Cleveland Merchant Services - PCI Compliance

Who Needs to be PCI Compliant? What if I’m Not?

For most merchants, PCI Compliance and its components seem a daunting, confusing task (and for many banks and processors as well). Aligning yourself with a Merchant Services provider, like our team at Renaissance Solutions Group, that can guide you through the process and minimize your time, work, and cost is therefore critical to the success of your business.

With the increase in data breaches at major retailers (Target, Home Depot, etc.), protecting customer payment card data is more important than ever. As we covered in a recent blog post, "Does Your Business Need EMV (Smart Chip) Terminals?", there has been a switch to more secure credit cards for in-person transactions. An issue of perhaps even greater importance to every retailer charged with protecting customer data, however, is PCI compliance: being compliant with the PCI standards.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. In practice, that means any merchant that has a Merchant ID (MID).

The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards, with a focus on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).

Who Needs to be PCI Compliant?

If your business takes credit cards as a form of payment, you need to be PCI compliant. It does not matter how many sales you have, the size of your company, or how you take credit card information: PCI applies to any organization that has any customer paying with a credit card.

What Happens if You're Not PCI Compliant?

Not being compliant with PCI standards can deal a huge blow to your business, not only in fines but to your reputation should there be a breach. The PCI Security Standards Council (PCI SSC) continually monitors occurrences of account data compromise across the full spectrum of organizations, from very small to very large merchants and service providers.

If you are found not to be compliant with PCI standards, you could face regulatory notification requirements, financial liabilities (fees and fines) and litigation, in addition to the hit to your business's reputation and the loss of customers.

PCI Compliance Fines

Penalties for not being PCI compliant are not widely publicized, but they can be paralyzing to a small business. The payment brands (Visa, AmEx, Discover, MasterCard) levy fines of $5,000 to $100,000 per month for PCI compliance violations on the bank. The bank then passes the fines down to the violating merchant and usually either ends its relationship with the merchant or increases fees, making it much more expensive to accept credit cards as payment.

How to Become PCI Compliant

Whether you're assessing your current PCI compliance status or starting a new business and want to make sure you are PCI compliant, follow these two steps to make sure that when you accept credit cards as a form of payment you are not exposing customers to the risk of a data breach and your business is safe from fines.

Step 1. Determine Which SAQ Type(s) Applies to Your Organization

Self-Assessment Questionnaires (SAQs) are provided by the PCI SSC to help your organization comply with PCI standards. You can find the "Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire" on the PCI Security Standards Council (PCI SSC) website, or click the title to download a print version.

Below is an image that gives a brief overview of the different types of SAQs that could apply to your business. Use it to help determine which Self-Assessment Questionnaire you should use to check your PCI compliance status.

[Image: overview of the PCI SAQ types]

Step 2. Follow the SAQ that Best Applies to Your Environment

Once you have determined which set of questions applies to your business (the SAQ type), use the link "Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire" to work through your self-assessment of PCI compliance.

Maintaining Your PCI Compliance


PCI SSC Website - Your Best PCI Compliance Resource

Compliance is an ongoing process, not a one-time event. To maintain your PCI compliance, return to the PCI Security Standards Council website each year to review the updated self-assessment questionnaires, and sign up for periodic updates from the Council.

PCI Compliance Questions

Attaining and maintaining compliance is never an easy process, but the resources available from the PCI SSC and the resources you have at Renaissance Solutions Group can help. It is your job, as the retailer or merchant, to protect your customers' data from theft, and we want to help you. If you have any questions about PCI compliance, please contact Renaissance Solutions Group at (440) 853-6710 or use the contact us form on the website.

Posted in Credit Card Processing, EMV, Merchant Services, NFC Technology, PCI Compliance, Smart Chip Processors, Smart Chip Technology.