Understanding PCI Compliance
It is a nightmare scenario for customers and manufacturers alike: a data breach that exposes sensitive information to tech-savvy thieves. As Sears and Delta recently learned, the damage is far worse when payment card data is among what leaks. And despite IT teams' best efforts, the question of the next major data breach is "when," not "if."
Back in 2004, the payment card brands saw this threat on the horizon. In response, representatives of the major card companies drew up the Payment Card Industry Data Security Standard (PCI DSS). Many of its requirements are common sense: for example, keeping cardholder data behind a firewall and inspecting point-of-sale devices for tampering, such as attached card skimmers. The PCI Security Standards Council, which now maintains the standard, continues to revise it regularly.
As data breach threats grow, more companies are taking PCI DSS seriously; compliance grew 44 percent between 2012 and 2017. However, Verizon found that more than 40 percent of merchants still fail to meet PCI DSS, and because the requirements keep changing, even those that achieve compliance can quickly lose it. I continue to hear from customers who struggle with the scope of their PCI compliance projects.
What’s keeping companies from maintaining these crucial security standards? Consider the two most common mistakes companies make when seeking PCI compliance — and the best way to ease your PCI DSS concerns.
Mistake #1: Underestimating PCI compliance reach
Traditionally, PCI compliance conjures the image of a major retailer handling thousands of card transactions a day. It is true that the strictest validation requirements apply to merchants processing more than six million card transactions a year, but that is only the top of four merchant levels, and manufacturers and distributors, not just retailers, are subject to the PCI DSS if they accept card payments.
Perhaps the most common misconception about PCI compliance concerns third-party payment processing. For smaller organizations, outsourcing card processing is attractive: it is one less expensive and complicated process to run in-house. However, you remain responsible for your customers' transactions. To stay compliant, you must 1) confirm that your processor is PCI DSS compliant before you engage them and 2) re-verify the processor's compliance status at least annually (the PCI DSS spells this out under Requirement 12.8, which also calls for a written agreement that the provider acknowledges its responsibility for the cardholder data it handles). Otherwise, you could be on the hook for a breach that occurred in a system you do not control.
The bottom line: if you process, store or transmit cardholder data, online or offline, or if your systems can affect the security of that data, you must be PCI DSS compliant.
Mistake #2: Relying on your IT team to manage the entire process