If you were to ask the average business owner about PCI compliance, you would probably get several different answers. You may also get a response that is less than happy, or even frustrated.
In my 8 years as a payment processing pro, I have come across many merchants that find the whole process very annoying. The intention of PCI compliance is to make sure that businesses are protecting cardholder data. So what would be annoying about that?
The problem is that it can be confusing, and in most cases, no one is helping the business owner with the initial setup or annual survey. Before we go any further, let’s explain what PCI compliance really means.
PCI Compliance in Layman’s Terms
PCI stands for Payment Card Industry. The PCI Data Security Standard (PCI DSS) was first released in December 2004, and several updated versions have been published since then to keep up with changing technology.
The intention is to have a set of standards that businesses follow to prevent data breaches, and protect consumers from having their card number stolen. You can read the history and technical definitions here.
There are four merchant levels, set by the card brands, that depend on the number of transactions a merchant processes annually. The average business owner falls under Level 3 or 4, which means fewer than one million transactions per year.
In most cases, a business owner can complete an annual self-assessment questionnaire (SAQ) to attest that they are following the PCI DSS requirements. Which SAQ applies depends on how the business accepts cards (for example, a standalone dial-up terminal versus an internet-connected POS system), and the questions can be tricky; sometimes a merchant will get started and then quit the survey out of frustration. If a merchant is processing over the internet with a standalone machine, POS system or virtual terminal, a quarterly external vulnerability scan of their network by an Approved Scanning Vendor (ASV) may be required as well.
A few months ago, I was notified that one of our clients did not pass their recent remote scan. I had personally helped them set it up a few years ago and they always passed. When I brought it to their attention, they contacted their IT people. It turned out that one of the owners was logging in to the network to work from home.
While doing this, he unknowingly did something to make the network less secure and our remote scan discovered it. Now that is customer service!
If you are involved with eCommerce, your merchant service provider may scan your website as well. I have found that the standards to pass are very high, as the potential for problems is much greater. This is not something to take lightly, and if you have not had a security conversation with your website provider, do it soon!
So what happens if a business does not complete their PCI compliance survey? Unfortunately, it is all too common, and the merchant ends up paying a non-compliance fee imposed by their processor. The fees range from $10.00 per month to $125.00 per month! Their processor may also charge the business for data breach insurance each month.
Who Regulates This?
The PCI Security Standards Council is a self-regulating industry body founded by the major card brands (Visa, Mastercard, American Express, Discover and JCB). Compliance is enforced through the card brands' and acquirers' contracts with merchants, not by a government regulator; at this time, the government is not involved with PCI standards or regulation. Let's hope that it stays this way.
So what can you do?
If you are not compliant or not sure, ask your local merchant service rep for help. (You are working with someone local, right? Hint hint.) Be sure to check your monthly processing statements as well to make sure that you are not paying a non-compliance fee. What?? You are not even looking at your statements?? We need to talk!
For the best rates, LOCAL support & service, and a PCI compliance guarantee, please consider us for your payment processing needs.