What Your Business Should Know about PCI Compliance - By Avi Jorisch

ALL businesses that process credit cards, whether they handle a few transactions a year or thousands, are required to comply with the Payment Card Industry Data Security Standard (PCI DSS). The standard was created by the major card brands (Visa, MasterCard, American Express, Discover, and JCB) to prevent theft of cardholder data; it was first published in 2004, and in 2006 the brands formed the PCI Security Standards Council to maintain it. PCI DSS compliance is an ongoing obligation, and validation is required every year.

As merchants consider accepting credit cards, they should also keep in mind the responsibilities the card brands impose on them. The points below give merchants a better idea of their PCI obligations.

Who Oversees PCI and Why Be Compliant?

The PCI DSS is administered and managed by the PCI Security Standards Council (PCI SSC, www.pcisecuritystandards.org), an independent body created by the major payment card brands (Visa, MasterCard, American Express, Discover, and JCB).

Why should a merchant strive to comply with PCI DSS? The most basic answer is simple: if it does not, the card brands will levy monthly non-compliance fees, passed on through the merchant's acquiring bank, for as long as the business is out of compliance. Just as importantly, a business should want to be compliant so that its customers' cardholder data is protected and the business is not exposed to unnecessary legal risk. Letting your customers know that you are PCI compliant gives them confidence that their card data will be safeguarded.

What Does It Take to Become PCI Compliant?

Becoming PCI compliant is not necessarily intuitive, and businesses will want to find a provider that can walk them through what to do step by step. Measures often include, but are not limited to, the following:

·      Determine your merchant level and validation type (most merchants validate with a Self-Assessment Questionnaire; the largest must have a Qualified Security Assessor produce a Report on Compliance)

·      Complete and report an Attestation of Compliance (AOC) and Self-Assessment Questionnaire (SAQ) annually

·      Complete and report quarterly passing results of external vulnerability scans of your Internet-facing, in-scope systems, performed by an Approved Scanning Vendor (ASV)

·      Create an information security policy and review and update it at least annually

PCI compliance is required no matter how a merchant accepts credit cards: physical terminal, virtual terminal, POS system, mobile payments, etc. The acceptance method does, however, determine how much of your environment is in scope and which SAQ applies.

Network Scans

An ASV scan is carried out remotely over the Internet by an automated tool that probes the Internet-facing systems a merchant uses for card acceptance. It is meant to identify vulnerabilities an attacker could exploit to reach cardholder data on the merchant's network. Scans must be performed at least once every 90 days (quarterly), and a scan passes only if it finds no vulnerability rated at CVSS 4.0 or higher; failing findings must be remediated and the scan repeated until a passing result is obtained.
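The following is an added example, not part of the original article and not an ASV's own tooling, showing how a merchant can triage an ASV report and track the quarterly cadence. It assumes findings are represented as simple records with a host, port, CVSS base score and title (the sample findings and dates are constructed for illustration); the pass/fail rule is the ASV Program Guide's CVSS 4.0 threshold, and the 90-day interval is the quarterly requirement described above.

```python
"""Triage ASV external scan findings and check quarterly scan coverage.

Added example; not the article's or any ASV's code. Findings are assumed to be
dicts with keys host, port, cvss, title. Sample data below is constructed.
"""
from datetime import date

CVSS_FAIL_THRESHOLD = 4.0     # ASV Program Guide: base score >= 4.0 fails the scan
MAX_SCAN_INTERVAL_DAYS = 90   # passing scans must be at most 90 days apart

# Constructed sample findings, shaped like an ASV report might list them
SAMPLE_FINDINGS = [
    {"host": "203.0.113.10", "port": 443, "cvss": 7.5,
     "title": "TLS 1.0 enabled"},
    {"host": "203.0.113.10", "port": 22, "cvss": 2.6,
     "title": "SSH banner discloses version"},
    {"host": "203.0.113.11", "port": 80, "cvss": 5.3,
     "title": "Directory listing enabled"},
    {"host": "203.0.113.11", "port": 443, "cvss": 0.0,
     "title": "Informational: certificate expires in 45 days"},
]


def failing_findings(findings, threshold=CVSS_FAIL_THRESHOLD):
    """Findings that cause the scan to fail, most severe first."""
    return sorted((f for f in findings if f["cvss"] >= threshold),
                  key=lambda f: f["cvss"], reverse=True)


def scan_passes(findings, threshold=CVSS_FAIL_THRESHOLD):
    """True only when no finding reaches the failing threshold."""
    return not failing_findings(findings, threshold)


def hosts_needing_remediation(findings):
    """Map each host to the titles it must fix before a rescan can pass."""
    work = {}
    for f in failing_findings(findings):
        work.setdefault(f["host"], []).append(f["title"])
    return work


def coverage_gaps(passing_scan_dates, as_of, max_interval=MAX_SCAN_INTERVAL_DAYS):
    """Return (start, end) pairs where more than max_interval days elapsed
    without a passing scan, including the stretch from the last passing scan
    up to as_of. Raises if there has never been a passing scan."""
    dates = sorted(passing_scan_dates)
    if not dates:
        raise ValueError("no passing scan on record")
    gaps = []
    prev = dates[0]
    for d in dates[1:] + [as_of]:
        if (d - prev).days > max_interval:
            gaps.append((prev, d))
        prev = d
    return gaps


if __name__ == "__main__":
    if scan_passes(SAMPLE_FINDINGS):
        print("scan PASSED")
    else:
        print("scan FAILED; remediation needed:")
        for host, titles in hosts_needing_remediation(SAMPLE_FINDINGS).items():
            print(f"  {host}: {', '.join(titles)}")
    # Constructed history: the Apr-to-Aug stretch exceeds 90 days
    history = [date(2023, 1, 15), date(2023, 4, 10), date(2023, 8, 1)]
    for start, end in coverage_gaps(history, date(2023, 9, 1)):
        print(f"coverage gap: {start} to {end} ({(end - start).days} days)")
```

The informational and low-scoring findings are still worth fixing, but only the findings at or above the threshold block a passing attestation; keeping the pass/fail rule separate from the remediation list makes it easy to hand each host owner exactly what stands between the merchant and a passing quarterly scan.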

Penalties for Noncompliance

The card brands have given themselves the right to fine a merchant (through its acquiring bank) anywhere from $5,000 to $100,000 per month for PCI compliance violations. Ultimately, if a merchant is not PCI compliant, the brands can terminate their relationship with the business. Penalties are generally not made public, but having your merchant account terminated will end your ability to accept credit cards.

Addressing PCI compliance when a merchant signs up for credit card acceptance, rather than after the fact, helps the business both reduce its risk exposure and avert potentially costly consequences.