PCI compliance: Do you know where you stand?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of measures designed to protect customer information involved in card transactions.

It applies to all companies that encounter any kind of credit card information. That is, any company that accepts, processes, stores, or transfers information retained by a credit card.
As expected with such sensitive information, security must be seriously considered.

Seriously considered, and continuously maintained.

PCI DSS provides the starting point in such security measures. Designed to cover the basics in protection, the measures are specifically focussed on the cardholder. It is imperative that your company is aware of what these measures entail, to keep both you and your customers safe.

What are the standards?

Visa has produced a table of four levels that merchants can categorise themselves into. The levels are determined by the amount of Visa transactions processed in a 12-month period, and affect the measures that the businesses need to take.

For example, if your company processes over 6million Visa transactions in a year, it will be placed in the Level 1 of security requirements to protect the system. A small or medium sized business is more likely to be placed in Level 4, defined by processing fewer than 20,000 e-commerce transactions per year, and all other merchants processing up to 1 million transactions per year.

Note: Each credit card merchant (e.g. Visa, Mastercard, Discover, American Express) has its own criteria for level categorisation, so double check where your business lands.
What does Level 4 require?

  1. That you complete the relevant self-assessment questionnaire (SAQ)
  2. Some merchants will require evidence that you pass the vulnerability scan. If this includes yours, use the Approved Scanning Vendor (ASV) as pre-approved by the PCI council
  3. Complete the Attestation of compliance relevant to your business (as found in the SAQ)
  4. Submit all completed documentation and required evidence to your acquirer

The penalties for failing your PCI compliance validation can be severe, with not only fines but an entire termination of your card acceptance agreement. Not only that, but customer confidence will be diminished. The combination of the three makes it hard for any business to survive.

It’s a complicated process, and when stakes are high, there is even more pressure to get it right.

According to ControlScan, a provider of PCI, 48% of micro-merchants (defined as those with 10 or fewer employees) were either ‘unsure’ or ‘not-at-all familiar’ with the standards they needed to remain PCI compliant.

Others simply didn’t think that the consequences would be worth the hassle, perhaps thinking that their businesses were too small for PCI to matter to them.

This is not the case. Cybercrime threats are evolving at a disturbing rate, the most expensive case so far being Epsilon in 2011. Email hackers tapped into to their customers sensitive information, and cost the company $4 billion.

By outsourcing your IT needs, you place the responsibility of PCI compliance in one very capable pair of hands. Allow the experts to do the work for you, giving you total confidence that your business stays strong and protected.

For a more thorough guide on becoming PCI compliant, contact your acquirer bank.