PCI Compliance: FAQs

Kristen Gramigna, Executive Chronicles | Although PCI standards have been in place since 2006, there remains quite a bit of misunderstanding and confusion about what it means to be PCI compliant, and why it matters for the protection of your customers and your company. Here are some regularly asked questions about PCI compliance.

Am I legally required to follow PCI standards to accept credit and debit card payments? PCI stands for “payment card industry”, and PCI compliance means meeting the PCI Data Security Standard (PCI DSS). PCI DSS isn’t law; it is a set of security requirements maintained by the PCI Security Standards Council, which the major card brands founded in 2006 to protect payment networks, processors and financial institutions, businesses that handle sensitive customer payment data, and customers who pay using debit and credit cards. Compliance is enforced contractually rather than by statute: your merchant agreement with your acquiring bank requires it, and the card brands levy fines and fees through the acquirer. So while non-compliance by itself will not land you in court, if your business is involved in a breach and is found not to have been compliant at the time, you could be subject to thousands of dollars in fines and fees, the cost of a forensic investigation, higher processing rates or loss of the ability to accept cards, and, possibly, lawsuits.

Isn’t my business too small to worry about a breach? Any business that accepts customers’ credit and debit cards for payment is responsible for protecting the card data it handles, from the moment a card is presented through authorization and settlement and for as long as any of that data is kept afterwards. PCI DSS divides this data into two classes. Cardholder data is the primary account number (PAN, the 13- to 19-digit number on the card) on its own, or the PAN together with the cardholder’s name, expiration date or service code; it may be stored only if there is a business need, and then only protected (rendered unreadable by encryption, truncation or tokenization, and masked when displayed). Sensitive authentication data is the full contents of the magnetic stripe or chip, the three- or four-digit card verification code (CVV2, CVC2, CID) and PINs or PIN blocks; it must never be stored after authorization, even encrypted. Size does not change these obligations, and attackers routinely target small merchants precisely because they expect weaker controls.

That said, the card brands sort merchants into levels based on the number of credit and debit card transactions they process over a 12-month period, and the level determines how compliance must be validated, not which requirements apply: every merchant must meet all applicable PCI DSS requirements. Under Visa’s definitions, for example, Level 4 covers merchants processing fewer than 20,000 e-commerce transactions a year, or up to one million transactions a year across all channels; these merchants typically validate with an annual Self-Assessment Questionnaire (SAQ) and quarterly vulnerability scans rather than an on-site assessment. Which SAQ a small merchant qualifies for depends on how it accepts cards: an e-commerce business whose payment acceptance and processing pages are delivered entirely by a third-party, PCI DSS validated service provider, so that card data never touches its own systems, is eligible for the shortest questionnaire (SAQ A). That is why outsourcing the payment page is the usual recommendation for small businesses.

Don’t all payment processors guarantee PCI compliance? A processor that touts “secure transactions” and one that has actually been validated as a PCI DSS compliant service provider are not necessarily the same thing; ask for the provider’s Attestation of Compliance (AOC) and check the card brands’ lists of validated service providers rather than relying on marketing language. When you partner with a processor that is validated for the full transaction process, you have some assurance that it uses tokenization and current encryption to protect sensitive data, and that its processes keep pace with new versions of PCI DSS, which change as technology and attackers evolve. Remember, too, that using a compliant processor does not by itself make you compliant: PCI DSS still covers what happens inside your own business. Card numbers written down on paper, for example when a payment terminal temporarily malfunctions and staff note the details to key in later, are cardholder data, and that paper falls under the same storage, physical security and destruction requirements as any database. The safest practice is not to write full card numbers down at all.

Does PCI compliance mean I can’t accept credit cards by phone? No, but PCI DSS does impose specific requirements on call centers that take card details over the phone: the three- or four-digit card verification code may be used to obtain the authorization but must never be retained afterwards, whether on paper, in a ticketing system or in a call recording; and the full primary account number should be stored only where there is a business need, and then only masked on screens and printouts and rendered unreadable (encrypted, truncated or tokenized) at rest.
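The answers on written records and phone orders both come down to one rule: verification codes must never be retained, and full account numbers must be masked wherever they do not need to be readable. As an added example (not code from the original article or from BluePay), here is a small Python scrubber for free-text records such as call-center notes or support tickets: it finds Luhn-valid 13- to 19-digit account numbers and masks them to the first six and last four digits that PCI DSS allows to be displayed, and it deletes any verification code that follows a label such as "cvv" or "security code". The sample notes and the label list are constructed for this example; the card numbers in them are well-known public test numbers, not real accounts.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens,
# not immediately preceded or followed by another digit.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Card verification code written after a label. The label list is a constructed
# assumption for this example; extend it to match how your own agents write notes.
CVV_RE = re.compile(r"\b(cvv2?|cvc2?|cid|security code)(\s*[:#]?\s*)(\d{3,4})\b",
                    re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out most digit runs (order or phone numbers) that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """PCI DSS masking: show at most the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub(text: str) -> tuple[str, int, int]:
    """Mask every Luhn-valid PAN and delete every labelled verification code in text.

    Returns (clean_text, pans_masked, codes_removed). PANs are masked because cardholder
    data may be kept if protected; verification codes are removed outright because
    sensitive authentication data must not be stored after authorization.
    """
    pans = 0

    def mask_match(m):
        nonlocal pans
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            pans += 1
            return mask_pan(digits)
        return m.group(0)       # plausible length but fails Luhn: leave it alone

    text = PAN_RE.sub(mask_match, text)
    text, codes = CVV_RE.subn(lambda m: m.group(1) + m.group(2) + "[removed]", text)
    return text, pans, codes


# Constructed sample call-center notes. The card numbers are public test numbers.
SAMPLE_NOTES = [
    "Customer paid by phone, card 4111 1111 1111 1111 exp 12/27, cvv 123",
    "Order ref 4111111111111112 shipped",          # fails Luhn, so not a PAN
    "Refund to 5555-5555-5555-4444, security code: 9876",
    "Terminal down, took card over the phone - will key in later",
]


def scrub_all(notes: list[str]) -> list[tuple[str, int, int]]:
    """Scrub a batch of records; the counts tell you how much card data was being kept."""
    return [scrub(n) for n in notes]


if __name__ == "__main__":
    for clean, pans, codes in scrub_all(SAMPLE_NOTES):
        print(f"{pans} PAN(s) masked, {codes} code(s) removed: {clean}")
```

Run it over exported ticket or note data before you decide whether a system is in scope: a non-zero count of masked PANs or removed codes means card data was being stored there, and the fix is to change the process that put it there, not only to scrub what has accumulated. The Luhn check keeps the scrubber from mangling order or reference numbers that merely look like card numbers.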

How do I know if my business is PCI compliant? PCI compliance is a mixture of using validated payment processors and maintaining the security of your own IT infrastructure: networks, hardware, software and point-of-sale processes. PCI DSS Requirement 11 calls for internal and external vulnerability scans at least once every quarter and after any significant change to the network. External scans must be performed by an Approved Scanning Vendor (ASV) certified by the PCI Security Standards Council and probe the Internet-facing systems an attacker could reach from outside; internal scans check the networks, firewalls, point-of-sale equipment, devices and computers used in your business for weaknesses an intruder who got inside could exploit. Findings must be fixed and rescanned until a passing scan is obtained. Many vendors offer for-hire services to help small businesses run these scans, fix what they find and complete the Self-Assessment Questionnaire; larger merchants are assessed on site by a Qualified Security Assessor (QSA).

PCI compliance entails additional measures on your part, but familiarizing yourself with the security standards and building them into your processes is well worth the effort when it comes to reducing your business’s exposure to risk.

Author bio: Kristen Gramigna is Chief Marketing Officer for BluePay, a credit card processing firm. She has more than 20 years’ experience in the bankcard industry in direct sales, sales management and marketing. Follow her on Twitter at @BluePay_CMO.