Technology is always advancing and so are the requirements your business must follow. One area in which you need to comply is with credit or debit cards transactions. Even through the pandemic, compliance is something that needs to be maintained so businesses don’t get shut down.
The regulation pertaining to credit and debit card transactions is called the Payment Card Industry Data Security Standards, or PCI DSS. Being in good standing with the regulatory guidelines is referred to as PCI compliance. PCI DSS establishes security standards for organizations that accept credit and debit cards or have access to cardholder information.
PCI DDS mandates that your business agrees to take certain precautions with cardholder data. These precautions may include installing software that protects payment systems as well as generally strengthening security measures around your business.
Why does your business need to comply with PCI DSS?
Credit and debit card data is extremely sensitive by nature. When this information gets mishandled and falls into the wrong hands, it can cause extreme financial distress for victims. Aside from obvious ethical obligations to protect their customers, organizations also face steep penalties for failing to comply (see below).
Many people are working from home and using remote technologies to stay connected and get work done. When employees work from home, they often lose many of the security tools and protocols they had in the office. For any company accepting payments in the form of Visa, Mastercard, American Express, or Discover—especially those engaged in e-commerce—this means additional danger. With all that data floating around, the last thing you want is a lack of adequate security.
There are four levels of PCI compliance depending on the amount of transactions your business handles:
- Level 1 applies to merchants who have over 6 million transactions annually or who have experienced any sort of data breach in the past. The requirements for these companies include forms to be filled out, onsite assessments to conduct, and even the need to obtain a High Assurance SSL certificate. Along with all these requirements, there is an annual $50,000 fee.
- Level 2 applies to any merchant with transactions totaling between 1 and 6 million a year. These companies are required to fill out self-assessment questionnaires on PCI DSS, have a passing network scan, and complete a proof of a compliance form. These companies also have an annual fee of $10,000.
- Level 3 applies to merchants with e-commerce transactions from 20,000 to 1 million a year. These requirements are the same as mentioned in level 2, but the fees for these merchants are only $1,200 annually.
- Level 4 applies to merchants with e-commerce transactions fewer than 20,000 and merchants with in-person transactions up to 1 million processed every year. Their requirements include expenses incurred from compliance attestation, network scans, and annual compliance reports with $60-$75 in fees per month.
What are the consequences of PCI noncompliance?
Failure to comply means the PCI Security Standards Council will impose fines on your company. The council is comprised of major payment card brands including American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.
Noncompliance can also result in forensic investigations and audits on your business. Over time, noncompliance can result in loss of customers which reduces sales and can lead to business failure.
While you may incur some fees for complying with PCI DSS, one study shows that the cost of noncompliance is two times the cost of compliance. The average compliant costs are around $5.47 million compared to noncompliant costs of around $14.82 million.
Failure to comply can also result in data breaches that may force credit brands to attach monthly fines to your business. This just increases your monthly bill when all of this noncompliance could have been avoided. Data breaches are usually the result of not having secure protocols in place and not following the rules.
Even though it may seem confusing and time-consuming to comply with PCI DDS, it is better to understand it and adhere to it sooner rather than later. Compliance will always be a duty your business is obligated to maintain. You don’t have an option to not comply. You do, however, have the option to not waste resources or risk your customers’ data, so it’s really an easy choice. And it’s made even easier still with the help of a managed service provider, or MSP. An MSP can help you stay on the right track—not just with PCI compliance, but with other forms of compliance, as well. Here are more tips on how an MSP can help you!