PCI-compliant describes an organization that follows the Payment Card Industry Data Security Standard, also referred to as PCI DSS, a complex and comprehensive set of standards administered by the Payment Card Industry Security Standards Council (PCI SSC). The overall purpose of PCI DSS is to reduce credit card fraud by securely handling cardholder data throughout the acceptance, processing, storage and transmission of credit card information.
PCI standards have been in existence since 2006, and have evolved steadily to keep up with technology and fraudulent activities. Any organization that accepts credit cards, regardless of size, can and should be PCI-compliant — to protect its cardholders and itself.
Performance Card Service works with PCI-compliant processors that support the proper acceptance, processing, storage and transmission of a merchant’s transactions. This is extremely important, obviously; however, PCI compliance goes beyond the scope of your processor and affects aspects of your internal business, such as how you store credit card data (if you do) and the procedures you follow when accepting credit card orders over the phone.
Compliance guidelines for merchants vary according to transaction volume. Currently there are four levels of compliance, all based on the number of annual Visa transactions a merchant processes. The breakdown is as follows:
- Merchant Level 1 — 6,000,000+ annual transactions, all channels (card present, card not present, e-Commerce).
- Merchant Level 2 — 1,000,000-6,000,000 annual transactions, all channels.
- Merchant Level 3 — 20,000-1,000,000 e-Commerce transactions.
- Merchant Level 4 — Up to 1,000,000 annual transactions, all channels, or up to 20,000 annual e-Commerce transactions.
The 12 general areas of PCI DSS compliance are:
- Firewalls, to prevent hackers from accessing data.
- Password protection.
- Encrypted collection of cardholder information.
- Encrypted transmission of cardholder data.
- Use and maintenance of antivirus software.
- Updating of firewalls and antivirus software.
- Restricted data digital access procedures.
- Unique ID access for credit card access.
- Restricted data physical access procedures.
- Creation and maintenance of access logs.
- Processes for scanning and testing for vulnerabilities.
- Documentation, including equipment inventory, software, data access, data flow and PCI processes.
PCI compliance needs to be taken very seriously for many reasons. Data breaches are a constant problem for retail and commercial businesses alike. Large breaches at well-known companies attract lots of media attention and make people fearful of sharing their credit card data, especially when placing online orders. The ability to promote your business as being PCI-compliant helps reassure customers that their data is handled securely. Beyond the branding and customer retention advantages of PCI compliance, adhering to PCI standards reduces your risk of having cardholder data fall into the wrong hands. If fraud strikes, your business is vulnerable to financial losses to cover the cost of fraudulent transactions stemming from the data theft. Furthermore, even though your customers are unlikely to have to pay for unauthorized transactions, a breach on your end will still force them to go through the aggravation of getting new cards, experiencing the worry of having their cards stolen, and in some cases dealing with a damaged credit rating. All of these issues open the door to lost profits, lost customers and lost customer goodwill.
If you would like a review of your PCI compliance options, or would like to start working with a solid, PCI-compliant processor, contact us now for a review of payment solutions.