PCI DSS compliance is not optional and if you aren’t compliant, the consequences could be huge
When it comes to the industry comprising the processors who handle credit and debit card purchases for businesses, it’s not hard for the small business owner to get a little lost amid the alphabet soup.
That fact notwithstanding, PCI DSS compliance is something that all small business operators should know about. PCI stands for “payment card industry” and DSS for “data security standard.” Compliance concerns how customers’ sensitive card information is stored and secured.
In addition to the card numbers, that information also includes the expiration date and CVV or card verification value (the three numbers on the back of Visa and MasterCard cards and the four numbers on the front of an American Express card).
PCI compliance is not optional and it is not taken care of by a processor. A processor is responsible for the data it stores, but a merchant is responsible for the data it keeps. If a business suffers a security breach, it can have serious consequences. (Enforcement of compliance is managed by the individual card brands.)
Here’s how you can stay protected and what you should know about PCI-DSS.
1. Cardholder data puts you at risk.
“Credit card companies and acquiring banks can impose heavy fines and remove your ability to process cards if you suffer a data breach,” said Kathleen Ervin, vice president of relationship management for TransFirst, in a webinar she presented for the NFIB.
Bob Russo, general manager of the PCI Security Standards Council, says the best step a small business owner can take is not to store any cardholder data. “Cybercrime is a very real problem that can create huge costs for organizations and individuals alike, and cardholder data is the most attractive target for criminals because it’s easy to convert into cash,” he says. “Breaches cost money. And not just loss of sales, relationships and standing in your community, or a depressed share price if yours is a public company, but just one incident can severely damage your reputation and your ability to conduct business effectively—and far into the future. Compromised data doesn’t just affect you and your customers, but also consumers, merchants, and financial institutions across the board.”
2. Size of business determines level of security.
According to the website of the PCI Security Standards Council, which was formed in 2006 by the five global payment brands (American Express, Discover, JCB, MasterCard and Visa), the number of transactions a business processes determines the level of security it must have:
- Level I: six million or more transactions annually (or a business that has suffered a breach)
- Level II: one to six million transactions
- Level III: 20,000 to one million transactions
- Level IV: fewer than 20,000 transactions
3. Assess processes, fix problems, and then report.
The PCI Security Standards Council recommends that merchants first conduct a self-assessment. That means taking an inventory of your information technology and business processes for payment card processing and examining them for vulnerabilities that could expose customers’ information. The second step is to remediate: fix those potential problems and make sure not to store such data unless absolutely necessary.
The last step is to report. “Compile and submit required remediation validation records (if applicable), and submit compliance reports to the acquiring bank and card brands you do business with,” the website says.
4. Processors can provide valuable expertise.
Payment processors like TransFirst and Merchants’ Choice Payments Solutions can also be resources. MCPS provides merchants with indemnity coverage of up to $50,000 through its PCI Protection Plan.
“The best way for small businesses to protect their payment data is to follow the security principles outlined in the PCI Data Security Standards,” Russo says. “These include simple measures like regularly changing the passwords on the applications and devices you use to accept and process credit card payments, regularly inspecting your point-of-sale equipment, and asking the right questions of your technology vendors and business partners to make sure they’re doing things securely, too.”