Does Your Business Need to Be PCI Compliant?

You have a successful business, customers are buying your products or services and everything seems to be in order. But is it?

Many small-to-medium businesses are unaware of the importance of PCI compliance and of the possible consequences of not adhering to the security requirements that PCI sets out for merchants, and they are often unsure whether any of it applies to them. If you accept credit and/or debit card payments in your online business, the answer is yes, it does.

PCI compliance applies to every entity or individual that accepts non-cash payment for any type of goods or service through one of these third-party financial service providers: Visa, MasterCard, American Express, Discover or JCB. Even accepting PayPal payments requires you to be PCI compliant.

Although PayPal – or any other third-party service provider – is ultimately the one storing, processing and transmitting the cardholder data, as a merchant your business is the one accepting that information. It is therefore your responsibility to ensure that your online environment is able to protect the security of the payment process.

In response to the ever-increasing threat of fraud and identity theft in today’s world of eCommerce, the credit card companies got together back in 2004 to compile a set of payment security regulations aimed at passing more of the responsibility for protecting client data on to merchants. These regulations are today called the Payment Card Industry Data Security Standard (PCI DSS) and are overseen by an independent council, the PCI Security Standards Council.

The idea behind the regulations is to enhance credit and debit card security by creating an additional level of protection for card issuers: merchants who use their services must meet minimum levels of security whenever they store, process or transmit cardholder data.

PCI is not, in itself, a law. It is a standard created by the major card brands. In the United States, for example, compliance is not required under federal law, but some state-level laws, such as Nevada’s, refer to PCI.

However, businesses found to be out of compliance with PCI standards may be subject to fines from the entity they use to process their card transactions.

Furthermore, if your payment system is breached and your customers’ data is stolen, any losses incurred by banks and financial service providers may be passed on to you: you may be charged for card replacement costs, or sued for brand damage.

It is always important to remember that PCI compliance does not guarantee payment security. The PCI Security Standards Council itself says that its regulations are only the minimum requirements for protecting a business and its customers; there is always room for further steps and security measures to be implemented. Ultimately, PCI compliance is the world’s only regulated and comprehensive means of protecting your business from non-cash payment fraud, ensuring a healthy working relationship with financial service providers and maintaining essential consumer trust.