Understanding PCI Compliance

 

We get a number of questions from our clients about PCI (Payment Card Industry) compliance – that’s expected. What we DON’T expect are questions from our clients wondering if PCI compliance is “real” or only something for which to charge them extra. Questions like that represent a significant misunderstanding about PCI compliance – a topic on which we hope to shed some light.

The Basics

It’s important for customers to know their information is safe when they use their debit or credit cards to purchase products or services. The number of payment security events in recent years has grown, resulting in the absolute necessity that sensitive data is protected. Doing business should be based on trust (between businesses and their customers) and PCI compliance helps improve the level of security at the business level while protecting and enhancing the trust you build with your customers. Technology is developing so fast that there is a growing number of fraudulent activities and few businesses are immune regardless of their size. That’s why EVERY merchant processing transactions must be PCI compliant.

What Does PCI Compliance Involve?

Becoming PCI compliant involves undergoing a PCI auditing procedure to meet the requirements of the mandatory PCI Data Security Standard. The requirements depend on the dollar amount of processed transactions per year and merchants are separated into 4 different levels. Level 1 pertains to merchants that process the highest amount per year, and Level 4 requirements are designed for merchants processing the smallest amount. PCI compliance requirements apply to both the administrative and technological side of running a business and they are updated regularly. PCI compliance is an ongoing process and responsibility, so a security strategy needs to be part of your business. Requirements dictate regular analysis of your processes and technology and routine updates to ensure that all vulnerabilities that could expose cardholder data are discovered and addressed. The process to become PCI compliant, and then to maintain compliance, can be somewhat daunting, without assistance. But the consequences of noncompliance are worse.

The Cost of Noncompliance

The initial financial consequence of not being PCI-compliant can range from $5,000 to $500,000, in the form of a fine which is levied by banks and credit card institutions. Banks may levy this fine based on forensic research they must perform to remediate noncompliance. Credit card institutions may levy fines as a punishment for noncompliance and propose a timeline of increasing fines. The following table is an example of a time-cost schedule which Visa uses.

Month	Level 1	Level 2
1 to 3	4 to 6	7 and on
$10,000 monthly	$50,000 monthly	$100,000 monthly
$5,000 monthly	$25,000 monthly	$50,000 monthly

So What is a Merchant Supposed to Do?

Chances are very good your payment processor offers a PCI compliance assistance program for merchants. EdgeShield® is the OpenEdge answer for our clients – an advanced security services bundle intended specifically to protect credit card data, prevent counterfeit fraud, and enhance payments security. Through a unique collection of complementary security solutions, EdgeShield delivers one of the industry’s most secure payments platforms. When integrated into systems that accept payments, the bundle protects credit card data while at rest and in transit. EdgeShield is built into the OpenEdge processing platform. The EdgeShield bundle also provides a solution to help our clients become PCI-compliant and maintain their compliance. OpenEdge’s PCI ASSURE® program is available to help clients simplify PCI compliance with online access to self-assessment questionnaires, network scans, a breach reimbursement program, and custom security profiles generated from the specific business’ individual processing activity. More information regarding EdgeShield can be found at https://www.openedgepayment.com/en/payments-security/edgeshield-security-solutions.

PCI Compliance is NOT to Be Ignored!

If your processing system is not PCI-compliant, you’re paying monthly non-compliance fees as a result. Even though PCI compliance can seem complicated, the consequences of noncompliance are often much worse. PCI compliance is required – it is not an option. And it’s just sound business if you process payments.