What does PCI compliance mean for your small business?
PCI DSS compliance can often seem like a mountain to climb for small businesses, but that needn’t be the case. With the right knowledge and the right partners, it can be understood (and achieved) without much trouble at all.
What is the PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard. It is an international security standard which was set up by the biggest names in the payment card industry (Visa, MasterCard, Discover, American Express and JCB) to help businesses process card payments safely and securely, helping them to avoid credit card fraud.
The standard enforces strict guidelines regarding the processing, storage and transmission of private cardholder data.
Who needs to be PCI DSS compliant?
All companies that take credit card payments. If you accept, store, transmit or process cardholder data, then PCI DSS applies to you. It doesn’t matter how large or small your business may be; you are obliged to comply with the standard.
What is PCI DSS compliance?
PCI DSS sets out 12 requirements that merchants need to meet if they are to comply, as follows:
Build and maintain a secure network
• Install and maintain a firewall configuration to protect cardholder data
• Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data
• Protect stored cardholder data
• Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management program
• Use and regularly update anti-virus software or programs
• Develop and maintain secure systems and applications
Implement strong access control measures
• Restrict access to cardholder data by business need-to-know
• Assign a unique ID to each person with computer access
• Restrict physical access to cardholder data
Regularly monitor and test networks
• Track and monitor all access to network resources and cardholder data
• Regularly test security systems and processes
Maintain an information security policy
• Maintain a policy that addresses information security for all personnel
These general requirements apply to every business/merchant, whether large or small, and irrespective of the volume of transactions they handle.
However, merchants who handle greater numbers of transactions will be required to undergo greater levels of scrutiny in order to be considered compliant.
What are the consequences if I don’t comply?
You may be fined for non-compliance by your acquiring bank, which may ultimately prevent you from taking card payments. In the event of a data breach, your business will be investigated to establish whether you were compliant and, if so, to what extent. Once your level of compliance has been ascertained, penalties will be imposed by the credit card companies.
Penalties for non-compliance are manifold. You may face fines ranging from £3,000 to £60,000, litigation, damage to your company’s reputation and loss of business, and you may even find your company’s ability to take card payments revoked.
Put simply, it isn’t worth the risk to your business and your clients’ privacy to be slack about PCI DSS.