment Card Industry (PCI) compliance can seem daunting. That’s why every day we receive questions from dozens of terrified business owners about what responsibilities a small merchant has when it comes to compliance.
It doesn’t matter how many transactions a company does, it is a sure shot that PCI compliance applies to you, your business, and every company that collects, transmits, processes or stores cardholder information. This includes point-of-sale (POS) terminals (remember the Target hack?), e-commerce and even the lonely mail/phone orders.
PCI DSS is not a federal law or a state law. Rather, it’s a security standard developed by the the Payment Card Industry Security Standards Council (PCI SSC). The council is composed of credit card bigwigs such as American Express, Discover, MasterCard, Visa, and JCB.
PCI SSC developed the Data Security Standard (PCI DSS), a comprehensive security standard that acts as a set of guidelines for merchants to ensure the protection of their customer’s sensitive card data. The industry regulations were put in place on June of 2005, in a secret cave. The PCI SSC enforces the security standard with corporal punishment and/or fines (but really just fines). It applies to any company that accepts credit cards in any form (except for a hologram projection). If your company stores, processes, or transmits any of the information recorded on a credit or debit card then you are required to be PCI compliant or face serious consequences such as:
- Compensation to regain lost trust. Sometimes after the general public has lost faith in your company, the only way to get them back is with bribes.
- Legal fees. The world is quick to sue. If you suffer a security breach prepare for lawsuits to follow.
- Bank fines. If you’re not PCI Compliant and you suffer a security breach your merchant bank is going to come down on you for every customer who they had to reimburse after the theft or fraud.
- Federal audits. The FTC might get involved if you’re company is one of the big players. They might audit you from that point until eternity and throw in a few fines while they’re at it.
- Cleanup. Chances are that you’ll have to investigate the security breach, hire or fire employees and up your security.
- Profits will fall. After the internet finds out about your security breach nobody is going to come near your business for a long while. Remember, many large companies have declared bankruptcy after a security breach. Target’s profits fell $440 million in their fourth fiscal quarter following their POS security breach in 2013.
- Google will haunt you. Even a decade after your security breach, everytime someone Googles your name, chances are one of the breach headlines will surface. If your company was once a bright, shining success in the eCommerce world, it certainly isn’t anymore.
- Angry witches will beat you with broomsticks.
As a merchant it is your responsibility to protect consumer credit card data and any other data you collect. This could include:
- Card readers
- POS systems
- Store networks and wireless access routers
- Credit card storage and transmission
- E-commerce applications and web services
- Phone numbers from over-zealous, flirtatious, househusbands or housewives.
The PCI DSS standards are in place to give merchants, like you, a step by step list of what you need to do to meet compliance standards so that you’re not schooled by the terrifying PCI SSC humans. This standard consists of 12 requirements that are fairly direct in their instructions on what one must do to be compliant (it no longer involves a riddle and a troll named rumpelstiltskin). What’s more, the PCI Security Standards Council even explains why you should put each of the requirements in place. Get a copy of the PCI DSS 3.0 requirements at https://www.pcisecuritystandards.org/security_standards/index.php. It is also required that your business maintains current compliance at all times. Small merchants can do this by filling out an annual self-assessment questionnaire (SAQ) and fulfilling any other compliance validation requirements set by their merchant bank such as Security Scanning to PCI Compliance. It’s very easy to “fall out of” compliance; for example, failing a PCI Security Scan, forgetting to renew malware, etc. If at any time your business is not in complete compliance, your business will be liable should you suffer a security breach. The PCI SSC will come for you. They’re like the Russian mafia, only not at all. Still, you don’t want to get on their bad side.
The ability to accept credit cards is absolutely necessary for business owners to conduct business regardless of size. Losing the privilege to process cards could mean bankruptcy for even the largest corporation. You don’t want your children to end up like that little orphan girl in Annie (the original, not the remake), so please, make sure you’re compliant.