Do I Need to Be PCI Compliant?

— June 9, 2017


You’ve just made the decision to start an online business. You’re going to sell products on the internet, which also means you need to find the best payment methods, but you’re not sure what the requirements for merchants are.

Today we’ll answer one of the burning questions: Do I need to be PCI compliant?

In general, PCI compliance is required by the credit card companies to make online transactions secure and to protect them against identity theft. According to the PCI Security Standards Council, any merchant that wants to process, store or transmit credit card data is required to be PCI compliant.

One of the main problems merchants have with PCI DSS is that it’s an extremely technical subject, so they understand very little when they try to find out more about the requirements and security standards.

The good news? We’re here to help.

First: What is PCI compliance?

In short, PCI DSS is a set of requirements created by the major payment card brands: Visa, MasterCard, American Express, Discover, and JCB. The standard defines 12 general data security requirements that every merchant needs to follow. There are also over 200 sub-requirements, but not all of them will apply to you; it depends on your business.

Here are the 12 main PCI DSS requirements that merchants must meet:

Goal: Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Goal: Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Goal: Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
Goal: Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Goal: Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Goal: Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel

Source: https://www.pcisecuritystandards.org

Note that these general requirements apply to all merchants, regardless of their size or transaction volume.

What’s more, there are four compliance levels, and each comes with its own validation requirements for merchants. The level depends on the number of transactions a merchant processes annually. Generally speaking, merchants at level 4 process the fewest transactions per year ($ 20,000) and those at level 1 the most (over 6 million transactions annually).

Depending on how the merchant processes, stores or transmits card data, they need to complete the Self-Assessment Questionnaire(s) (SAQ) that apply to them. The main difference between the levels is in how compliance is validated: level 4, for example, requires only a self-assessment, while level 1 certification requires an audit performed by a Qualified Security Assessor (QSA).

Even though PCI DSS is not part of any law, it is an internationally used standard that comes with significant penalties and costs for organizations that don’t comply with its requirements.

What if I am not PCI compliant?

Being out of compliance can lead to serious security incidents and data breaches that could badly damage your brand, so it’s better to comply with the PCI standards.

There are also other reasons.

You need to know that every breach brings additional checks and validation of your business to find out whether you’re PCI compliant. Keep in mind that non-compliant companies face heavy fines as a consequence. Consumer fraud resulting from data breaches causes losses for the issuing banks, so a company that doesn’t protect payment card information well enough has to pay for the estimated losses.

Strictly speaking, if you sell online without being PCI compliant, you need to prepare not only for the potential security risks, but also for penalties, such as monthly fines that can reach $ 100,000. The amount of the fine depends on the company’s transaction volume, the number of PCI DSS requirements violated, and so on. And you will have to keep paying it until you address the issue.

Also remember that data breaches and their consequences can cost you your brand reputation as well as your customers.

And, without a doubt, a data breach could be devastating for your business. You could even lose the right to accept payment cards. Taken together, these consequences can put you out of business.

Is that what you want?

What’s more, companies need to provide their acquiring bank with ongoing information and prove their ability to prevent data breaches. If they don’t meet these conditions, they can lose their ability to process card payments.

Achieving compliance on your own is not the easiest task, and it takes weeks. In short, you need to submit the application and prepare for a long and expensive process. Each level involves filling in the self-assessment questionnaire, and the whole procedure becomes much more complicated at the highest level (Level 1).

That’s why most merchants prefer to work with payment providers that cover all the PCI issues, so they don’t even have to think about it.

Staying out of the scope of PCI compliance (is that possible?)

As you can see, falling under the PCI requirements can mean a lot of work for merchants, but it is possible to leave all the paperwork to someone else.

The good news is that you can choose a payment provider that complies with the PCI DSS and that processes, stores or transmits the card data for you, so you avoid the whole struggle with PCI. This means that the payment company you work with processes the payments itself, so your website never touches your customers’ card details. They take the whole PCI burden on themselves.

To be sure that PCI compliance is handled properly and that both your data and your customers’ data is safeguarded against potential breaches, pick a payment provider that meets all the PCI Level 1 compliance standards, the highest PCI level with the strictest requirements.

When you choose a payment gateway, such as SecurionPay, you can be sure that your payments will be highly secure and processed under PCI requirements without any extra costs.

There are no hidden or additional fees, so you always know how much you will pay from the very start. You know for certain that both you and your customers are fully protected, as each transaction is encrypted and the card data is tokenized.
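Staying out of scope only holds if your own systems really never see a card number, which is something you can check rather than assume. The following is an added example, not the article’s or SecurionPay’s code: a merchant-side guard that accepts only a provider token and rejects any request carrying a Luhn-valid card number. The `tok_` token format, the field names and the sample payloads are all assumptions constructed for illustration.

```python
import re
from typing import List, Tuple

# Assumed token format; real providers use their own formats.
TOKEN_RE = re.compile(r"^tok_[A-Za-z0-9]{8,}$")
# 13-19 digits, optionally separated by spaces or dashes, not part of a longer digit run.
DIGIT_RUN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, as used by payment card numbers (PANs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid 13-19 digit sequence in text (separators stripped)."""
    found = []
    for m in DIGIT_RUN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def check_payment_request(payload: dict) -> Tuple[bool, str]:
    """Accept only a provider token; refuse anything that looks like raw cardholder data."""
    for key in ("card_number", "pan", "cvv", "cvc"):   # assumed field names
        if key in payload:
            return False, f"raw cardholder field '{key}' present"
    token = str(payload.get("card_token", ""))
    if not TOKEN_RE.match(token):
        return False, "missing or malformed provider token"
    # Catch a PAN smuggled into any other field (order notes, description, ...).
    if find_pans(" ".join(str(v) for v in payload.values())):
        return False, "PAN-like value found in payload"
    return True, "ok"
```

Run the same `find_pans` over your application logs: a hit there means cardholder data is being stored on your side and the out-of-scope assumption no longer holds.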

Leave it to us and let us deal with the banks on your behalf. All sensitive data is handled by us, so you’re staying out of the scope of PCI compliance.

A huge relief, don’t you think?

Conclusion

To sum up, the PCI DSS standards apply to every company that asks for credit card information. The main goal of compliance is to protect the privacy and security of sensitive card data by prescribing how an online business should be secured.

Remember that PCI compliance is not dictated by the volume of transactions; each merchant is responsible for its customers’ data. All in all, you can find a payment provider that knows how to handle all kinds of data and takes the whole PCI burden on itself.

Business & Finance Articles on Business 2 Community

Author: Sandra Wrobel-Konior