If you accept credit cards at your business, you’ve no doubt heard of PCI compliance. You might know that you need to be compliant. You might have a vague idea of the steps you need to take to protect card data.
You probably realize it’s important, somehow. But you might not know what it is, really.
We’re here to break it down for you.
PCI compliance, defined
PCI compliance might confuse you. It might stress you out. It might even scare you. But, honestly, that’s probably just because you’ve made it out to be more than it is. Sure, it’s a serious matter and it’s important, but it’s not difficult to be compliant if you know what steps you need to take.
So, here it is.
The Payment Card Industry (PCI) has come up with a list of requirements that all merchants need to meet in order to keep their customers’ credit card data safe and, thus, be in compliance with the regulations.
That’s it.
What does it mean to be PCI compliant?
Being compliant simply means that you’ve taken the steps required to handle credit card info in a secure manner to reduce the risk of having that data stolen.
It means you’ve assessed your card handling procedures, your business processes, your IT infrastructure, and your payment hardware to identify and address threats that might compromise card data.
Who needs to be compliant?
You might think that because you only accept credit cards online or you’re such a small store that PCI compliance doesn’t apply to you, but this is a common misconception that could get you in trouble.
The fact is every business that processes, stores, or transmits credit card data must be compliant and provide compliant reports to the credit card companies they work with. It doesn’t matter how you accept cards, how much volume you process, or how big or small your company is.
That being said, there are four different levels of compliance with unique requirements based on your company's total annual transaction volumes.
The Payment Card Industry Security Standards Council takes credit card security seriously, and a lack of knowledge or ignorance on your behalf isn’t an excuse to be non-compliant. Compliance is your responsibility.
How to become PCI compliant
There are many steps you may need to take to become PCI compliant. One of the best things you can do, however, is invest in the right technology. For example, data encryption and tokenization offer extra layers of payment security that prevent sensitive card details from being stored in their original form.
Tokenization replaces credit card data with a “token,” so the real card numbers are never stored but the card can be used for future transactions, such as with “one-click” online checkouts. This can help ensure secure card transactions and reduce your financial and legal responsibilities in the case of a breach.
Using a cloud-based payment gateway can also help since it stores sensitive card data offsite on PCI-compliant servers for ultimate security.
Other steps you may need to take include:
- Not writing down customers’ card data for orders taken over the phone
- Not storing original credit card data for future transactions
- Upgrading to a PCI-compliant POS system and payment terminals
There are many other requirements you may need to take in order to be fully compliant. Visit the PCI Security Standards website for a complete list of requirements based on your transaction volume. Above and beyond meeting the requirements, you’ll also be required to fill out the PCI DSS Self-Assessment Questionnaire, a checklist up to 87 pages long, to prove your compliance.
What can happen if you’re non-compliant
Sure, you can get away with being non-compliant for a while, maybe even years. But this is a seriously risky game to play.
That’s because you can face steep fines and penalties if you’re found to be non-compliant after a data breach. And FYI, data breaches have been occurring more and more often, and they don’t just involve huge corporations – those are just the only ones that make it to the news.
Thinking, “it’ll never happen to me” is a huge mistake. And it could lead to $100,000 in fines a month!
If a breach or financial attack occurs and your business has been found to be PCI compliant, it will lessen your liability.
Of course, you want to protect your customers’ data. You also want to protect your reputation and your bottom line. PCI compliance helps you do both. These credit card rules and regulations are in place to protect everyone involved from data breaches and financial attacks. It pays to ensure payment processing security and stay PCI compliant.