PCI compliance requires that any business that processes transactions or stores credit card or cardholder data MUST be compliant with the PCI DSS (Payment Card Industry Data Security Standard). If you handle or accept credit card payments, this means you too. Non-compliance is not an option, and the fines and consequences are hefty.
Attacks on credit card data, personal information and other private data are a big part of “white-collar crime”. The anonymity the internet gives the criminal makes the problem larger and the threat bigger, as attacks can be launched from anywhere in the world, even from within your own organization. These days business size and type have little to do with the likelihood of a data breach or attack, since many attackers take the view that “any data will do”, no matter the size of the organization or business.
Plain and simple, PCI is not optional, and practicing compliance should be treated as a key business policy. The PCI security requirements have been put in place to secure the data, and everyone must become compliant. Non-compliance brings fines and penalties from the payment card industry and providers. Fines can include the following:
- Fines of $500,000 per data security incident
- Fines of $50,000 per day for non-compliance with published standards
- Liability for all fraud losses incurred from compromised account numbers
- Liability for the cost of re-issuing cards associated with the compromise
- Suspension of merchant accounts
Weigh your options...
How important are your business, your livelihood and your personal and business information? Are you willing to take the risk of a data breach or attack? A single data breach can be devastating to you and your business, put you out of business, or worse, and the fines and penalties can be just as massive. The penalties listed above are good indicators of what one can expect, but they can get heftier and more expensive. It is simply not worth the risk: either a data breach or the fines and penalties can be devastating, not to mention that you can lose your merchant account and no longer be able to accept credit cards as payment.
What do I need to do?
Your processor will be able to provide you with a PCI product or service through which you can fill out a PCI questionnaire known as an SAQ (self-assessment questionnaire). There are 4 merchant PCI levels, and each one has its own qualifications. Check with your provider to see which PCI category, Level 1-4, you belong in. The SAQ will ask questions that pertain to your business and business type, computer networks, how you store your data, security (both physical and logical), policies, audit and tracking, and training and awareness. Not only should you become PCI compliant, but you should also periodically go over the requirements for training purposes and to reassess PCI as the business grows or changes.
What happens if I am breached?
Currently 38 states have enacted some sort of breach disclosure law. In general, most state laws follow the basic tenets of California's original law, which was enacted in 2002. Companies that are breached must immediately disclose the data breach to customers, usually in writing. Companies must also notify their processor, who will then notify the bank. At that point the processor or bank will initiate a PCI DSS audit of the merchant to see whether the merchant was in fact PCI DSS compliant at the time of the breach.
In case of a data breach you must report and disclose it to your customers, business partners, banks and providers. This is the law known as California SB 1386, which most states follow and adhere to. So, in essence, you have to make the breach public knowledge. The processor and PCI organization will then determine whether the business was or was not PCI compliant at the time of the breach and decide which course of action to take.
The merchant is obligated and expected to report any data breach; failure to do so can result in a lawsuit and prosecution.