To what extent does your company know about PCI compliance?
All companies that process and store credit card information must be compliant with the Payment Card Industry Data Security Standard (PCI DSS), often referred to as PCI compliance.
Whether you are processing credit card transactions from PDQ terminals or maintaining PCI compliance for over-the-phone transactions, there are bound to be some questions. Here is a helpful guide to the 7 most commonly asked questions on PCI compliance, complete with the answers to navigate you through the PCI minefield.
To whom does the PCI DSS apply?
Any company or organisation that accepts card payments, or transmits or stores cardholder data, must comply with the PCI DSS requirements.
I only take card payments over the phone; does the PCI DSS apply to my business?
Absolutely. Any businesses that accept card payments must be PCI DSS compliant, without exception.
What level of compliance do I fall into?
There are four bands that merchants can fall into. The band assigned to each merchant depends on the transaction volume, and each band comes with its own level of PCI compliance.
Level 4 applies to small businesses that process fewer than 20,000 eCommerce transactions and fewer than 1 million transactions in total each year. Level 3 includes mid-sized businesses that process between 20,000 and 1 million eCommerce transactions annually. Level 2 applies to companies that process between 1 and 6 million transactions annually, and Level 1 applies to large businesses that process more than 6 million transactions each year.
What do I have to do for each level?
Level 4 businesses have to complete an annual risk assessment. The PCI self-assessment questionnaire (SAQ) is a simple yes-or-no questionnaire that assesses your current level of security for protecting cardholder data. You may also be asked to carry out quarterly PCI scans if you store cardholder information electronically. These must be carried out by an approved vendor.
Level 3 and level 2 businesses have to complete the same measures as level 4 businesses, but you are more likely to be asked to carry out quarterly PCI scans if your business processes a larger volume of transactions.
Large businesses which fall into the level 1 category have to complete quarterly PCI scans and agree to an annual internal audit carried out by an independent PCI auditor.
How much will this cost my business?
Depending on your required level of compliance, the costs will vary. Small level 4 businesses could have their electronic network scanned by a professional vendor for as little as $60 a month.
For larger, level 3 businesses the cost will be higher, as you are likely to have a larger network with more IP addresses to scan. It could cost around $1,200 annually, but if your business is at the larger end of the level 3 range the costs could be higher.
Level 2 businesses should expect to pay between $10,000 and $15,000 a year for regular scans from approved vendors, while level 1 businesses will have to pay upwards of $50,000 a year.
My business has multiple locations; does each of these need to be PCI compliant?
It depends. If all your locations have the same tax ID, then you are usually only required to validate PCI compliance once a year for all of your firm’s locations.
However, if you are required to have network scans, you will need to have each location scanned by a PCI SSC approved vendor.
What are the penalties for not becoming PCI compliant?
Depending on the severity of the non-compliance, your business could face anything from card replacement costs in the event of a security breach, to losing your merchant account and being banned from accepting card payments for several years.
Issuing banks and credit card processors can also be fined for non-compliance, and many will pass the fine on to the individual merchant in the form of inflated transaction fees.
Aside from the official penalties, your business will be tarnished with a negative reputation for card security. Clients and customers will lose faith in your ability to protect them against fraud, and this will harm your business. In such a case, you will need to go the extra mile to restore customer loyalty.
Make yourself aware of what your business needs to do to become PCI compliant. Failure to do so could cause lasting damage to your business.