PCI Compliance (And Why It Really, Really Matters)
Starting a business is complicated, to say the very least. In between business proposals, SWOT analyses and market positioning, the last thing on your mind may be things like PCI compliance. So if the term “PCI compliance” sounds a bit like Greek to you, you’ll want to read this blog post.
What is PCI?
PCI, or the Payment Card Industry Data Security Standard (PCI DSS), is a set of security standards that exists to ensure that companies maintain a defined level of security when accepting, processing, storing or transmitting credit card information. Launched more than a decade ago, the PCI Security Standards Council (PCI SSC) is an independent body created by the major card brands (Visa, MasterCard, American Express, Discover and JCB) to manage the ever-changing payment landscape and ensure that up-to-date security measures are in place to protect cardholders. Payment brands and acquirers are responsible for enforcing PCI compliance.
Why does PCI matter to me?
PCI matters to you as a merchant, because any organization that accepts, stores or transmits cardholder data is held to certain compliance standards. Cardholder data is defined by the PCI SSC as “the full primary account number (PAN) or the full PAN along with either the cardholder name, expiration date or service code.” You can find more information about what data needs to be protected here. There are four levels that merchants fall under, based on the volume of transactions processed. However, certain risk factors can put a merchant into a higher level based upon the card issuer’s determination.
How can I stay compliant?
Third-party processors and tokenization (like what Forte provides) are the best ways of securely storing credit card data for recurring and one-time payments. Using a third party shifts the risk of storing card data to an organization (like Forte) that has the technology in place to keep card data safe. If you prefer to store the card data yourself, have a Qualified Security Assessor periodically perform an audit to ensure that you are meeting PCI DSS specifications.
What are the penalties for non-compliance?
Although penalties vary somewhat between the payment brands, according to PCI Compliance Guide, they may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. Usually, the bank will pass this fine on to the merchant, and will often either terminate the bank/merchant relationship or increase transaction fees. Hefty fines and being labelled as high-risk can spell big trouble for many small businesses. By establishing top-tier security practices from the start, you can potentially save your business a significant financial burden in the future.
It goes without saying that protecting your business from outside threats is of ultimate importance to you as a business owner. Making sure that you’re in the know on things like PCI compliance is an important step in protecting yourself. If you need to know more about securing your payment processing, contact us to learn how Forte offers top-tier level 1 PCI compliance to our customers.