What is PCI compliance?
The Payment Card Industry Data Security Standard might be a mouthful, but if you are a business owner, it is imperative you understand it. PCI DSS is a set of worldwide standards established to ensure all companies handle credit card data and manage payments in an ethical, legal and secure manner.
The information held on credit cards is extremely sensitive, but by meeting these standards - known as being PCI compliant - individuals and organisations can reduce the risk of that information falling into the wrong hands. When a business is PCI compliant, it makes the processing of card payments safer for all parties.
Let us take a closer look at what being PCI compliant entails, and at what your business needs to do in order to adhere to and uphold the PCI DSS.
PCI compliance key terms
Before delving into PCI compliance, it is important to understand a few key terms surrounding credit card payments and the PCI DSS.
‘Cardholder data’ is pretty much what it says it is: data belonging to the person who owns the payment card in question. This data includes the cardholder’s name, the card security code (the three digits on the back of the card), the card’s start date and expiry date, and any account number and sort code associated with the card.
This information can be used to access the cardholder’s account, so it is imperative that it is protected. If cardholder data is held by your business, it must be stored in accordance with PCI DSS.
Another key term is ‘merchant’; if you accept payment for products and services by means of cards, your business is defined as being a merchant. All merchants have a legal responsibility to be PCI compliant. All merchants handling Visa payments fall into one of four PCI categories known as ‘levels’. These are defined by Visa as:
Level 1: Merchants processing more than six million transactions in one year.
Level 2: Merchants processing one to six million transactions in one year.
Level 3: Merchants processing 20,000 to one million transactions in one year.
Level 4: Merchants processing less than 20,000 transactions in one year.
Smaller businesses tend to find themselves at level 3 or level 4.
A ‘payment gateway’ is a technology that links the merchant’s payment system to the bank via a dial-up or web-based connection. Payment gateways facilitate the transmission of cardholder data from the customer to the merchant to the bank.
Being PCI compliant
You can ensure your business remains PCI compliant by following these steps.
- Secure your network systems
- Protect cardholder data
- Undergo vulnerability scans
Firewalls, security software and effective password management will enable you to establish a secure network system for your business, which will contribute to its PCI compliance. Regularly test your security software, train your staff to use it correctly, and conduct regular checks to ensure it is up to date.
Encryption of cardholder data when completing transactions over a public network is vital, as protecting cardholder data is one of the key aspects of PCI compliance. Restrict internal access to any customer information, and do not transfer any such data unnecessarily.
In order for your business to be PCI compliant, it must undergo regular checks known as vulnerability scans. These are sweeps of your payment system that analyse whether your business is vulnerable to the kind of threats that could put cardholder data at risk.
Vulnerability scans are non-intrusive: no new software has to be installed for them to be conducted, and trading is not affected while they run, as approved scanning vendors handle them.
What happens if your business is not PCI compliant?
If you do not take the time to understand PCI DSS, and subsequently fail to make your business PCI compliant, you could face a number of financial and legal, not to mention ethical, difficulties.
When PCI compliance measures are not met, your customers’ personal data is at risk, which may allow criminals to seize it and use it for fraudulent purposes. Thieves pounce when they spot weak links in the payment chain of merchants who are failing to comply with PCI protocols, stealing data that can be used to take money from customers and use their identity to commit fraud.
If your business is suspected of poor PCI compliance management, it may be placed under investigation. You will be liable for the cost of the investigation, which often stretches into four figures - and beyond.
And if your business is found to be non-PCI compliant it will be subject to fines, and its reputation is likely to be severely damaged. Merchants can be blacklisted if they have previously been found to be unreliable when it comes to PCI DSS, which can lead to difficulties when dealing with banks and credit card companies. If they are unwilling to work with you, your company will not be able to take card payments, which could prove disastrous in a world that’s increasingly cashless.
Keeping your business PCI compliant requires close attention and careful management. If you run a small business, it is vital you value PCI DSS as highly as revenue, marketing and recruitment. Learn as much as you can about PCI compliance to ensure you are keeping your customers’ card data safe. A good merchant is a trusted merchant, and by remaining PCI compliant you will maintain your reputation with both your customers and your partners.