You may have recently received some information in the mail regarding “PCI compliance.” Or, perhaps you just noticed a “PCI Validation Fee” on your monthly merchant processing statement. Or, maybe a sales representative for a merchant processor called to inform you that your credit card machine isn’t PCI compliant.
All of these are common scenarios that lead a business owner (or manager) to start asking questions. That said, if a sales representative calls to tell you that your credit card machine is non-compliant, chances are it's just a ploy to sell you on their services.
In the complex world of credit card processing, obtaining straightforward answers isn’t always easy. And, PCI compliance isn’t usually something that’s mentioned much during the opening of your merchant account.
So, let’s start with the basics.
PCI compliance, in a nutshell. And yes, it does apply to your business.
First off, what does “PCI” actually stand for? Well, you know how much the financial industry loves its acronyms. PCI stands for Payment Card Industry, which is made up of the various card issuers (Visa, MasterCard, Discover, etc.). Together, they have set standardized requirements designed to ensure companies that process, store, or transmit credit (or debit) card information do so in a secure manner.
The Payment Card Industry has stated that their requirements apply to all merchants, regardless of size or number of transactions.
These requirements include, but are not limited to, the secure handling of cardholder data (account number, expiration date, name, address, etc.), the proper disposal (i.e., shredding) of cardholder data, defined procedures for employees who handle sensitive information, and a secure network (phone or Internet) for the transmission of transaction information.
What should I do to make sure I’m in compliance?
The first (and perhaps easiest) thing to do is to call your merchant service provider and check on the status of your PCI validation. They’ll be able to tell you if you’re currently compliant. If you’re non-compliant, they should then be able to provide you with the appropriate steps you need to take to certify your compliance.
For some processors, this involves completing a questionnaire (sometimes over the phone or online), in which you’ll be asked a series of questions regarding your handling of information. For merchants who process over the Internet, you might also be asked to perform a vulnerability scan of your network.
Certifying your compliance benefits your business.
While it might initially seem like a hassle, certifying your compliance is something you should definitely consider. The consequences of a data security breach have the potential to be quite costly. A data breach might seem unlikely to you, but breaches can (and do) happen.
Most PCI certification programs carry some kind of data theft indemnification coverage, in the event that you do have a breach of cardholder data. So long as you’re complying with the PCI requirements, this coverage can range upwards of $50,000. The monthly PCI validation fee (or annual, depending on your processor) is a small price to pay for the potential costs you could face should your business not certify its compliance.