PCI compliance means meeting the Payment Card Industry Data Security Standard (PCI DSS), a set of requirements published by the PCI Security Standards Council to ensure that merchants and service providers protect cardholder data wherever it is stored, processed or transmitted.
The PCI DSS applies to every entity that stores, processes or transmits cardholder data, whatever its size; what changes with volume is how compliance must be validated. The card brands sort merchants into levels by annual transaction count, and the largest (Level 1, more than 6 million transactions a year) face the strictest validation.
The PCI Security Standards Council was founded in 2006 by the five major card brands: Visa, Mastercard, American Express, Discover and JCB (UnionPay joined later as a strategic member).
Why is PCI Compliance Important?
PCI compliance is important because it protects customers from potential data breaches that could occur if credit card information was improperly handled.
In recent years, many businesses have fallen victim to attackers who gained access to their information systems and made off with millions of card numbers. TJX disclosed a breach in 2007 that exposed tens of millions of card records; CardSystems Solutions (2005), RBS WorldPay (2008), Heartland Payment Systems (2009) and Global Payments (2012) each reported intrusions into their processing systems that affected millions of cards at once. Even InterContinental Hotels Group, one of the world's largest hotel operators, disclosed in 2017 that card-stealing malware had been found on front-desk payment systems at more than a thousand of its properties.
While there is no such thing as foolproof data security, complying with the PCI Security Standards goes a long way in protecting customers from becoming victims of identity theft and fraud.
What are the PCI Security Standards?
The PCI DSS is a comprehensive set of requirements designed to protect cardholder data during card processing. Its twelve requirements are grouped under six control objectives:
- Build and maintain a secure network and systems (network security controls, no vendor-supplied defaults)
- Protect account data (protect stored cardholder data; encrypt it in transit over open, public networks)
- Maintain a vulnerability management program (anti-malware; secure systems and software)
- Implement strong access control measures (need-to-know access, user identification and authentication, physical access restrictions)
- Regularly monitor and test networks (logging and monitoring; regular security testing)
- Maintain an information security policy (including an incident response plan)
What are the Penalties for Non-Compliance?
Businesses that do not comply with the PCI DSS can face significant penalties, including fines, higher transaction fees, loss of the ability to accept cards, and liability for fraud losses and breach costs. The PCI DSS is a contractual standard, not a law, so non-compliance by itself does not lead to imprisonment.
The PCI Security Standards Council does not levy fines. Fines are imposed by the card brands on a merchant's acquiring bank, which passes them on under the merchant agreement. Heartland Payment Systems, for example, paid well over $100 million in settlements with Visa, Mastercard, American Express and others after the breach of its processing network disclosed in 2009.
In addition, card brands such as Visa and Mastercard can direct acquirers to suspend or terminate the merchant accounts of businesses that are not PCI compliant. Criminal charges are a separate matter: they are brought against the attackers under computer-crime statutes (the TJX and Heartland intrusions led to federal convictions), while a breached merchant faces civil liability and breach-notification obligations rather than prosecution for non-compliance.
How Can I Become PCI Compliant?
How a business validates compliance depends on its merchant level, which the card brands set by annual transaction volume:
- Level 1 merchants (more than 6 million transactions per year) must have an annual on-site assessment by a Qualified Security Assessor (QSA), producing a Report on Compliance (ROC)
- Smaller merchants (Level 4, for example, covers those with fewer than 20,000 e-commerce transactions and up to 1 million total transactions per year) may instead complete a Self-Assessment Questionnaire (SAQ)
- Merchants with Internet-facing systems in scope must also pass quarterly external vulnerability scans by an Approved Scanning Vendor (ASV)
The SAQ comes in several versions matched to how cards are accepted:
- SAQ A: card-not-present merchants that fully outsource all cardholder data functions to PCI-compliant third parties
- SAQ A-EP: e-commerce merchants that outsource payment processing but whose own website affects the security of the payment page (for example by serving the redirect or iframe)
- SAQ B-IP: merchants using standalone, IP-connected payment terminals with no electronic storage of cardholder data
- SAQ C-VT: merchants that key in transactions one at a time through a web-based virtual terminal on an isolated computer
- SAQ D: all other merchants, and all service providers eligible to self-assess; service providers do not use the other SAQ types
PCI compliance is a must for any business that processes credit cards. By complying with the PCI Security Standards, businesses can protect their customers from potential data breaches and help deliver a positive customer experience.