Many merchants are confused about what Payment Card Industry (PCI) compliance is. Some are also unsure whether PCI compliance applies to them. The simplest answer is: yes, it applies to your business. To understand why the confusion exists, let’s talk about what the PCI standard is and why it is required of every business that accepts credit cards.
The PCI Security Standards Council was formed in 2006 by AMEX, JCB International, Visa Inc., MasterCard and Discover. The Council established the PCI Data Security Standard (DSS), a set of guidelines governing cardholder data security. The official PCI compliance site is a great source of information for merchants.
Any merchant or financial institution that handles cardholder data is subject to the PCI DSS. Merchants mistakenly assume that if their credit card processor or merchant services provider doesn’t require them to be PCI compliant, they are exempt from the standard. That is unfortunately false. When a processor or provider doesn’t require a merchant to validate PCI DSS compliance, the processor is simply taking a lax approach to the standard; the merchant’s obligation remains.
Should a breach occur at a merchant that has not attested its compliance and taken all of the steps to secure cardholder data outlined in the PCI DSS, the merchant, not the processor, is responsible for the breach. Another common misconception is that breaches only affect larger merchants and that smaller businesses are therefore not at risk. On the contrary, according to Trustwave research, 90% of data breaches impact small merchants!
Breaches are expensive! PCI DSS requires that even when a merchant is only suspected of having a breach (not confirmed), the merchant must undergo a forensic examination to determine whether a breach actually occurred and, if so, to what extent. The examination is conducted by a certified third-party auditor and is costly. If a breach is confirmed, the fees and expenses continue to mount, reaching upwards of $36,000 for a small, Level 4 merchant. The annual cost of compliance isn’t so bad considering the alternative!