Most of our clients that process credit cards have asked at one time or another about PCI compliance, technically referred to as PCI DSS (the Payment Card Industry Data Security Standard). It’s a very large topic, so we thought we’d compress into a blog entry most of what you really need to know.
What is it? PCI DSS is a set of requirements introduced in 2006 (and upgraded regularly since) to ensure that all companies that process or store credit card information maintain a ‘secure’ environment. Credit card data theft is BIG business, and DSS is aimed at reducing it.
Who is affected? Basically, anyone who processes credit cards. Processors are separated into tiers, the largest being Tier 4, or those who process under 20,000 e-commerce transactions per year, or up to 1,000,000 overall (Visa) transactions.
Do I have to participate? Tricky question. Technically, no. It’s really only a problem when it actually becomes… a problem. Then, merchants who have not done a proper assessment and demonstrated proper compliance can be held liable by the large credit card companies for huge fines if it is found that data theft or hacking occurred as a result of their negligence. The fines run about $5,000 to $20,000.
What does a small business have to do? Some homework. After identifying your “Validation Type” you’ll probably complete a self-assessment questionnaire. You’ll need to pass a “vulnerability scan” with an “Approved Scanning Vendor.” Then, you’ll complete and submit an “Attestation of Compliance.” And of course, you’ll have to fill out any other paperwork required by your card vendor. Even companies using third-party processors are supposed to be compliant.
What if I just ‘wait’? That’s up to you, and so is the onus. If nothing goes wrong, consider yourself lucky. If you seek compliance, consider it another required task for the privilege of being in business.
Where can I get more info? You can search on terms like ‘PCI Compliance’ or ‘Is PCI Compliance Mandatory’ to quickly find sources of deeper information. A good, quick FAQ posting from the official PCI Compliance Guide folks can be found here.
Most accounting software publishers today offer linkups to PCI compliant credit card transaction capabilities. The key is not to store you customers’ credit card numbers anywhere at your location. The big-name providers do all this while offering secure transaction processing. Check with your credit card provider first. Most will make it relatively easy for you to make the switch, though expect some transaction costs. It’s one more compliance requirement for doing business in the 21st century, and one more source of costs to the small business person. But the alternatives can be far worse.