With profound changes in technology, credit cards have become a standard mode of payment, especially for large sums of money. However, issues such as cyber crime have created the need to protect the authentication data held in the magnetic stripe of the card during business transactions.
What is PCI compliance?
The Payment Card Industry Data Security Standard (PCI DSS), also known as PCI compliance, refers to the requirements your business needs to uphold to ensure that the credit card data your business processes, transmits, or stores is secured. PCI compliance aims to protect sensitive cardholder information that may fall into the hands of criminals, such as PINs and the data in the magnetic stripe like the CID, CAV2, or CVV2. PCI compliance also applies to the use of credit cards over the phone, since such a transaction also puts the customer's authentication data at risk of a breach.
Your business should be PCI compliant if you accept payments in the form of Visa, MasterCard, JCB, American Express, or Discover. Being PCI compliant means that your business agrees to observe specific PCI requirements to ensure cardholder data is protected. Since meeting every PCI requirement in full is difficult, some companies use PCI compliance consultants to make sure the company is compliant.
Why is PCI compliance needed?
Your business needs PCI compliance because sensitive data is always at risk of falling into the wrong hands. Some of the ways data can leak are remote access to your business' internet connection, card readers, hidden cameras, or an insecure payment system. Some companies may also keep stored files containing authentication data.
Your business will be required to sign a binding contract with the bank each year and put in place measures to ensure your customers' authentication data is protected. Some of these efforts include software installation, especially in payment systems, and strengthening the security measures around your business.
Levels of PCI compliance
PCI compliance has four levels, each with different requirements determined by your business' annual transaction volume.
Level 1 applies to merchants processing more than 6 million transactions annually. It also applies to any merchant that has experienced a data breach at any point in time.
The requirements for a level 1 merchant include an annual onsite assessment conducted by a Qualified Security Assessor (QSA), a form proving compliance, and a network scan performed four times a year by an Approved Scanning Vendor (ASV). Having a Secure Sockets Layer (SSL) certificate does not by itself mean that your business' network is protected. Only High Assurance SSL certificates can make your business PCI compliant.
Level 2 applies to any merchant processing between one million and six million transactions each year.
You will need to fill in a PCI DSS Self-Assessment Questionnaire (SAQ), following the instructions in the questionnaire. You also need a network scan by an Approved Scanning Vendor and must provide evidence of passing the scan. Furthermore, you need to complete the proof of compliance form in the SAQ tool before submitting the scan evidence, questionnaire, and compliance form to your acquirer.
Level 3 applies to a merchant handling between 20,000 and one million e-commerce transactions every year.
The requirements for level 3 PCI compliance are similar to those of level 2 and level 4.
Level 4 applies to merchants handling fewer than 20,000 e-commerce transactions every year and to any other merchant processing up to one million transactions every year.
Your business will incur costs for PCI compliance. The costs vary with your business' compliance level and cover compliance attestation, network scans, and annual compliance reports.
Level 1 merchants incur the highest costs, at least $50,000 every year. Level 2 merchants incur an annual fee of $10,000 and above, while level 3 merchants incur a fee of $1,200 every year. Level 4 merchants incur monthly costs ranging from $60 to $75.
What are the consequences of PCI noncompliance?
Statistics show that about 30% of small ventures are unaware of the consequences of noncompliance.
Failure to comply with PCI requirements can lead to a data breach, after which the card brands impose monthly fines on your business' acquirer. The fines can range from $5,000 to $100,000 depending on your business' compliance level. Other consequences include costly forensic investigations and audits of your business, as well as settlement fees. Noncompliance also results in loss of customers, which in turn leads to reduced sales that can cause your business to fail.