For the last year or so we’ve been talking quite a bit about EMV (Europay, MasterCard, Visa) also known as Chip card or Chip and PIN card, but we shouldn’t forget that PCI also impacts business owners and merchants every day. The payments world is full of what we fondly refer to as alphabet soup, those acronyms and abbreviations related to credit card processing and data security. Each time you open your bank statement you’re reminded of them, but do you really know what PCI-DSS stands for and why it is important?
PCI-DSS stands for Payment Card Industry Data Security Standard. It is a set of requirements created to keep customer payment card data secure. All companies that process, store, or transmit credit card information are required to comply with PCI-DSS.
Benefits of Compliance:
Compliance with PCI-DSS assures that your systems meet payment card industry standards for data security. Aside from the security your business receives by being PCI-DSS compliant you benefit as well from increased customer confidence and trust, which in turn may increase sales and customer loyalty. Knowing that their information is more likely to be safe and secure, customers are more likely to do business with you again, and recommend you to others.
PCI-DSS compliance is a requirement for processing, passing and or storing credit card data.
Consequences of Non-Compliance:
There are penalties and consequences if your business is not PCI compliant and you experience a data breach. One data breach, no matter the amount or size of the breach, could put you out of business. Merchants that are not PCI-DSS compliant will face fines associated with a breach from the payment card issuer, and may also be subject to claims for damages from the victims whose information was stolen. Merchants may also experience significant damage to their reputation, and a loss of customer trust.
How to become PCI Compliant:
he first step is to review the PCI-DSS Quick Reference Guide. This guide is provided by the PCI Security Standards Council and will assist in understanding the full scope of being PCI compliant.
Next, you want to evaluate the systems you use to run your business. Depending on the nature and scope of your business operations, you may be required to complete a self-assessment questionnaire, or you may need to engage a third-party assessor to review your systems and processes. The way your business accepts credit cards, such as card-not-present (e-commerce) or through a payment terminal, may also affect which requirements you must meet. Based on the results of the evaluations, you may need to upgrade your systems and processes, or add additional hardware and/or software security.
One of the most frequently asked about general requirements- The Vulnerability Scan:
While there are many requirements under the PCI compliance rules, one of the most frequently asked about is the Vulnerability Scan. Businesses that have external-facing IP (Internet Protocol) addresses connecting to their cardholder data must complete a scan every quarter, and after any significant change in the network, by a PCI approved scanning vendor. The scan will identify security threats, such as outdated versions of software, or misconfigured networks.
If an issue is found, merchants will be required to go through a defined process to fix the issues to meet this requirement for PCI-DSS compliance.
Merchants, software and hardware vendors alike, we must all do our part in demonstrating compliance. Whether you are a large merchant that must go through a full ROC / Assessment process or you are a mid/small merchant able to take advantage of a self-assessment, each year you must submit the assessment you’ve completed to the acquiring bank and processor partner that you do business with.
It takes time and effort to maintain your PCI- compliant status, but it is well worth it. Having your customers’ trust and confidence goes a long way in today’s credit card acceptance environment. “You’ve worked hard to build your business, make sure you secure your success by securing your customers’ payment card data.”- PCI Security Standards Council website