If you handle, process or store credit cards in any manner, you are required to comply with PCI DSS, the Payment Card Industry Data Security Standard. PCI DSS is not a law; it is a set of contractual security requirements that your agreement with your acquiring bank and the card brands obliges you to meet in order to maintain a secure cardholder data environment. If you violate them, you can incur serious fines, legal fees, reputation damage, and more.
Are you subject to them, even if you only take credit card payments over the phone?
Absolutely! If you have clients that pay you directly by credit card, by any channel, you're subject to these requirements.
What is PCI Compliance?
When you or any other business takes a customer's credit card, you receive a lot of sensitive data. The payment card industry (PCI) sets security standards for every business that deals with credit card information so that your customers' sensitive data is protected.
The major credit card brands, which include American Express, Discover, JCB, MasterCard, and Visa, established these standards, known as the Payment Card Industry Data Security Standard (PCI DSS). The PCI Security Standards Council, which the brands founded, maintains the standard, while the card brands and your acquiring bank enforce compliance with it.
Even if you're a very small business, you must complete an annual PCI self-assessment, and depending on how you accept cards you may also be required to pass quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV).
You must comply with all applicable standards even if you only process one credit card transaction per year.
What Does It Cost to Be PCI-Compliant?
The cost associated with PCI compliance varies according to your merchant level, which is set by your annual transaction volume. For small businesses, PCI compliance costs can be as low as $10 a month, but they vary widely depending on a variety of factors, including your business type, software, hardware, vulnerability scanning, and which SAQ (Self-Assessment Questionnaire) applies to you.
These PCI compliance costs, however, are minimal compared to the cost of non-compliance fines, which the payment brands can adjust at their discretion and which range from $5,000 to $50,000. The brands levy these fines on your acquiring bank, which passes them on to you.
All it takes is an employee jotting a credit card number into an e-mail or storing it on an unsecured piece of paper to put you out of compliance; then you'll be left with legal fees, fines and the reputation damage incurred when you have to contact your clients to let them know you weren't properly storing or handling their credit card information. If you don't maintain compliance with PCI DSS, your acquiring bank can revoke your ability to accept credit cards entirely.
A great resource is the PCI Security Standards Council, or www.pcisecuritystandards.org.
Establishing a PCI compliance plan and updating it regularly can help prevent data breaches, keep your costs down, and maintain your customers’ trust and loyalty.
Getting compliant, or finding out whether you ARE compliant, isn't a simple matter. It requires an assessment of your specific environment and how you handle credit card information. If you want assistance in figuring out whether you're compliant, call us at 636-542-8653, or take your chances.