The explosion in the use of debit and credit cards is not without a downside. As more and more card details are handed to merchants, the potential for that information to be stolen also increases. Consumers expect merchants to handle their card information securely. When card data is stolen, consumers feel vulnerable and may stop using certain cards or stop buying from the merchant that failed to protect their information.
To combat the risks, the major credit card brands built a set of requirements that are designed to ensure all businesses that process, transmit and store customer credit card information keep it secure. The Payment Card Industry Data Security Standards (PCI DSS) were born.
The initiative began in 2006 when the PCI Security Standards Council and its five founding members (VISA, MasterCard, American Express, JCB and Discover) agreed to combine their respective security standards into one. The council is not responsible for ensuring compliance. Instead, that responsibility remains with the card brands.
PCI DSS contains both operational and technical standards that merchants must adhere to. It is not a law. Rather, it is a payment industry standard that merchants must comply with if they plan to process even modest volumes of credit or debit card transactions.
The standards cover all merchants that accept and process credit card transactions. However, they incorporate a tiered, risk-based approach to compliance. Based on the volume of credit card transactions processed per year, a merchant falls into one of the following categories:
An on-site inspection is required annually for Level 1 merchants. Merchants on the second, third and fourth tiers must complete a self-assessment questionnaire annually to validate their compliance with PCI DSS. If a merchant has a customer-facing Internet Protocol (IP) address, a quarterly network scan that assesses the vulnerability of the merchant's environment is also required. Specifically, the scan identifies potential weak points within the company's network that could be susceptible to compromise by attackers.
PCI DSS contains 6 broad requirements:
The fines for failing to protect cardholder data can range from $5,000 to $100,000 per month. The fine for noncompliance is typically assessed against the bank that has provided the company with its merchant account. It is highly probable that the bank will in turn pass the fine along to the company as well as close the merchant account.
Note: If your company only processes credit card transactions over the phone, you still must comply with the standards.
If you are starting a new business, or your business is growing and moving from one transaction tier to another, consider engaging a professional services firm with experience helping companies comply with PCI DSS. Engaging a third party avoids a conflict of interest in which the same internal resources both assess the risk and are responsible for remediating it. PCI DSS compliance typically includes 4 stages:
PCI DSS is essentially non-negotiable for merchants that plan to process credit and debit card transactions. More information is available from the PCI Security Standards Council.
Cardholder data includes a long list of information including:
Get in touch today and find out how we can help you meet your objectives.