PCI (payment card industry) compliance may not be an expression you hear often as a business owner. However, non-compliance has a noteworthy impact on the level of risk your business assumes in payment processing if you accept credit and debit cards from customers as a form of payment.
Despite the media headlines that tend to focus on significant data breaches that impact major retailers and government entities, and the millions of customers whose data may be at risk when such a breach occurs, small businesses are especially at risk for a payment security breach. In fact, experts estimate over 60% of security breaches target small- to medium-sized businesses. Often, smaller businesses are targeted purely because they are perceived as easy targets by hackers who presume (often correctly) that a small business won't have the proper security standards in place that make it difficult for thieves to access sensitive payment data they can use to commit further fraud.
Though PCI compliance standards have been in place since 2006, there remains quite a bit of misinterpretation and bewilderment about what it means to be PCI compliant, and why it matters for the protection of your customers and company. Here are some regularly asked questions about PCI compliance.
Am I legally required to follow PCI compliant standards to accept credit and debit card payments?
PCI (which is short for "payment card industry") compliance isn't the law, but it's a set of security standards that was established in 2006 by leaders in the payment card industry to protect payment networks, processors and financial institutions, businesses that handle sensitive customer payment data, and customers who pay using credit and debit cards. Though you cannot be held legally liable simply for not being PCI compliant, you can be if your business is involved in a breach and is found not to be PCI compliant. Depending on the nature of the breach and its impact, you could be subject to thousands of dollars in fines and fees, and possibly lawsuits.
Isn’t my business too small to worry about a breach?
All businesses that accept customers' credit and debit cards for payment are responsible for protecting the sensitive data that corresponds to the payment method, and the processes followed during its verification and approval, throughout and after transaction processing. Under PCI compliance standards, sensitive data refers to information such as a customer's 16-digit account number, the account number combined with the customer's name, expiration date or service code, the data on a card's magnetic stripe, and the security codes printed on a card.
With that said, the payment card industry security standards distinguish which PCI compliance standards merchants should follow based on the number of credit and debit card transactions they process over the course of a yearlong period and the payment brands they accept. For example, small businesses that process less than 20,000 transactions online, or less than one million credit or debit transactions in any channel, should follow Level 4 PCI compliance standards. This includes using payment acceptance and processing pages that are delivered directly from a third-party, PCI-validated service provider.
Don’t all payment processors guarantee PCI compliance?
A payment processor that touts a "secure transaction" and one that guarantees PCI-compliant processing are not necessarily one and the same. When you partner with payment processors that guarantee PCI compliance throughout the complete transaction process, you have the assurance that they use tokenization technology and current encryption designed to protect sensitive data, and that their processes keep pace with the latest iterations of the PCI standards, which change as technology and breach sophistication evolve. Additionally, PCI compliance isn't just about what happens behind the scenes in transaction processing: the PCI standards specify that a business should not keep written records of customers' credit card numbers, even in circumstances when payment processing terminals temporarily malfunction.
Does PCI compliance mean I can’t accept credit cards by phone?
No, but it does set out specific standards that call centers should follow when processing customers' payment information by phone, including never retaining the 3- or 4-digit verification number on the card, or the full 16-digit personal account number.
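The storage rules described above (keep a token rather than the full account number, never persist the card verification code, and keep card numbers out of written or logged records) can be checked in code. The example below is added here and is not from the original article or any payment provider; the in-memory vault dict stands in for a hypothetical PCI-validated tokenization service, and the card number used is a constructed test value.

```python
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Return True if a digit string passes the Luhn check used by card account numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def tokenize_card(pan: str, expiry: str, cvv: str, vault: dict) -> dict:
    """Hand the PAN to the (hypothetical) vault and return only what the merchant may keep."""
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19 and luhn_valid(digits)):
        raise ValueError("not a valid card account number")
    token = secrets.token_hex(16)
    # Only the tokenization provider holds the full account number.
    vault[token] = {"pan": digits, "expiry": expiry}
    # The verification code (cvv) is used solely for the authorization request;
    # it is intentionally absent from both the vault entry and the merchant record.
    return {"token": token, "last4": digits[-4:], "expiry": expiry}


# 13 to 19 digits, optionally separated by spaces or dashes, not inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def redact_pans(text: str) -> str:
    """Mask any Luhn-valid card-number-looking run in log text, keeping only the last four digits."""
    def mask(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group(0)   # order ids and similar numbers that fail Luhn are left alone
    return PAN_RE.sub(mask, text)
```

Run `redact_pans` over anything that is written to disk (application logs, support tickets, terminal error reports) so that a malfunctioning terminal does not turn into a stored copy of the account number.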
How do I know if my business is PCI compliant?
PCI compliance is a mixture of using PCI-compliant payment processors and maintaining the security of your business's IT infrastructure, hardware, software, networks and POS processes. The PCI Security Standards Council recommends that all organizations that accept debit and credit cards conduct internal and external vulnerability scans at least once every quarter. An external PCI compliance scan reviews the network connections that attackers could reach from outside the network; internal scans validate the security of the networks, firewalls, point-of-sale equipment, computers and devices used in your business that could be compromised from within. There are many vendors who provide for-hire solutions to help small businesses conduct audits to detect probable vulnerabilities that could lead to a breach if left unaddressed.
PCI compliance involves added measures on your part, but acquainting yourself with the security standards and implementing them in your processes is well worth the effort when it comes to limiting your business's exposure to risk.