What is PCI Compliance?
Businesses in the Payment Card Industry (PCI) must comply with the rules and regulations set forth by the Payment Card Industry Data Security Standard (PCI DSS), which is administered by the Payment Card Industry Security Standards Council (PCI SSC). Formed in 2006, the PCI SSC was created by the five major payment card companies: American Express, Discover Financial Services, JCB International, Visa Inc., and MasterCard.
It was these companies, not the U.S. Federal Government, that instituted these standards as a way of policing their own industry and guaranteeing the uniformity of payment card cybersecurity and consumer protections. There are related standards, such as the Payment Application Best Practices (PABP), which the Council manages, and the EMV (originally Europay, MasterCard & Visa) standards, which it does not manage but collaborates on.
While the penalties or fines which the SSC levies are not enforced by the government, they certainly have teeth, and ignoring them can be catastrophic for the violator. These companies control the bulk of the world’s payment card transactions, and it’s not a club many companies want to be barred from.
Many small businesses try to save a few bucks by underspending on their IT support and the cybersecurity that should (but often doesn’t) go along with it. Going with the old IT support model of Time and Materials (hourly rate), what we in the industry call ‘Break & Fix’, wherein an uncertified, generic IT Services ‘Guy’ shows up to try and fix whatever breaks
Although the PCI Compliance Guide does not publish or report the amounts of individual fines, it states in its Blog FAQs that: “The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine along until it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business. It is important to be familiar with your merchant account agreement, which should outline your exposure.”
What that means is that the muscle the SSC wields encourages banks to make it very difficult for the violator to continue to conduct payment card transactions, in effect potentially putting them out of business. What consumer in this day and age is going to keep transacting with a business when their payment options are sent back to the old days of mailing in a check or paying cash at the counter?
While retail merchants comprise a great number of the businesses that need to be PCI compliant, many professional service businesses also accept credit or debit card payments. A doctor’s office must meet both PCI and HIPAA compliance standards, among the requirements from other industry regulators. Each type of industry has its own group of compliance requirements to adhere to.
As a renowned member of the IT Support Los Angeles community, IT Support LA, a Managed IT Services firm, is familiar with the various compliance requirements any type of business needs to meet, and will institute the proper cybersecurity measures to ensure that no data breach attempts are successful and that the standards for all applicable compliance regimes are met.
PCI Assessment & Compliance Q & A
Q: What data falls under PCI compliance?
A: Pretty much all information concerning payment cards and cardholders falls under the purview of PCI protection: certainly the information present on the cards themselves, as well as any accounts connected to the cards.
Q: How do you know if you are PCI compliant?
A: The easiest and most reliable way is to ask whatever model of IT consulting services you use. If they do not know, or do not even know where to find out, fire them and get a Managed IT Services firm to safeguard your business data. This is not an area where you can afford to have the Junior Varsity team on the gridiron trying to protect you.
There are certain online checklists, guides, and even scans that can be performed, but IT Support LA cannot verify their security, vouch for them, or recommend them. This is an IT Support issue, so it is best to let the professionals see to it; that’s what you pay them for.
Q: How do I become PCI compliant?
A: There are 6 basic steps:
- Assessment/Analysis: Identify the tier of standards you must meet and see where you stand now and where you fall short.
- Make all necessary changes and cybersecurity upgrades.
- Download the correct version of the Self-Assessment Questionnaire (SAQ) and fill it out.
- If you don’t use one already, find a provider that offers data tokenization, which stores your data in a secure web-based portal. Start with the IT Support service you use.
- Complete the formal Attestation of Compliance (AOC), then have a qualified security reviewer verify your compliance.
- File all your paperwork with the appropriate banks and/or payment card companies.
Q: What does it cost to become PCI compliant?
A: The initial cost varies, while the ongoing costs are based on the size of the company and the methods of transmission and storage. The range can be anywhere from $300 per year for small ‘mom & pop’ shops to over $70,000 per year for giant corporations.
Q: How many levels of PCI compliance are there?
A: There are 4 levels, with Level 1 being the most stringent and Level 4 the least (although by no means lax). The levels are primarily based on the number of transactions per year: the higher the level number, the less stringent the ongoing assessment processes.
Level 4: Applies to small businesses handling fewer than 20,000 eCommerce transactions and fewer than 1 million other transactions per year.
Level 3: Between 20,000 and 1 million eCommerce transactions per year.
Level 2: Between 1 million and 5 million transactions per year.
Level 1: The highest corporate level, ‘big box’ retail chains and companies like Amazon, with 6 million or more transactions per year.