Data security is one of the highest priorities for modern businesses. Recognizing this critical need, the five major credit card companies formed the Payment Card Industry Security Standards Council (PCI SSC). In due course, that consortium devised the Payment Card Industry Data Security Standard (PCI DSS) to provide merchants with a set of agreed-upon standards against which to measure their network systems and security protocols concerning their handling of cardholder data. These benchmarks are now the industry standard, and PCI noncompliance can have grave consequences on many fronts.
PCI DSS COMPLIANCE DEFINED
One size does not fit all when it comes to PCI compliance. Based on the volume of credit sales conducted annually, businesses are categorized into one of four levels:
- Level 1. Merchants who process over 6 million transactions per year regardless of the payment acceptance portal they use.
- Level 2. Merchants who process between 1 and 6 million transactions annually regardless of payment acceptance portal.
- Level 3. Merchants who process between 20,000 and 1 million e-commerce transactions annually.
- Level 4. Merchants who process fewer than 20,000 e-commerce transactions annually and those who process under 1 million transactions per year regardless of the payment acceptance portal.
Although the PCI requirements actually consist of 12 criteria, these are often consolidated into six compliance milestones as follows:
- Minimizing the amount of data a merchant retains and removing authentication data from all networks
- Protecting the points of access for systems and networks to minimize the chances of breach
- Ensuring that the servers, controls and processes that handle cardholder data are secure
- Monitoring and controlling access to networks and systems
- Protecting all stored data
- Completing all PCI DSS requirements and instituting relevant policies and procedures
Making every effort to understand and adhere to these milestones and their underlying standards can do much more than protect your systems and the data you store or transmit. In addition, safeguarding this information via PCI DSS compliance can ensure that your business is not subject to stringent PCI compliance penalties.
THE CONSEQUENCES OF PCI NONCOMPLIANCE
Merchants who fail to take PCI standards seriously will soon realize the error of their oversight. PCI noncompliance leads to several consequences, both direct and indirect. These include the following:
- The credit card industry imposes PCI compliance fines on businesses that fail to adhere to the requirements their council has set. The fines a company will pay depend on the merchant’s level, the length of time they have been out of compliance and the volume of cards they process, and can range anywhere from $5,000 to $100,000 monthly. Furthermore, you will be mandated to pay for credit card monitoring and/or identity theft insurance for all clients who have entrusted their data to your noncompliant systems.
- Any credit card companies or payment processors with whom you do business will pass on all the costs that arose from the data breach right back to you as the noncompliant party. They may also end their working relationship with you or, at the very least, raise your rates and fees.
- Whether your company is large or small, you may be sued by customers whose data was compromised due to your lack of adherence to the PCI requirements.
- The reputation of your brand may sustain permanent damage. Squandering the trust of your valued customers is a loss from which you may never recover. Your bottom line may also sustain serious harm when clients take their financial resources elsewhere and partner with another firm.
- If your company is large, the Federal Trade Commission might audit you, impose added regulations and levy fines for PCI noncompliance.
Because PCI fines are only the tip of the iceberg when it comes to the consequences of PCI violations, it is recommended that businesses contact and consult with a third-party assessor on a quarterly basis. This entity can guide you toward full compliance by thoroughly investigating all of your systems for vulnerabilities and suggesting the best way to implement improvements to guard against fraud or system breach.
Avoiding PCI DSS fines and other consequences may be the most obvious reason to strive for PCI DSS compliance, but it is far from the only compelling motivator. If the road to becoming compliant seems long, why not start with a self-assessment questionnaire (SAQ)? This tool and the questions it contains can help you and others on your management team to examine your systems internally for weaknesses in preparation for making substantive changes. You will also be able to validate the positive steps you have already taken. Think of PCI DSS compliance as one of the best ways to protect your business, the reputation of your brand and the vital data you store, manage and transmit.