How to ensure that your business is PCI-DSS compliant

Michael R. Dickson, CPA, CISA, CISM, Director, Business Technology Group, GBQ Partners LLC

When you purchase an item, you may not think twice about handing over your credit card. But with credit card fraud and identity theft happening to more than 10 million Americans each year, you need to make sure your information is secure.
The Payment Card Industry Data Security Standards (PCI-DSS), put into place in 2008, are a group of 12 broad rules, 61 processes and 148 sub-processes that define what companies accepting credit card transactions need to do in order to protect the security of cardholders’ information.
“Businesses are required to demonstrate their compliance, depending upon the quantity of credit card transactions they process, and the nature of the technology they use to process those transactions,” says Michael R. Dickson, CPA, CISA, CISM, director, Business Technology Group, GBQ Partners LLC.
If you’re a large merchant (Level 1), you’ll be required to submit to a third-party assessment of your PCI compliance. Smaller organizations (Levels 2-4) may engage a third party to assist them in completing the annual self-assessments and quarterly security scans.
Smart Business spoke with Dickson about the PCI-DSS and how to make sure your company is compliant with these standards.
How does PCI-DSS affect businesses?
The major credit card issuers developed the standards. Their vested interest in securing cardholder data and the merchants who use their cards is to reduce fraud and prevent financial losses. Initially, each of these institutions developed its own standards. They were all similar and aimed at protecting the privacy of user information, but each had its own specific way of communicating and enforcing these rules. PCI-DSS was designed to be adaptable to all brand institutions, so a business can be confident that, if it is following these particular standards, it is in compliance with all bank rules.
The qualified assessments or self-assessments required for compliance give information about your organization and how you conduct business with your customers. The requirements are based on your size, the nature of your technology, and how you actually process cards.
 
What are some key things you need to understand about being PCI-DSS compliant?
Non-compliance has consequences. Many businesses, especially smaller ones, take a rather casual approach to compliance. Oftentimes, someone in the IT department will print off a form and check a bunch of boxes to say they are in compliance with the requirements, but won’t go into detail about how they do it. The business owner then signs the form without really understanding what the requirements are, and how well their organization is doing at meeting the requirements. There’s a big risk for companies that take shortcuts. Consequences include potentially huge fines and the costs of notification, not to mention the damage to a company’s reputation and revenue stream that can result from a breach in customer credit card security.
More than 38 states have laws protecting consumers from data and privacy breaches, and PCI compliance is the de facto standard for best practice in credit card protections.
There are no proactive enforcement mechanisms, unless a brand merchant chooses to react to a filing that has been submitted because they think it’s substandard.
If your merchant is not satisfied with the quality of your filings, and generally deems you to be a higher risk than its other customers, it may require a third-party assessment, or may even renegotiate your fee structure or revoke your right to process credit card transactions through its institution. The biggest risk of non-compliance is if you have a breach and someone gains access to your information, or someone inside your organization sells or publishes it. The cost of dealing with lawsuits, insurance claims, canceled accounts and a damaged reputation can and will be significant.