PCI Compliance and Your Business
PCI DSS compliance within your business is extremely important. After all, it is probably safe to say that, next to your family, your business is the most important thing in your life. So why are so many merchants offended by the PCI compliance regulations? The PCI DSS regulations are not, despite some popular belief, a bank scam to make more money on credit card processing accounts. I believe that this view can be simply explained by realizing that PCI compliance has never been explained properly. So what I would like to do is simplify PCI by looking at:
- Who and What is PCI?
- Why should you care about PCI-DSS?
- How to be PCI compliant and register that compliance.
- The cost of being or not being PCI compliant.
- The predicted outcome of PCI compliance.
So who and what is PCI DSS? Quite frankly, it is the unfortunate reality of an age where criminals are no longer easy to spot lurking in dark alleys. Some of the country’s most cold-hearted criminals look like pimple-faced teenagers and white-collar businessmen. They spend their days looking for newer and easier ways to literally steal people’s lives. PCI compliance is a big step in this modern-day war, and it puts you, the business owner, on the front lines of defense. PCI DSS stands for the Payment Card Industry Data Security Standard. This standard was created to provide security practice guidelines for business owners, helping to protect their customers from identity theft.
The PCI DSS guidelines were created as credit card fraud became an increasing problem for consumers and card-issuing banks. Not only are consumers losing billions a year and demanding a safer banking system, but banks are taking tremendous losses due to credit card fraud. So the card-issuing banks partnered to create an independent council whose job is to analyze the credit card payment systems for weaknesses and propose best management guidelines for business owners and credit card payment companies to follow. YES, all businesses accepting credit card payments and the members of the payment card industry (financial institutions and credit card companies) must comply with the PCI DSS standards AND register their PCI compliance, or face potentially stiff penalties in the event of a security breach resulting in credit card fraud.
Why should you care about PCI compliance? They might not make the headlines, but a fact many business owners don’t realize is that over 80% of all identity theft breaches in the United States occur within small businesses! It seems all we remember is when Chase, Heartland, or Sony have their systems hacked and customer information, including thousands of credit card numbers, is stolen. Yet the vast majority of the credit card numbers for sale on the black market, and those used for credit card fraud, are traced to poor practices at a small business. There is no more valuable asset to any business than its hard-earned clientele. These customers count on businesses to take reasonable steps to protect them while making their shopping experience as easy as possible. The Data Security Standards Council has created not only a list of Best Management Practices but also an enforceable list of penalties for merchants who are not compliant and have a breach in security resulting in credit card fraud. These penalties can be:
- Fines of up to $500,000
- You may be “black listed” from EVER being able to accept credit cards again
- Your business may be subject to consumer lawsuits
- Forensic investigation fees of $10,000-$20,000
- Being held responsible for reimbursing fraudulent purchases and charge-backs incurred from use of the stolen information
- Being held responsible for the cost of replacing your customers’ credit cards at $20-30 each!!!
PCI compliance and its associated fees are in no way to be considered insurance; however, by registering your compliance you can alleviate or mitigate many of the liabilities and fines. Some credit card processors also offer to help offset any fees or penalties if you are registered as compliant and have a breach. Many small businesses cannot afford to survive the mess of fines and paperwork in the event of a security breach. So PCI compliance is not only in the best interest of your business’ most valuable asset, but is also a reasonable step to protect your business itself.
How do you get PCI compliant and register that compliance? It is not enough to simply purchase PCI-compliant terminals or software; you must adhere annually to the applicable policies set by the PCI DSS (Payment Card Industry Data Security Standard) council. The current version of the DSS consists of 12 requirements that you can check off:
1. Install and maintain a firewall configuration to protect customers’ credit card data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored credit card information
4. Encrypt transmission of CC data across open, public networks
5. Use and regularly update anti-virus software on all systems commonly affected by malware
6. Develop and maintain secure systems and applications
7. Restrict access to sensitive data on a need-to-know basis
8. Assign a unique ID to each person with computer access
9. Restrict physical access to CC information
10. Track and monitor all access to network resources and card data
11. Regularly test security systems and processes
12. Maintain a written policy that addresses credit card data security
Once you have ensured that the 12 policies have all been addressed, you will need to register that you are compliant. This is easily accomplished by contacting a Qualified Security Assessor (QSA), such as Control Scan, that is approved by your credit card processor and taking the short Self-Assessment Questionnaire (SAQ). This questionnaire will be reviewed by your QSA and reported to your processor. If your point of sale transmits data over an internet or local area network connection, you will be required to have vulnerability scanning done on a quarterly basis; these scans identify weaknesses in operating systems, services, and devices that could be used by hackers to target the company’s private network. These network scans are completed by an Approved Scanning Vendor (ASV) and are not intrusive to your daily operations.
What is the cost of PCI compliance? The cost of PCI DSS compliance can vary greatly and does depend on your business’ sales volume. Most businesses can expect to pay anywhere from $49 - $299 annually for registering PCI compliance. Some processors will break this cost into monthly payments to make it easier to pay. Likewise, the cost of NOT being PCI compliant can vary greatly as well. The most common practice is to issue a PCI Non-Compliance fee on a monthly basis for every month that a merchant is not compliant, as a means of encouraging compliance. These “fines” can range from $12 - $49/month!
What are the predicted outcomes of the enforcement of PCI DSS compliance? It may sound overwhelming; however, achieving PCI compliance is incredibly quick and easy. As a matter of fact, completing the compliance process and registration should take no more than about 1 hour a year. In that 1 hour you are taking steps to protect your customers from credit card fraud while establishing good security standards for your business.
Kinda makes you miss the days when you knew who to be afraid of, doesn’t it?! A reliable credit card processor or merchant service provider can be your best partner. If you are not getting the service you deserve at a price that you can afford, the Merchant Doctor is here for you.
For more great information check out our post on Mobile Credit Card Payments!