5 Frequently Asked Questions About PCI Compliance
Every business that accepts credit or debit cards must comply, regardless of what processing method they use.
Even though PCI compliance standards have been in place since 2006, there remains quite a bit of confusion about what it means to be PCI compliant, and why it matters for the protection of your business and customers. To learn more, here are the answers to some commonly asked questions about PCI compliance:
Am I legally required to follow PCI compliant standards to accept credit and debit card payments? PCI compliance isn’t law, but it’s a set of security standards in the payment card industry to protect payment networks, processors, financial institutions, businesses that handle sensitive customer payment data, and customers who pay using credit and debit cards. Though you cannot be legally held accountable for not being PCI compliant, you can be if your business is involved in a breach and is found to not be PCI compliant. Depending on the nature of the breach and its impact, you could be subject to thousands of dollars in fines, fees and potential lawsuits.
Isn’t my business too small to worry about a breach? Any business that accepts credit and debit cards for payment is responsible for protecting the sensitive data it holds. It must also protect the processes followed during verification, approval of payments and post-transaction processing. Under PCI compliance standards, sensitive data refers to information such as a customer’s 16-digit account number and/or the account number together with the customer’s name, expiration date, service code, information on a card’s magnetic stripe, and the security codes on a card.
That being said, the payment card industry security standards distinguish which PCI compliance standards merchants should follow based on the number of credit and debit card transactions they process over the course of a 12-month period and the payment brands they accept. For example, small businesses that process fewer than 20,000 transactions online, or fewer than one million credit or debit transactions in any channel, should follow Level 4 PCI compliance standards. This includes using payment acceptance and processing pages that are delivered directly from a third-party, PCI-validated service provider.
Don’t all payment processors guarantee PCI compliance? A payment processor that touts “secure transactions” and one that guarantees PCI-compliant processing aren’t necessarily the same thing. When you partner with payment processors that guarantee PCI compliance throughout the entire transaction process, you have the assurance that they use current encryption and tokenization technology designed to protect sensitive data. Plus, you’ll know their processes are current with the latest iterations of PCI compliant standards, which change as technology and breach sophistication evolve.
Additionally, PCI compliance isn’t just about what happens behind the scenes in transaction processing. PCI-compliant standards note that a business should not keep written records of customers’ credit card numbers, even in circumstances when payment processing terminals temporarily malfunction.
Does PCI compliance mean I can’t accept credit cards by phone? No, but it does outline specific standards that call centers should follow when processing customers’ payment information by phone. These rules include never retaining the three- or four-digit verification number on the card, or the full 16-digit primary account number.
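The two rules above (never retain the card verification code, never retain the full account number in notes or written records) are the kind of thing a call-center or order-entry system can enforce in code before a record is written anywhere. The following is an added example, not code from the article or from any PCI document: it drops verification-code fields outright, and it finds likely card numbers in free text (13 to 19 digits that pass the Luhn check) and masks everything but the last four digits. The field names and the sample record are constructed for illustration.

```python
import re

# Candidate card number: 13-19 digits, optionally separated by spaces or hyphens,
# starting and ending on a digit so trailing separators are never swallowed.
PAN_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# Field names that must never be written to storage at all (constructed list).
FORBIDDEN_FIELDS = {"cvv", "cvc", "cvv2", "security_code", "pin", "track_data"}


def luhn_valid(digits: str) -> bool:
    """Return True if a digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for index, char in enumerate(reversed(digits)):
        d = int(char)
        if index % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits; separators are discarded."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid card-number candidates found in free text."""
    return [m.group(0) for m in PAN_CANDIDATE.finditer(text)
            if luhn_valid(re.sub(r"\D", "", m.group(0)))]


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid card number in the text with its masked form."""
    def replace(match: re.Match) -> str:
        candidate = match.group(0)
        if luhn_valid(re.sub(r"\D", "", candidate)):
            return mask_pan(candidate)
        return candidate            # e.g. a long order number: leave it alone
    return PAN_CANDIDATE.sub(replace, text)


def sanitize_record(record: dict) -> dict:
    """Produce the version of a record that is safe to persist.

    Verification-code fields are removed entirely; every string field,
    including free-text notes, has card numbers masked to the last four.
    """
    clean = {}
    for key, value in record.items():
        if key.lower() in FORBIDDEN_FIELDS:
            continue                # never stored, not even temporarily
        if isinstance(value, str):
            value = redact_pans(value)
        clean[key] = value
    return clean


if __name__ == "__main__":
    # Constructed sample: what an agent might type while taking a phone order.
    # 4111 1111 1111 1111 is a well-known test number, not a real account.
    note = {
        "pan": "4111 1111 1111 1111",
        "cvv": "123",
        "expiry": "12/26",
        "notes": "customer read card 4111111111111111, order 1234567890123 confirmed",
    }
    print(sanitize_record(note))
```

The masked value is also what the agent's screen should show once the authorization has been sent: the last four digits are enough to confirm the card with the customer later, and nothing in the stored record is usable for a fraudulent charge.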
How do I know if my business is PCI compliant? PCI compliance is a combination of using PCI-compliant payment processors and maintaining the security of your business’s IT infrastructure, networks, hardware, software and point-of-sale processes. The PCI Security Standards Council recommends that all organizations that accept credit and debit cards conduct internal and external vulnerability scans at least once every quarter. An external PCI-compliance scan reviews the network connections that an attacker could reach from outside your network. In comparison, internal scans validate the security of the networks, firewalls, point-of-sale equipment, devices and computers used in your business that could be breached from inside. There are many vendors who provide for-hire services to help small businesses conduct audits that detect potential vulnerabilities which could lead to a breach if left unresolved.
PCI compliance requires additional measures on your part, but familiarizing yourself with the security standards and implementing them in your processes is well worth the effort when it comes to reducing your business’s exposure to risk.
Editorial Note: Any opinions, analyses, reviews or recommendations expressed in this article are those of the author alone, and have not been reviewed, approved, or otherwise endorsed by any of these entities.