Everything You Need to Know About PCI Compliance
By Jasmine Glasheen
If PCI compliance was a hot topic before the highly-publicized retail data breaches of 2018, then in the time since the breaches came to the surface the topic of PCI compliance has become positively trending. Since January of 2018, a minimum of 11 well-known retailers ––including Saks Fifth Avenue, Marriot Hotels, Planet Hollywood, Adidas, and Under Armour’s MyFitnessPal app, among others–– have reported large-scale customer data breaches within their companies.
The average cost of a data breach is on the rise. NBC News reports that a single data breach costs a company an average of $3.86 million, with the average cost for each lost or stolen record coming in at a whopping $148 per customer. And customers don’t just ‘forgive and forget’ when retailers fail to protect their personal or payment data. A recent study by KPMG found that 19% of customers would stop shopping with a retailer forever after a data breach and 33% would take a break from the retailer for “an extended period of time.”
By ensuring that your business is PCI compliant you can prevent data breaches from wreaking havoc on your company’s reputation, relationship with customers, and bottom line –– so let’s take a look at everything you need to about PCI compliance to run a successful business.
What does PCI stand for?
PCI actually stands for Payment Card Industry, but it is normally used as an acronym for the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS is a set of security standards put in place to ensure that companies which process or transmit customer payment information are doing so in a secure way. A few major credit card companies – Visa, Discover, Mastercard, American Express and JCB – banded together to create the PCI Security Standards Council (PCI SSC), which oversees the development and implementation of security standards to ensure that organizations are protecting customer data in the best way possible.
Where can you find a PCI compliance checklist?
Although PCI compliance isn’t federally mandated for small businesses, most states have laws from the PCI DSS in place to protect consumer payment information. Many of the larger credit card companies require businesses to be PCI compliant once they grow to a certain level (and we will talk about the various compliance levels in a moment). However, to ensure your business is PCI compliant without the help of your credit card company, you can self-assess your business through the PCI Compliance Checklist offered by the PCI SSC.
What is a PCI compliance manager?
A PCI compliance manager is a PCI SSC Qualified Assessor, or a member of an independent security organization that’s been certified by the PCI SSC to asses companies and organizations for PCI compliance.
Failing to maintain PCI compliance can cause your company to be subject to a class action lawsuit and/or a fine of up to $5,000 to $100,000 a month (that your company is in violation) in addition to the inevitable loss of business that happens when a data breach compromises customer payment information.
However, you may opt to partner with a PCI compliant credit card company and a PCI compliant merchant services provider to eliminate your risk of non-compliance.
PCI compliance levels
There are 4 levels of PCI compliance, and which category your business falls under is determined by how many transactions your business processes annually. Let’s take a quick look at what 3 of the top credit card companies require for each level, keeping in mind that credit card processing companies outside of the 3 we cover here– such as American Express – have different minimums for each PCI compliance level.
Level 1: This is the highest level of PCI compliance. To require Level 1 PCI compliance, a business needs to process over 6 million transactions on Mastercard, Discover, or Visa cards.
Level 2: Level 2 PCI compliance is required of businesses that process 1 to 6 million transactions on Mastercard, Discover, or Visa Cards.
Level 3: For a business to need to be Level 3 PCI compliant, it needs to process 20,000 to 1 million transactions via Mastercard, Discover, or Visa.
Level 4: This is the most basic level of PCI compliance, and it’s required of all businesses that process under 20,000 transactions a year on Mastercard, Discover or Visa.
Who is responsible for PCI compliance?
There’s a common misconception that PCI compliance is presided over by the PCI SSC and that it’s their job to ensure all companies meet security standards, but it is not actually the PCI SSC’s job to ensure that your business is PCI compliant.
Although PCI compliant merchant services providers can ensure that your business is PCI compliant, it’s also not your merchant service provider’s job to ensure that your business meets compliance standards, unless it’s explicitly outlined in your contract with that business. But in the end, the burden falls on the business owner (you) to achieve and maintain PCI compliance.
How do you become PCI compliant?
There are a few ways to ensure your business is PCI compliant. First, you can do a self-assessment of your business through the PCI compliance checklist, as mentioned above.
Second, you can work with a PCI certified merchant services provider. Some merchant services providers will add a PCI compliance fee to your bill, although certain payment processors, such as Payment Depot, provide PCI compliant processing as part of their value proposition at no additional charge.
Third, you can work with a PCI-approved scanning vendor, which we will talk about in more detail about in a minute.
What is a PCI audit?
If you don’t see a PCI compliance fee on your bill, it’s worth touching base with your payment processing company to ensure that this is something they’re providing so you don’t get hit with any nasty surprises, such as a PCI audit that your business isn’t prepared for.
Keep in mind that all businesses that process customer payment information are subject to PCI audits by PCI SSC qualified assessors. Businesses that fall under Level 1 PCI compliance will need to do an annual audit, which means a PCI SCC certified assessor will put your business through PCI testing to ensure your security measures are up to snuff.
Any suspicion of a PCI compliance violation is enough to merit an additional audit. If your business passes the PCI audit you will receive a PCI certification that proves that your business if taking all of the necessary measures to protect customer data.
What are PCI-approved scanning vendors?
The easiest way for your business to become PCI certified is by working with a PCI-approved scanning vendor (ASV). PCI-approved vendors are merchant services providers that are certified in the fine art of helping businesses like yours achieve PCI certification, so they can cut through the confusion of trying to become PCI certified on your own.
By working with a merchant services provider that is PCI certified and potentially enlisting a PCI approved scanning vendor to double-check your internal operations, you’ll be able to eliminate the risk of a data breach happening at your business and you’ll be able to ensure all of your customers that their payment information is 100% secure.