What Your Business Should Know About PCI Compliance
For a lot of businesses, compliance is the last thing they want to think about, but it should be the first thing they focus on. Compliance comes in many different forms, and one specific area is PCI compliance.
PCI compliance means compliance with the Payment Card Industry Data Security Standard, often written as PCI DSS. It applies to businesses of any size that take card payments and, as a result, store and process cardholder data.
So what should businesses know more specifically?
The Costs of Non-Compliance
The goal of PCI compliance is to protect credit card vendors, banks and, above all, consumers from data theft and fraud. PCI compliance has to be in place for any business that accepts credit card transactions. If a merchant is non-compliant, they can end up paying penalties of $1,000 to $100,000 per month, according to Reciprocity, a compliance solutions provider.
Even beyond that, non-compliance can also lead to the revocation of credit card privileges altogether.
What Constitutes PCI Compliance?
PCI compliance can be overwhelming, and it can seem complex, particularly for businesses that are new to it.
There are 12 requirements, broken down into sub-requirements, for a total of 281 objectives that have to be adhered to.
Along with there being a lot to PCI compliance, the standard is updated often. New versions come out regularly, and it's up to businesses to stay up to date.
You’re Responsible for Vendor Compliance
The responsibility for compliance falls onto your shoulders, and that includes ensuring your vendors are compliant. For example, if you use a third-party card processing system, you need to make sure it meets PCI compliance standards. If the software you use is not compliant, you can still be responsible for the penalties.
Differing Levels of Security
Within the larger concept of PCI security, there are different levels of security required, based on how much you process in card transactions annually.
Level 1 is the highest level of security required, and it’s for merchants processing more than $6 million in transactions every year. There are certain internal audits and reports these companies must go through. Level 2 merchants process $1 million to $6 million each year. Level 3 merchants process between $20,000 and $1 million each year, and level 4 merchants process less than $20,000.
The reason there are different levels is that if your company potentially provides access to more cards and data, you're going to be more of a target for hackers and cybercriminals.
Finally, businesses can never view PCI DSS compliance as something they set up once and are then done with. First, the regulations are constantly changing. Beyond that, cybercriminals are always changing their strategies and tactics as well. As cybercrimes become more advanced and sophisticated, businesses have to be more vigilant than ever about protecting financial data.