We get a number of questions from our clients about PCI (Payment Card Industry) compliance – that’s expected. What we DON’T expect are questions from our clients wondering if PCI compliance is “real” or only something for which to charge them extra. Questions like that represent a significant misunderstanding about PCI compliance – a topic on which we hope to shed some light.
The Basics
Customers need to know their card data is safe when they pay for products or services with a debit or credit card. Payment security incidents have grown in number in recent years, so protecting cardholder data is no longer optional. Doing business rests on trust between merchants and their customers, and PCI compliance raises the baseline of security at the merchant while protecting that trust. Fraud techniques evolve as fast as the technology they target, and few businesses are immune regardless of size. That is why EVERY merchant that stores, processes or transmits cardholder data must be PCI compliant.
What Does PCI Compliance Involve?
Becoming PCI compliant means validating that you meet the requirements of the PCI Data Security Standard (PCI DSS). How you validate depends on your transaction volume (the number of card transactions you process per year, not the dollar amount), and the card brands separate merchants into 4 levels. Level 1 covers merchants with the highest volume and requires an annual on-site assessment by a Qualified Security Assessor; Level 4 covers merchants with the smallest volume, who typically validate with a Self-Assessment Questionnaire and, where applicable, quarterly external vulnerability scans by an Approved Scanning Vendor. The requirements apply to both the administrative and technical sides of running a business, and the standard is updated regularly. PCI compliance is an ongoing process and responsibility, so a security strategy needs to be part of your business: the requirements call for regular review of your processes and technology and routine updates so that vulnerabilities that could expose cardholder data are found and fixed. Becoming compliant, and then staying compliant, can be daunting without assistance. But the consequences of noncompliance are worse.
The Cost of Noncompliance
The initial financial consequence of not being PCI compliant can range from $5,000 to $500,000 in fines. The card brands levy these fines on the acquiring bank, which passes them on to the merchant. After a breach, the bank can also bill the merchant for the forensic investigation it must commission to establish what happened, and the card brands may apply an escalating schedule of monthly fines until compliance is validated. The following table is an example of such a schedule, which Visa uses for Level 1 and Level 2 merchants.
| Month | Level 1 | Level 2 |
|---|---|---|
| 1 to 3 | $10,000 monthly | $5,000 monthly |
| 4 to 6 | $50,000 monthly | $25,000 monthly |
| 7 and on | $100,000 monthly | $50,000 monthly |