It can be hard to sift through the technical details, but if you do business on the Internet, you need to know about PCI compliance. It is not only an integral part of protecting your customers' card data and your relationship with them; you can also face severe financial repercussions for failing to comply. Below is an overview of what small businesses need to know about breach liability, compliance fines, and PCI compliance in general.
What is PCI Compliance?
PCI ("Payment Card Industry") compliance means meeting the PCI Data Security Standard (PCI DSS), a set of rules intended to protect consumer credit and debit card information. The standard was first published by the card brands in December 2004; since September 2006 it has been maintained by the PCI Security Standards Council, an organization created by the major card brands (American Express, Discover, JCB, MasterCard and Visa) to set standards that secure card transactions and protect cardholder data.
</gre_replace>
<gr_replace lines="5" cat="clarify" orig="The most basic requirement fro">
The requirement most people have heard of is encryption, but "128-bit encryption" is only a shorthand. PCI DSS requires strong cryptography (the Council's glossary cites, for example, AES with keys of 128 bits or longer and RSA with keys of 2048 bits or longer) for cardholder data sent over open, public networks, and it requires that a stored primary account number (PAN) be rendered unreadable wherever it is kept. Those are two of twelve requirements; the others cover firewalls, default passwords, access control, logging and monitoring, vulnerability management, testing, and written security policy. How you must prove compliance varies by business, because merchants are assigned one of four validation levels, set by each card brand mainly on the volume of card transactions processed each year: Level 1 merchants need an on-site assessment by a Qualified Security Assessor, while lower levels generally complete a Self-Assessment Questionnaire. Merchants who suffer a breach that compromises account data may have their validation level escalated, typically to Level 1.
How Do You Remain PCI Compliant?
The most basic requirement fro remaining PCI compliant is 128-bit encryption protecting customer data anytime it comes into contact with your servers. However, the specific requirements for any given business varies since they are divided into one of four validation types (mainly based on the volume of card transactions undertaken each year). Merchants who suffer security breaches that lead to the compromise of data related to a customer account may have their validation level escalated
Who Does PCI Compliance Apply To?
PCI rules apply to any merchant or organization, no matter how large or small, that stores, processes, or transmits cardholder data. In practice that means any business that accepts payment by card. PCI compliance also applies to businesses that only take card details over the phone, and to those using a third-party payment processor: outsourcing payments to a hosted processor can greatly reduce the parts of your environment that are in scope (and lets you qualify for a shorter Self-Assessment Questionnaire), but it does not remove your obligation to comply.
Who is Responsible for Maintaining PCI Compliance?
A popular misconception regarding PCI compliance is that responsibility rests with the large institutions overseeing these transactions, such as the PCI Security Standards Council. Retailers also often believe that the vendor providing their point-of-sale technology or payment gateway is responsible for compliance. In reality, your business is entirely responsible for being PCI compliant, even where a third party handles part of the work.
Acquiring banks and the payment brands (Visa, American Express, etc.) are principally responsible for making sure that compliance is enforced. The PCI Security Standards Council publishes the standard but does not police compliance; enforcement is at the discretion of the card brands and of the merchant's acquirer.
Methods of enforcement include audits and fines. The card brands can fine acquiring banks thousands of dollars each month for a compliance violation, and banks tend to pass those fines on to non-compliant merchants, sometimes by raising transaction fees rather than billing them directly. After a breach, a non-compliant merchant can also be held liable for the cost of the forensic investigation and for the reissuing of compromised cards, and the acquirer may terminate the merchant account.
Positives of the PCI Compliance System
Apart from the obvious advantages of protecting customer data and avoiding fines, it is worth knowing that very few PCI compliant merchants have been breached in the nearly decade-long history of the Security Standards Council; breach investigations almost always find that the compromised merchant was out of compliance with at least one requirement at the time. Although PCI compliance is not itself a law in most jurisdictions (a few US states reference it in statute), it is a contractual obligation under your merchant agreement, and clearly a sound practice for anyone doing business in the 21st century.
Top Photo Source: Perspecsys Photos (https://www.flickr.com/photos/[email protected]) under http://creativecommons.org/licenses/by-sa/4.0