PCI DSS applies to all businesses that accept card payments but many business owners don’t fully understand what PCI is and how it’s enforced.
Firstly, PCI DSS stands for Payment Card Industry Data Security Standard. The standard is maintained by the Payment Card Industry Security Standards Council (PCI SSC), founded by the five major card brands: Visa, MasterCard, American Express, Discover and JCB. The first version was published in 2004 with the aim of tightening the controls around cardholder data and so reducing card fraud. Compliance must be validated every year, and it is each business's own responsibility to achieve and maintain it.
Read our top 5 facts to help you understand what is required and ensure your business is compliant.
A common misconception is that PCI DSS is a government regulation. It is not: it was created by the card brands themselves (Visa, MasterCard, American Express, Discover and JCB) and is enforced through the contracts merchants hold with their acquiring bank and payment providers. Any merchant that processes, transmits or stores card data for any of these brands must comply.
No matter how many payments you take, and however big or small your business is, if you handle payment card data you are expected to comply with the PCI DSS requirements. For a small business, partnering with a Level 1 PCI DSS compliant payment solutions provider that handles the card data on your behalf can greatly reduce the scope of what you must secure, but it does not remove your obligation: you still have to validate your own compliance, typically with one of the shorter self-assessment questionnaires.
While all businesses processing card payments must comply, there are four merchant levels (1 to 4), set by each card brand according to the number of transactions you process annually. The higher the volume, the stricter the validation requirements. The majority of SMEs fall into level 3 or 4.
If your business suffers a breach and is found not to have been PCI DSS compliant, the card brands can impose hefty fines, passed on to you through your acquiring bank. You may also be moved up to a higher merchant level regardless of your transaction volume, which means more expensive and time-consuming audits are required to regain and demonstrate compliance.
Validation of compliance is performed annually, and how depends on your merchant level. Level 1 merchants need an on-site assessment by a third-party Qualified Security Assessor (QSA), or a qualified Internal Security Assessor, resulting in a Report on Compliance (ROC). Lower levels complete a Self-Assessment Questionnaire (SAQ) and sign an Attestation of Compliance; the SAQ is what most small businesses will use. Depending on which SAQ applies, quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) may also be required. The PCI DSS itself is revised over time; at the time of writing it is on version 3.2, released in April 2016.
While becoming PCI DSS compliant may require additional investment, it exists to protect you and your customers from fraud, so it is well worth the time and money. Start by working out which self-assessment questionnaire applies to you and by choosing a PCI DSS Level 1 compliant card payment solution provider.
For more information, download the PCI Security Standards Council resources for small businesses.