Although payment card industry (PCI) compliance standards have been around since 2006, there is still quite a bit of misunderstanding and confusion about what it means to be PCI compliant and why it matters for protecting your company and your customers. Here are some frequently asked questions about PCI compliance.
Am I legally required to follow PCI compliant standards to accept credit and debit card payments?
PCI compliance isn’t law, but a group of security standards developed in 2006 by leaders in the payment card industry to protect payment processors, networks and financial institutions, businesses that handle sensitive customer payment data, and customers who pay using credit and debit cards. Though you cannot be held legally accountable simply for not being PCI compliant, you can be held accountable if your business is involved in a breach and is found to be non-compliant. Depending on the nature of the breach and its impact, you could be subject to thousands of dollars in fines and fees and, potentially, lawsuits.
Isn’t my business too tiny to worry about a breach?
Any business that accepts customers’ credit and debit cards for payment is responsible for protecting the sensitive data tied to the payment method, and for the processes used to verify and approve it, both during and after transaction processing. Under PCI compliance standards, sensitive data refers to information such as the 16-digit account number (alone or together with the customer’s name), the service code, the expiration date, the data on a card’s magnetic stripe and the security codes.
That said, the PCI security standards distinguish which compliance standards merchants should follow based on the number of credit and debit card transactions they process over a year and the payment brands they accept. For example, small businesses that process fewer than 20,000 transactions online, or fewer than one million debit or credit transactions in any channel, should follow Level 4 PCI compliance standards, which include using payment acceptance and processing pages that are delivered directly from third-party, PCI-validated service providers.
Don’t all payment processors guarantee PCI compliance?
A payment processor that touts a “secure transaction” and one that guarantees PCI-compliant processing aren’t necessarily one and the same. When you partner with payment processors that guarantee PCI compliance throughout the whole transaction process, you have the assurance that they use current encryption and tokenization technology designed to protect sensitive data and that their processes keep pace with the latest iterations of the PCI compliance standards, which change as technology and breach sophistication evolve. Additionally, PCI compliance isn’t just about what happens behind the scenes in transaction processing: the PCI standards state that a business should not keep written records of customers’ credit card numbers, even when payment processing terminals temporarily malfunction.
Does PCI compliance mean I can’t accept credit cards by phone?
No, but it does outline specific standards that call centers should follow when processing customers’ payment information by phone, including never retaining the 3- or 4-digit verification number on the card or the full 16-digit personal account number.
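The two rules above (never retain the card verification code, never retain the full account number) are the kind of thing a call-center or point-of-sale application should enforce in code before any record is written, and the kind of thing a periodic check should look for in existing logs. The following Python is an added example written for this page; it is not BluePay’s code and not part of the PCI standards. It assumes field names such as `pan` and `cvv`, assumes a retention policy of keeping only the last four digits of the account number, assumes a 13–19 digit length range for card numbers, and uses a constructed record and constructed log lines built around the well-known Visa test number 4111 1111 1111 1111 rather than any real card.

```python
import re
from typing import Dict, List

# Runs of 13-19 digits, optionally separated by single spaces or dashes.
# The length range is an assumption chosen to cover common card brands.
_PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check that
    payment card numbers satisfy (used here to reduce false positives)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep only the last four digits of the account number; everything
    else becomes '*'. Keeping the last four is this example's assumed policy."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def sanitize_record(record: Dict[str, str]) -> Dict[str, str]:
    """Build the record an agent is allowed to store: the verification
    code is dropped entirely, the account number is truncated, and all
    other fields are copied unchanged. Field names are assumptions."""
    cleaned: Dict[str, str] = {}
    for key, value in record.items():
        if key in ("cvv", "cvc", "security_code"):
            continue            # never written anywhere
        if key == "pan":
            cleaned[key] = truncate_pan(value)
        else:
            cleaned[key] = value
    return cleaned


def find_pan_leaks(log_lines: List[str]) -> List[int]:
    """Return the 0-based indices of log lines that contain a Luhn-valid
    full card number, i.e. lines where a card number was stored by mistake."""
    leaks: List[int] = []
    for i, line in enumerate(log_lines):
        for match in _PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", match.group(0))
            if luhn_valid(digits):
                leaks.append(i)
                break
    return leaks


# Constructed sample data (not real customer data); 4111 1111 1111 1111
# is the widely published Visa test number.
SAMPLE_RECORD = {
    "customer": "J. Doe",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/27",
    "cvv": "123",
    "amount": "42.00",
}

SAMPLE_LOG = [
    "2024-05-01 10:02:11 order=1001 customer=J. Doe amount=42.00 pan=************1111",
    "2024-05-01 10:05:42 order=1002 note='customer read card 4111 1111 1111 1111 over phone'",
    "2024-05-01 10:07:03 order=1003 ticket=1234567890123 status=ok",
]

if __name__ == "__main__":
    print(sanitize_record(SAMPLE_RECORD))
    print("lines containing a full card number:", find_pan_leaks(SAMPLE_LOG))
```

The third sample log line shows why the Luhn check matters: a 13-digit ticket number is the right length to look like a card number, but it fails the check and is not flagged, while the free-text note on the second line, where an agent typed the number the customer read out, is caught.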
How do I know if my business is PCI compliant?
PCI compliance is a combination of using PCI-compliant payment processors and maintaining the security of your business’s IT infrastructure, hardware, software, networks and point-of-sale processes. The PCI Security Council recommends that all organizations that accept debit and credit cards conduct internal and external vulnerability scans at least once every quarter. An external PCI-compliance scan reviews the network connections an attacker could reach from outside your network; internal scans validate the security of the networks, point-of-sale equipment, firewalls, devices and computers used in your business that could be breached. Many vendors provide for-hire services to help small businesses conduct audits that detect vulnerabilities which could lead to a breach if left unresolved.
PCI compliance requires additional measures on your part, but familiarizing yourself with the security standards and building them into your processes is well worth the effort when it comes to reducing your business’s exposure to risk. Learn more with our complete PCI compliance FAQs.
About the Author
Kristen Gramigna is the chief marketing officer for BluePay, a credit card processing firm. She has more than 20 years’ experience in the bankcard industry in direct sales, sales management and marketing. Follow her on Twitter at @BluePay_CMO. Check out one of her previous posts here.