What is PCI Compliance?

Many businesses that accept credit card payments have asked, “What is PCI compliance?” “PCI” stands for Payment Card Industry. The PCI Security Standards Council is made up of representatives from the major international credit card associations, including AMEX, Discover, JCB, MasterCard and Visa. In 2006, this council established the Data Security Standard (DSS) to bring uniformity to the credit card industry and raise security standards to better protect card issuers, merchant processors and cardholders, as well as the businesses that accept cards.

PCI compliance means that a merchant meets the standards set forth by the council to provide improved security for the cardholder. A merchant must satisfy a number of requirements to be considered compliant. By taking the steps involved in making your business PCI compliant, you reduce the risk of fraudulent transactions at your business. Regardless of which payment processing service you use, you want to be sure that your business meets the highest security standards for processing payments. Not only does this help protect you from fraud and theft, it is also a requirement of the credit card associations in most regions of the world.

Am I Compliant or Non-Compliant?

Prior to 2006, your business was not required to be PCI compliant. However, with the rise in online fraud and credit card fraud overall, the standard was introduced to fight fraud more effectively. While PCI DSS is not, in itself, a law, it was created by all the major card associations. Merchants that do not comply with PCI DSS may be subject to non-compliance fines, card replacement costs, forensic investigation costs and other consequences in the event of a data breach.

There are many benefits to being PCI compliant. With the continuing rise in identity theft and credit card fraud, the systems used by merchants must be up to the task of protecting the number one asset: the customer. With these standards in place, fraud can be deterred and often prevented outright, saving businesses and card issuers billions of dollars per year. By following the standards, you establish credibility with your customers and maintain a positive reputation that helps bring repeat business and new clientele.

The difficulty, especially for smaller businesses, is the consistency needed to maintain compliance. Much like anti-virus software, the standards are continually checked, double-checked and revised as the need arises.

The Different Levels of PCI Compliance

PCI DSS defines a set of levels to address different business types. Each level depends on how many card transactions occur within a 12-month period, and different security practices are required at each level. Why the differences? If a local bookstore without an online presence is going to be compliant, why require it to establish a particular level of encryption on an online payment gateway it does not have? This multi-level system produces the best results for the different business types.

• Level 1 applies to businesses and processors that process more than 6 million card transactions annually.
• Level 2 applies to businesses that process 1 to 6 million card transactions annually.
• Level 3 applies to e-commerce businesses that process between 20,000 and 1 million card transactions annually.
• Level 4 applies to e-commerce businesses that process fewer than 20,000 card transactions annually.

A Few Examples of the DSS

• Changing the password on equipment used to process card payments; this reduces the risk of vendor-supplied default passwords being compromised.
• Maintaining a strict, easy-to-understand company policy on customer privacy and card data security.
• Maintaining and updating anti-virus software regularly.
• Assigning an individual login to each employee who accesses the computer or register.

(Source – Better Business Bureau)

Why Pay for PCI compliance?

You pay for PCI compliance for the same reason you pay for the ability to process card payments, and for the same reason you pay for advertising: you have invested time and money in building your business. Paying for PCI compliance is like paying for insurance.

PCI performs annual compliance checks on businesses. Larger-volume businesses may be required to have an external qualified security assessor conduct a validation of compliance, while smaller-volume businesses may be asked to complete a self-assessment questionnaire. No federal law requires these practices to be followed; some states, however, have passed laws that mandate practices similar to PCI DSS.

Theft of cardholder information is a pathway to all things bad for a business. It starts with a card number and a name; from there, a criminal can do anything from making fraudulent charges with the card to outright identity theft. Security practices in place at merchants that accept card payments go a long way toward preventing credit card fraud. PCI DSS is an industry standard established by a governing body of representatives from several card companies to help you provide secure payments for your customers.