The Payment Card Industry Data Security Standard (PCI DSS) applies to every merchant who accepts payment cards. Unfortunately, in my experience, most retailers either have no idea what it is, or assume it is not their responsibility and that only their payment providers need to comply. If you do not have even the most basic understanding of what PCI is, or how it is enforced, you are at a serious disadvantage when it comes time to make decisions around PCI compliance. Lakewood, being a township with a very large UEZ, attracts many new businesses to open here. Here are the basics you need to understand PCI DSS.
The Four Important Points
1) PCI is a set of industry rules, not a set of laws.
PCI is not a government regulation like HIPAA. PCI is a creation of the payment card brands: Visa, MasterCard, Discover, American Express and JCB. Compliance is contractually mandatory for merchants who wish to process, transmit or store payment card data, but PCI is not a law.
PCI rules help prevent payment card fraud, the cost of which the card brands ultimately bore. An independent entity, the PCI Security Standards Council, was established to maintain the standard and to educate merchants and their providers.
The PCI Security Standards Council does not penalize merchants directly. Under the card brands' rules, that authority rests with the acquiring banks.
2) Non-compliant merchants are penalized by their acquiring banks.
If a merchant has a security breach and is found to be non-compliant with PCI rules, it can be subject to fines. Depending on the circumstances, commonly cited fines range from $5,000 to $100,000 every month until all compliance issues are addressed. If the merchant does not resolve the problem (usually within 90 days), it can have its ability to accept any and all payment cards revoked.
The card brands (each brand the merchant accepts) fine the merchant's acquiring bank, and the bank passes the cost on to the non-compliant merchant.
Acquiring banks are responsible for their merchants' compliance. Each bank differs in the flexibility and severity of its PCI enforcement policies. Merchants absolutely need to know their acquiring bank's policies.
3) The banks determine how a merchant must show compliance.
Because the banks are responsible for enforcing PCI compliance, they decide how they verify a merchant's compliance and what the penalties are. Again, you need to be familiar with your bank's PCI policies.
Merchants can show compliance by completing a Self-Assessment Questionnaire (SAQ) on their own, or they may be required to undergo a full audit by a certified third-party security expert known as a Qualified Security Assessor (QSA), who produces a Report on Compliance. Which path applies depends on the merchant's transaction volume (the card brands' merchant levels) and on the acquiring bank's policy; the bank makes the final call. Many SAQ types also require quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), so ask your bank whether that applies to you.
Self-assessment may seem cheaper and easier, but it almost always leaves room for error. Misinterpretation of the rules and requirements is all too common. Audits take more detailed and tedious work and are costlier, but they give a merchant (and, more importantly, its bank) more certainty that the merchant actually complies. Merchants should discuss the topic with their acquiring bank to see what is acceptable.
4) PCI compliance rules can be a useful resource.
No doubt, the rules and requirements of PCI are complex and onerous. The PCI obligations mean spending more time and money. Network security grows more complex every day, with new threats and vulnerabilities constantly emerging, and keeping up to date to protect an organization and its customers can be a full-time job. Nevertheless, security is increasingly essential for merchants, whatever it takes. Breaches can mean major financial, legal and reputational damage.
Having said all that, the PCI rules are a genuinely valuable resource for business owners. They give merchants a structured way to keep their security measures current, and they let customers do business with confidence. The PCI Security Standards Council publishes a set of resources specifically for small and medium-sized businesses, where merchants can learn about their particular compliance requirements as well as recommended security practices suited to their size. New business owners are especially encouraged to learn all they can about PCI and to use the resources available to protect themselves, their customers and their businesses.
You can learn more about small business compliance here: https://www.pcisecuritystandards.org/pci_security/small_merchant
See the accompanying chart for a graphical breakdown of the requirements and how to meet them.