APS Payment has published a free Merchant’s Guide to PCI Compliance to help merchants understand and comply with PCI DSS standards. The Payment Card Industry Data Security Standard (PCI DSS) is the specific set of requirements designed to ensure all companies processing, storing, or transmitting credit card information maintain a secure environment. Keeping up with PCI DSS requirements is often overwhelming for the average merchant because it’s complicated and the rules constantly change. You must make sure all employees and systems that interact with credit cards are compliant. This includes the way employees handle credit card information, your network, ERP software, accounting, eCommerce, POS, and /or mobile applications.
Merchants can reduce the cost of PCI Compliance
There are various costs to maintaining PCI compliance and you could face penalties if you complete the process incorrectly. Merchants must stay diligent to keep up. New standards and requirements are released as necessary by the PCI Security Standards Council (PCI SSC) in response to evolving risks of data breaches, identity theft, and fraud. As criminals find new ways to defraud the banks, new standards must be released to stay ahead of the criminals’ attack curve. Maintaining knowledge of the changing requirements is daunting if you try to do it alone. The cost of doing it wrong can also result in expensive liabilities. The good news is that help is on the way!
4 Costs of PCI Compliance
1. PCI Compliance hidden fees and unexpected costs
- Non-Compliance Fines and Penalties – Businesses, and even the owners themselves, failing to comply correctly may be denied the right to process card transactions altogether in addition to the crippling ﬁnancial burden of ﬁnes. Severe financial penalties can range from $5000 to $100,000 monthly until you can prove that you have addressed all vulnerabilities.
- Processor Fees – Your processor company will often charge you for PCI compliance services. You will see this on your monthly merchant statement. APS Payments does not charge its merchants for maintaining this requirement on their behalf.
Vulnerabilities to data breach puts a Target on your back
Target’s infamous 2013 data breach involved 40 million credit and debit card accounts culminating in over $250 million in expenses and losses, due in part to heavy fines as well as lengthy litigation from both consumers and the card brands. Maintain proper PCI Compliance is not just to show due diligence -- it can promote your business from these harsh punishments.
2. Potential Liabilities according to PCI Security Standards
- Lost confidence, so customers go to other merchants
- Diminished sales
- Cost of reissuing new payment cards
- Fraud losses
- Higher subsequent costs of compliance
- Legal costs, settlements, and judgments
- Fines and penalties
- Termination of ability to accept payment cards
- Lost jobs (CISO, CIO, CEO and dependent professional positions)
- Going out of business
- PCI Compliance documentation – Keeping up with PCI Compliance for one person would be a daunting task. There are thousands of pages of official documentation published by the PCI SCC about PCI DSS. There are hundreds of pages explaining how to understand which forms to use to validate compliance. It would take over 3-4 days to review all of the PCI Compliance documentation. You can find it all in the PCI Security Standards Council’s Document Library.
- Know your compliance level and corresponding requirements – You need to check with each card network you use (Visa, Mastercard, Discover, AmEx, etc.) to learn what level applies to you. There are 4 different levels based on your 12-month transaction volume.
- Self-Assessment Questionnaires (SAQ) & annual risk assessment - This is a series of yes or no questions that help assess your PCI compliance. You need to select the correct SAQ based on how you accept credit cards. There are 9 choices found here in the PCI SSC’s website.
- Training on proper card data handling – It’s critical for anyone handling credit cards to have the appropriate training. Everyone should know not to write down the credit card number to process the payment later, but you’d be surprised how many people still take this risk.
- Training for in-person transactions – To prevent fraud, it’s important for every employee to confirm customer identity, verify signature and inspect the credit card. Any suspicious behavior over the counter should be immediately and discretely reported to a manager.
- Training on strong passwords and data breach avoidance – Most data breaches can be avoided with strong password training and enforcement. You should have strict password policies and practices for all employees. Consider password protection software applications that store and encrypt all your passwords. While you’re at it, it’s a best practice to train employees on how to detect suspicious emails from criminals trying to break through the network.
4. IT costs
- Update to v3.2.1 - PCI DSS v3.2 or prior was retired as of January 1st, 2019. Now, all validations must be to at least v3.2.1.
- Critical Security - Protecting your company from a data breach includes activities like:
- Securing remote access
- Patching and updating credit card processing software
- Maintaining virus and firewall software
- Regularly testing your security process
- Maintaining a policy that addresses information security for all personnel
- Conducting an annual internal security audit
- Never storing card data on self-managed internal servers or workstations
- Use the right equipment - Consider EMV terminals and make sure all equipment is updated and current.IT costs
- Quarterly PCI reviews - Conduct quarterly PCI compliance scans
There is a lot of complexity to preparing and maintaining PCI Compliance. The average merchant should not try to do it all alone. Our APS Payments team will help you develop a plan for your business to maintain PCI Compliance today and every day. Learn how to get ahead of the curve with PCI Compliance and download our free Merchant’s Guide to PCI Compliance.
In this guide, we will cover the following PCI Compliance topics:
- What is PCI?
- What are the Penalties for PCI Non-compliance?
- How to Get Ahead on PCI Compliance Anytime with these 10 Steps
- PCI Compliance Checklist
- Getting Help
- Next Steps
Contact APS Payments today and learn how we can help your company with PCI Compliance and streamline your credit card payment processing.