PCI compliance continues to raise questions for a large number of merchants across the U.S., especially smaller, independent merchants. Am I required to be in compliance with PCI DSS? How do I go about becoming compliant, or demonstrating that I am compliant? Is there a resource to help me achieve compliance? Who oversees compliance, and what are the penalties for non-compliance?
Last fall we partnered with ControlScan, the industry's leading provider of PCI compliance and security solutions for small merchants and the businesses that serve them, on a merchant survey, and we were astonished to learn that nearly half of those surveyed were not clear on the specifics of PCI DSS, and that more than three-quarters (79 percent) felt their company was at little or no risk of a data compromise. These are scary statistics, given that PCI DSS compliance is required and that data breaches occur regardless of the size of your business.
Whether you are a tier 1 retailer or a small merchant selling exclusively on the Internet, compliance with the PCI Data Security Standard (PCI DSS) is mandated by the payment brands, including MasterCard and Visa, if you accept credit and/or debit cards. The size of your business (your annual card transaction volume) determines your merchant level, and your level determines how you must validate compliance: for example, a self-assessment questionnaire for smaller merchants versus an annual on-site assessment for the largest ones. It does not change what you must comply with. Every merchant accepting credit or debit cards, online or offline, must meet the full PCI DSS.
One excellent resource for merchants, as well as for hardware and software developers, industry professionals and financial institutions, is the PCI Security Standards Council, an open global forum launched in 2006 that is responsible for the development, management, education and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS), the Payment Application Data Security Standard (PA-DSS) and PIN Transaction Security (PTS). But it's important to remember that the Council is not the governing body for PCI: enforcement of merchant compliance, and assessment of penalties for non-compliance, is managed by the individual payment brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.), typically through the merchant's acquiring bank.
Another valuable resource is your payment processing partner. As a trusted partner, we understand our role in providing merchants with the tools and resources they need to achieve compliance and, even more importantly, to protect their customers' sensitive data. In addition to serving as a resource for our merchant customers, we deliver a Compliance Services Package (CSP) as part of our standard merchant service offerings. Unlike some other processing partners, who simply assess a monthly, quarterly or annual PCI compliance fee without providing corresponding value, we have designed our CSP specifically to help merchants become compliant, and we are the only processor that offers a refund on any fines assessed in the event of a breach. We partner directly with ControlScan to deliver personalized guidance and support for our merchant customers, leveraging ControlScan's expertise and professional support to guide our merchants through each step of completing the self-assessment questionnaire. And should a breach or chargeback occur, we offer refunds to help offset merchant expenses.
Data breaches are not exclusive to the largest of the large. Anyone can be compromised, and by taking the necessary precautions and achieving PCI DSS compliance, merchants can significantly reduce their risk.