What You Don’t Know About PCI Compliance Could Hurt You
PCI DSS — the Payment Card Industry Security Standard — is a cornerstone of protecting the consumer financial data transmitted in credit and debit card transactions. The objectives of PCI DSS are to ensure that entities that collect payment card data do so in a manner that is secure; by requiring that companies build and maintain secure networks, control access to those networks, and do everything possible to secure and protect cardholder data, these standards help prevent the significant losses that come with major data breaches.
While most large businesses are fully aware of and compliant with PCI standards, there is still a lot of confusion among small and midsize businesses about what PCI means to them and their responsibility to adhere to the regulations. And this confusion can be costly. Businesses that comply with PCI DSS regulations and have the correct controls in place are generally granted “safe harbor” in the event of a data breach and aren’t held liable for losses attributable to the breach. Those companies that cannot demonstrate compliance also face additional fines and penalties in the event of a breach, meaning that compliance should be a top priority for any business that accepts credit and debit cards, no matter how few cards they may see in a year.
The question then becomes, “Am I compliant? Or have I made assumptions that could hurt my business?” What you don’t know can hurt you, so consider whether you have fallen into any of these traps.
1. ‘My Business Is So Small, PCI Doesn’t Apply to Me.’
This is perhaps the most common misconception, with many small businesses assuming that PCI only applies to large companies, or e-commerce businesses. This is false! Every business that accepts credit cards must be PCI compliant, regardless of how many card transactions it runs every year.
Your small business may not have the same compliance verification requirements as a major corporation, but its still your responsibility to determine which PCI level your business falls into, meet the standards, and provide verification, or else face liability in the event of a breach.
2. ‘I’m Compliant Because I Use a Third-Party Processor.’
For many businesses, working with a third-party credit card processor or IT security vendor is an easy way to comply with PCI standards. However, doing so does not completely eliminate your responsibility to maintain PCI compliance. You still maintain the ultimate responsibility for protecting cardholder data and for confirming that your vendor follows all rules and regulations.
This is especially important if your website integrates PayPal via an API. While PayPal does meet PCI regulations, if payments are integrated with your site, your servers will capture cardholder data first before sending it on to PayPal’s servers — meaning that you have to have PCI compliant security measures in place on your servers as well.
3. ‘We Only Store a Small Amount of Data’
When you run a small business, and you work with the same customers all the time, it can be tempting to just store their payment information to make running transactions easier and faster for everyone.
However, PCI standards prohibit merchants from storing certain information, including unencrypted card numbers, CVV or CVV2 numbers, PINs, and Track 1 or Track 2 data. If there is a breach, and any of this information is found on your network, you could face consequences. Even if a customer grants you authorization to keep their payment details “on file,” PCI standards prohibit you from storing certain information, so avoid doing so.
4. ‘We Took Care of PCI a Few Years Ago. We’re Good.’
PCI compliance is not a one-time task. It requires continuous vigilance, and in some cases, updates and changes to comply with new or revised standards.
Just as the threat landscape changes all the time, so do the tactics for protecting against breaches, and it is your responsibility to keep your data safe in the face of those changes.
5. ‘PCI Costs Too Much.’
There are costs associated with maintaining compliance. However, these costs should be considered part of the cost of doing business — and are usually rolled into the overall security budget. Even small businesses need to take security seriously and budget for protections, as the cost of not protecting payment data is even higher. Failing to comply with PCI standards not only leads to fines and liability in the event of a breach, but just falling short of the standards themselves can lead to higher processing fees and even a termination of your agreements with the major card issuers.
The bottom line? What you don’t know or assume about PCI standards can hurt you. If your business accepts credit cards, learn the requirements, and take steps to adhere to them, and protect both your bottom line and your customers.