What is PCI Compliance and why does it matter?
If you are an e-commerce or brick-and-mortar merchant, you’ve probably heard the term “PCI-DSS Compliance” – commonly shortened to PCI Compliance – at least a few times. But while many businesses talk about this concept, few actually understand what it is and what it means for their payment processing. eMerchant knows the importance of PCI Compliance and is here to help your business meet this credit card industry standard.
A Brief History of PCI-DSS Compliance
Prior to 2006, every credit card company had its own data security standards for payment processing, and these standards could vary widely. Recognizing the need for a common industry standard, the five major brands – Visa, MasterCard, American Express, Discover and JCB – created the Payment Card Industry Security Standards Council (PCI-SSC). This council subsequently developed the Payment Card Industry Data Security Standard (PCI-DSS), which was officially implemented on August 7, 2006. This standard is not a federal law, but its requirements have been enforced by these credit card companies to this day, and any merchant who fails to comply risks having their credit card processing ability revoked.
PCI Compliance Basics
Any merchant or organization that transmits, processes, stores or otherwise accepts credit card and debit card information – whether they accept this info online, in person or over the phone – must follow PCI security standards. All cardholder data must be hosted and protected following a set of 12 security requirements. The data this applies to includes the full Primary Account Number, cardholder name, expiration date, service code and all Sensitive Authentication Data. Note that while using a third-party payment processor can reduce a company’s risk exposure, it does not exempt the company from PCI requirements: the merchant still has to secure whatever cardholder data it touches and still has to validate its compliance.
Levels of PCI Compliance
There are four PCI Compliance levels, which are based on how many credit card transactions are processed within a 12-month span. For e-commerce merchants, these levels range from Level 4 (fewer than 20,000 annual transactions) up to Level 1 (more than 6 million annual transactions). Compliance standards vary within each level, as does the cost – Level 4 companies may pay as little as $700 a year to remain PCI compliant, while Level 1 companies could end up spending more than $50,000 a year. Each level requires quarterly network scans by approved vendors, an annual Attestation of Compliance and either a self-assessment questionnaire or a report by a qualified assessor.
Non-Compliance Penalties and Other Consequences
At any level, the penalties for failing to comply with PCI-DSS standards can be severe. Each credit card brand and bank has its own fine schedule, but for Level 1 merchants, fines can start at up to $10,000 per month and increase the longer a business remains non-compliant. Payment processors often charge their own monthly non-compliance fees or increase transaction fees for merchants that do not meet the standards. Breaches of cardholder data can mean additional fines and, in extreme cases, temporary or permanent suspension of the ability to accept credit cards. This comes on top of the damage to reputation and trust with customers and suppliers.
As the merchant who decides to accept credit and debit card payments, it is ultimately your responsibility to become PCI compliant. But for many smaller businesses, it can be relatively simple to implement the requirements. If you choose eMerchant as your credit card payment processor, we will help you stay on top of payment information security and remain a successful merchant.