PCI DSS stands for Payment Card Industry Data Security Standard. It is meant to ensure that merchants with a merchant ID, i.e. businesses that store, transmit or process credit card information, provide a secure environment for that information and so protect their clients from credit card fraud and data theft. It applies to all businesses, firms and merchants regardless of transaction volume or business size. PCI requirements apply to any business or organization whose customers use debit or credit cards to pay it, and compliance is mandatory; a business or organization demonstrates compliance by obtaining a PCI certificate.
Given that businesses, firms and organizations are of different sizes and use debit and credit cards differently, a one-size-fits-all approach would not be practical for PCI compliance. There are therefore four levels of PCI compliance to cater for different card processing requirements. Merchant Level 1 is for businesses processing over 6M transactions annually regardless of the acceptance channel. Level 2 is for businesses processing between 1M and 6M transactions annually, Level 3 is for businesses transacting 20,000 to 1M e-commerce transactions per annum, and Level 4 is for merchants processing 1M transactions and below from all channels or fewer than 20,000 e-commerce transactions per annum.
Lack of compliance attracts fines from card brands, exposes a business or organization to lawsuits and can lead to loss of customers. It also increases the business's security risk, since without the controls the standard requires one cannot accurately determine whether the credit card data it processes or stores can be stolen or whether its payment processing system can be easily compromised.
There are many reasons for any business or organization to be PCI compliant. PCI compliance increases customers' trust in your business or organization, which raises their confidence and leads to greater customer retention, both because of that trust and because of the convenience of transacting online or with credit cards.
PCI compliance also improves the entity's reputation with trading partners, payment processors and acquirers. A PCI compliant business or organization is also in a better position to comply with other regulations such as SOX, which greatly speeds along any other compliance efforts it undertakes.
PCI compliance also saves money through decreased liability and protects the business or organization from fines, lawsuits, insurance claims and loss of business, whether from being unable to process credit card transactions or from customers lacking the confidence to pay by credit card. If a merchant suffers a breach, it has to pay for forensics to discover where the breach originated, monitoring of the compromised credit cards, card replacement costs and any other charges or fines from payment brands and/or the government.
PCI compliance also increases security, since a business's IT security must meet a set of requirements before it can be compliant. This ensures businesses have sufficient security measures in place to protect the data and provides a benchmark against which businesses can judge how secure their systems are. Requirements that result in increased IT security include installing good, regularly updated anti-virus software and regularly testing the merchant's website for vulnerabilities to confirm it is secure. This protects customers' data and the system that handles it.
Peace of mind is another benefit of being PCI compliant. By being compliant, you have ensured that the sensitive data you hold is protected, so you have less reason to worry about security breaches.
PCI compliance, while mandatory, is a cheap, quick and easy process, and given its benefits any business or organization handling credit card transactions should take it up and become compliant.