If you clicked to read this blog post, chances are you are already familiar with PCI compliance and what it entails; but as a refresher from another one of our PCI compliance blog posts, the Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to ensure that ALL companies that accept, process, store, or transmit credit card information maintain a secure environment. The PCI Security Standards Council was formed in 2006 by the five major card brands (American Express, Visa, MasterCard, Discover, and JCB, formerly the Japan Credit Bureau). The Council has no legal authority; PCI DSS is enforced contractually through the card brands and your acquiring bank, so its standards really should be followed in order to keep accepting credit card payments and to help safeguard consumer data.
Millions of businesses have merchant accounts and accept credit cards. If a business chooses not to follow PCI standards, it can mean hefty fines and even the loss of the right to accept credit cards in the future. Alarmingly, Verizon’s 2018 Payment Security Report revealed a drop in PCI DSS compliance for the first time since 2010: only 52.5% of organizations were fully compliant. According to Ciske Van Oosten, Senior Manager of Global Intelligence at Verizon, “It’s not a good trend. We know that organizations that do not maintain PCI-DSS compliance, those are the ones that get breached.”
Unfortunately for small businesses, surviving a data breach is a long shot, but there is a glimmer of hope. According to Verizon, in 14 years of breach investigations it has yet to find a single organization that was fully PCI DSS compliant at the time it was breached. Compliance is not a guarantee against attack, but it closes the gaps that breached organizations keep having in common, so when it comes to deciding whether or not to take the steps to make your small business compliant, it really isn’t much of a choice after all.
Even though the standard has been around for well over a decade, nearly half of all businesses are still non-compliant, so we’re setting the facts straight with answers to 5 common PCI DSS misconceptions and myths.
"I’m just a small business, I don't need to worry about PCI compliance"
Size doesn’t matter. Unless you want to be hit with fines or a data breach, your business must be PCI compliant even if you’re so small that you only process a single credit card payment each year. There are, however, merchant levels, defined by each card brand and based on your annual transaction volume, so your small business doesn’t have to validate compliance the same way a multi-billion dollar business does. For example, Visa Levels 2 through 4 share the same annual validation requirements: these merchants must complete a Self-Assessment Questionnaire (SAQ) and submit an Attestation of Compliance (AOC) each year, and must have a quarterly external network scan performed by an Approved Scanning Vendor (ASV). Level 1 merchants must instead file an annual Report on Compliance (ROC) produced by a Qualified Security Assessor (QSA) or a trained Internal Security Assessor (ISA), submit an annual AOC, and have the quarterly ASV scan performed if applicable. Note that which SAQ you fill out depends on how you accept cards: a shop that fully outsources e-commerce to a hosted payment page may qualify for the short SAQ A, while a business that stores cardholder data on its own systems faces the full SAQ D, so the simplest way to shrink the workload is to keep card data out of your environment in the first place.
"PCI compliance is an IT problem, not mine"
Although your IT staff may implement your PCI-related systems, management needs to be the driving force behind compliance attainment, and every single employee in your organization should be aware of the requirements needed to protect your customers. PCI compliance is wholly a team effort. And once you get to the finish line, you keep going: compliance is an ongoing process of assessing, addressing, and maintaining, and an AOC only attests to the state of your environment on the day it was signed. The risks of non-compliance affect your customers, your reputation, and your entire organization, so everything (and everyone) is at stake.
"Only e-commerce companies have to be PCI compliant"
Nope. If your company stores, processes, or transmits cardholder data, PCI DSS applies, regardless of whether your sales take place online or in a brick-and-mortar shop. This includes financial institutions (banks, lenders, insurance companies), merchants (retailers, restaurants, hospitality), and service providers (data centers, call centers, MSPs). Between flat, unsegmented networks, card skimmers, and weak or default passwords, the POS systems found in traditional retail shops are typically even more at risk than e-commerce solutions. So if you run a business that doesn’t sell merchandise online, it’s more crucial than ever to follow PCI requirements.
"I outsource my credit card processing so I'm automatically PCI compliant"
Accepting credit card payments through a third-party vendor may seem like the easy way out. For a small fee, they process your payments and worry about the regulations, and you get paid, right? Not quite. While it’s true that some vendors act as the merchant of record for your transactions and assume much of the responsibility for maintaining PCI compliance, that doesn’t mean you’re automatically PCI compliant or off the hook. Your internal business environment must still remain compliant, too, and you remain responsible for the parts of the card flow you control, such as the web page that sends customers to the hosted payment form or the terminal on your counter. Improper on-site storage of card data (card numbers in spreadsheets or on paper, or the CVV kept after authorization, which PCI DSS never permits), shared accounts, and not using a firewall or antivirus software are all violations of PCI DSS and your responsibility.
"PCI requirements are too complicated"
With addenda and subsections galore, it’s easy to see why so few businesses put in the effort to comply with PCI DSS. If you break it down into its basic principles, however, it’s much easier to digest: there are actually only 12 PCI DSS requirements, grouped under 6 goals. Plus, when you consider that maintaining compliance protects your customers and your business reputation and saves you money (data breaches are ex-pen-sive), you realize it’s worth a bit of leg work. Besides, you’ve got an expert in your corner (hint: it’s us).
You're not in this alone.
We’ve got you covered.
Assessments | Remediation | ASV Certified Scans & Reports | Mandatory Documentation | Ongoing Compliance Services