PCI Compliance Fines and Your Small Business: What You Need to Know
If your business accepts credit cards, you’re required to follow the Payment Card Industry Data Security Standard. Known as PCI DSS or PCI for short, this standard applies to any entity that processes credit cards, whether that entity is a B2B or B2C operation. This means even if your organization doesn’t have a storefront and you only accept credit cards from clients, you are responsible for following PCI guidelines.
As a business, it’s your responsibility to know the rules as they apply to accepting credit cards. Failure to do so means you’ll be paying hefty fines to your bank for failing to protect your customers acceptably. Most importantly, you’ll be letting down the very customers who trust you with their information. Here are a few things every business owner should know before accepting credit cards.
PCI vs. HIPAA
HIPAA requirements are set by the Federal government, overseeing how healthcare organizations handle consumers’ medical information. Unlike HIPAA, PCI standards are set by card issuers and are therefore not part of our nation’s laws. When you violate PCI rules, you’re actually accountable to the bank that issued each card you put at risk. This means if you experience a security breach due to your non-compliance, card issuers will put the responsibility on your business.
Fees for PCI non-compliance range in the thousands of dollars per month from the time the non-compliance is realized until the time it is fixed. All issues must be repaired for the business to be considered compliant, which means that you’ll be paying those fees each month until you’ve fixed things to each card issuer’s satisfaction.
Levels of Compliance
Credit card companies assign compliance levels based on the number of transactions a business processes each month. Level 1 applies to merchants that process the largest volume of transactions in a given year, while Level 4 applies to low-volume merchants that specialize in small-dollar sales or rarely process credit card transactions.
Businesses take a self-assessment questionnaire in which they describe the credit card interactions they have with their customers. This questionnaire is used to validate their compliance with PCI rules. Businesses may also be required to provide validation of a passing vulnerability scan, conducted by an approved vendor, if they are specific types of service providers.
Your business should have top-notch security in place to protect information as it travels across your network. You should have a firewall in place to keep information safe as it is scanned or entered into your system. Credit card data should also be encrypted if it travels across open networks from your point of sale to your payment processor.
Most importantly, you shouldn’t store customer credit card information on your own server unless it’s necessary. If you choose to allow the customer to opt in to store credit card data for future purchases, make sure it is encrypted and secure. You should never store the three-digit validation number printed on the back of customers’ credit cards.
One of the biggest dangers to merchants is their own employees. Careless password behavior puts businesses at risk, and it is easy to become lax in your password policies. When a vendor issues a default password, make a point of changing it immediately. That way, if an incident happens, the vendor won’t be able to blame you for the password being guessed.
In addition to changing default passwords, your business should also choose complex, difficult-to-guess passwords for any systems through which credit cards will be accepted. Make sure employees don’t write passwords down and leave them around and instill the importance of keeping password information top secret.
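As an added illustration of the storage rules above (this is example code, not something from the original article), the intake function below sends the card number and validation code to the processor once, keeps only a processor token plus the last four digits, and refuses to write a CVV or a full card number to storage. The processor call and the field names are assumptions for the example.

```python
import re
import secrets
from dataclasses import dataclass

# Field names treated as sensitive authentication data: never stored after authorization.
PROHIBITED_AFTER_AUTH = {"cvv", "cvc", "cid", "track_data", "pin_block"}

def luhn_valid(pan: str) -> bool:
    """Checksum every card number must pass; catches typos before anything is sent."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

@dataclass(frozen=True)
class StoredCard:
    token: str   # processor-issued reference, useless outside that processor
    last4: str
    expiry: str

def authorize_with_processor(pan: str, expiry: str, cvv: str) -> str:
    """Stand-in for the payment processor's API (assumed; not a real vendor call)."""
    return "tok_" + secrets.token_hex(8)

def persist(record: dict) -> dict:
    """Gate in front of the database: refuses rows carrying a CVV or a full PAN."""
    leaked = PROHIBITED_AFTER_AUTH & {k.lower() for k in record}
    if leaked:
        raise ValueError(f"refusing to store sensitive authentication data: {sorted(leaked)}")
    for v in record.values():
        if re.fullmatch(r"\d{13,19}", str(v)) and luhn_valid(str(v)):
            raise ValueError("refusing to store a full card number")
    return record

def take_payment(pan: str, expiry: str, cvv: str, store_for_reuse: bool) -> "StoredCard | None":
    pan = re.sub(r"\D", "", pan)
    if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
        raise ValueError("invalid card number")
    token = authorize_with_processor(pan, expiry, cvv)
    del cvv  # the CVV goes to the processor once and is never written anywhere
    if not store_for_reuse:
        return None
    card = StoredCard(token=token, last4=pan[-4:], expiry=expiry)
    persist({"token": card.token, "last4": card.last4, "expiry": card.expiry})
    return card
```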
Encourage Employee Responsibility
For some businesses, protecting customer credit card data is more challenging than for others. A business that accepts credit card orders by phone, for instance, may find that employees must regularly read back the numbers to verify them. If third-party vendors, untrustworthy employees, or customers are lingering nearby, those numbers could easily be overheard. If a customer gets into the habit of writing numbers down, those numbers could be left in the trash or on a desk, where they could fall into the wrong hands.
Employees should be trained to enter credit card data directly into a system without scribbling it down. If an employee must regularly read credit card numbers back, that employee should be isolated in an area of the office where the conversation can’t be overheard, even if this means putting a caller on hold and escaping to a private office that has a door.
As devastating as fines would be, a major breach could lead to revocation of your credit card acceptance privileges. In other words, you would no longer be allowed to accept credit cards from your customers and clients. You would also be required to notify affected customers, muddying your business’s reputation in the community. Some major companies still have customers holding a credit card breach against them, even after years with no incidents.
When you sign up to accept credit cards, make sure you read through the requirements specific to those cards. In addition to PCI compliance, you’ll also need to make sure you aren’t violating your agreement in any other area to ensure you remain in good standing with your processor and all applicable credit card companies.
Become EMV Compliant
Whether businesses are prepared or not, EMV is coming. If you don’t upgrade your equipment by October, you will be responsible for any fraudulent charges that occur as a result. While PCI standards don’t directly address EMV, the goal of PCI is to work in conjunction with EMV to keep customers safe.
Your business can reduce its fraud risks and keep credit card issuers at bay by simply upgrading to the latest equipment. When combined with all of the other security measures, you’ll avoid an incident and uphold the trust your customers put in you when they hand over a credit card for payment.
PCI compliance is a required part of accepting credit cards in your business. To stay on the good side of credit card issuers, it’s important to make sure every card you process through your systems is secure and encrypted as it travels. By doing so, you’ll satisfy credit card issuers as well as your own customers.