Though the Payment Card Industry Data Security Standard (PCI DSS) applies to every merchant who accepts payment cards, many merchants lack a clear understanding of what PCI DSS is or how it is enforced. That puts them at a serious disadvantage when it comes time to make decisions about compliance, and it is a particular problem for new or aspiring business owners.
So how can you explain PCI compliance and penalties to a beginner? Below are four key points to convey.
1) PCI is a set of industry rules – not a law.
One common misconception is that PCI DSS originates with the government, like HIPAA and other regulatory security requirements. It does not. PCI DSS was created by the payment card brands, and it binds a merchant through the contract the merchant signs with its acquiring bank, not through statute. Compliance is a condition of being allowed to process, transmit, and store payment card data, and the standard generally encourages sound security practice, but PCI DSS is not a law.
The rules were instituted to reduce payment card fraud, the cost of which ultimately fell on the card brands and their member banks. An independent body, the PCI Security Standards Council (PCI SSC), was established by the major card brands in 2006 to maintain the standard and educate the industry.
However, the Security Standards Council does not penalize merchants directly.
2) Non-compliant merchants are penalized by their acquiring banks.
If a merchant suffers a breach and is found to have been non-compliant at the time, it may be fined, and the fines can be steep. Depending on the circumstances, commonly cited penalties range from $5,000 to $100,000 per month until every compliance issue is remediated, in addition to the cost of the forensic investigation itself. A merchant that does not resolve the problem satisfactorily can have its ability to accept cards revoked entirely.
But here’s the key thing to remember about PCI compliance fines: merchants are not fined by the Security Standards Council. Instead, the card brands penalize the merchant’s acquiring bank – and the bank has the ability to pass the loss along by assessing a fine on its non-compliant merchant.
This enforcement structure is important for merchants, and particularly new merchants, to understand. Because acquiring banks carry the financial exposure for their merchants' security, they are given latitude in how they enforce PCI DSS, and two acquirers can treat the same merchant quite differently. That is one more thing to weigh when choosing an acquiring bank.
3) Acquiring banks determine how a merchant must demonstrate compliance.
Since acquiring banks are responsible for enforcing PCI compliance, they decide how a merchant must validate it (and how non-compliance is penalized), working within the merchant levels the card brands define by annual transaction volume.
There are two main ways merchants validate compliance. Smaller merchants typically complete a Self-Assessment Questionnaire (SAQ), a checklist they work through on their own; which SAQ type applies depends on how the business handles card data, so an e-commerce merchant that fully outsources its payment page answers a far shorter questionnaire than one that stores cardholder data on its own systems. Larger merchants, and any merchant the acquirer considers higher risk, must undergo an on-site assessment by a Qualified Security Assessor (QSA), a third-party assessor certified by the PCI SSC, which results in a Report on Compliance (ROC). Which form of validation a particular business must use is set by its acquiring bank, guided by the card brands' merchant-level thresholds.
From the merchant's perspective, each approach has advantages and disadvantages. Self-assessment may seem less daunting, but it leaves room for error, including simple misinterpretation of the requirements, and the SAQ is a signed attestation, so a requirement ticked off in good faith but misunderstood is still a false attestation if a breach later exposes it. Several SAQ types also require quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), so self-assessment is rarely just paperwork. A QSA assessment takes more effort and costs more, but it gives the merchant (and its bank) far more confidence that the controls actually exist and work as described. Merchants should consider what each approach would require of their business and discuss it with their acquiring bank before choosing.
4) PCI compliance rules can be a useful resource.
It’s not unusual for business owners to feel frustrated by rules and requirements like PCI. Few get excited by additional obligations that call for spending more time and money. But the most productive way for merchants to think about PCI is as a set of continuously evolving security best practices.
The threat landscape is in constant flux, with new attack techniques and vulnerabilities emerging all the time. Simply keeping up with the most effective ways to protect an organization and its customers can be (and in larger businesses usually is) a full-time job. Yet security is increasingly essential for merchants: a breach can mean major financial, legal, and reputational damage.
The standard is revised as threats change (it was at Version 3.0 at the time of writing), which makes it a useful resource for business owners: following it helps merchants keep their security measures current and lets their customers do business with confidence. Business owners can use the PCI Security Standards Council's website for small and medium-sized businesses to learn more about the compliance requirements that apply to them and about security strategies suited to businesses of their size. New business owners are encouraged to learn all they can about PCI DSS and to use the resources available to protect themselves and their businesses.
In his role as partner with LBMC Security & Risk Services, Mark directs the firm’s resources to craft security solutions that mitigate security risks in a way that is practical and relevant to the organization’s environment. Mark has received numerous commendations for his contributions to information security on behalf of his employers and the community at large. Most recently, the Information Systems Security Association (ISSA) named Mark a Fellow, one of a handful of individuals recognized for their accomplishments in information security, leadership, and service to the association and profession.