The primary purpose of the PCI DSS is to reduce the risk of payment card data loss by preventing, detecting, and reacting to potential breaches or hacks that could lead to cardholder data compromise. In other words, the goal of the PCI DSS is to protect payment card data from criminal threats and to minimize data breach risk to merchants of all sizes.
DO I NEED TO BE PCI COMPLIANT?
Anyone who has a business that receives payments from customers who use their credit cards to pay needs to be PCI compliant – even if you only receive one credit card payment per year. The volume of transactions does not make a difference. Even if your website uses a 3rd party service like PayPal, Google Checkout, or Apple Pay you still need to be PCI compliant because your business receives payments via credit card.
WHY DOES PCI MATTER TO MY SMALL BUSINESS?
Attackers have been increasingly focused on small businesses. Attackers are focusing on any entity that processes or stores payment card data and may be vulnerable to compromise. Large financial institutions and large merchants tend to have expensive and substantial security to protect against attacks, but this level of security may not be feasible for a small merchant. Consequently, when searching for vulnerable targets, attackers are discovering that many small merchants haven’t implemented even the most basic security measures required by the PCI DSS. As a result, attackers increasingly are seeking to compromise small merchant environments through targeted “production line”-type attacks, which often go undetected for long periods of time due to a lack of monitoring by the small merchants.
If you are compromised, such that an attacker was able to access payment card data, you can be financially responsible for any resulting fraud loss and for other costs. Depending on the breach, you may be responsible for having a forensic examination performed by a PCI Forensic Investigator (PFI), which can be expensive.
WHAT IF I’M NOT PCI COMPLIANT?
If you do not meet the PCI standards for compliance and are compromised, you will be facing penalties and fines ranging from $5,000 to $500,000. The fines, however, are just the beginning of the overall damage caused by noncompliance.
If your company is not PCI compliant, you run the risk of losing your merchant account, which means you won’t be able to accept credit card payments at all. You will also be placed in the Visa/MasterCard Terminated Merchant File (TMF), making you ineligible to obtain another merchant account, at least for several years. The TMF, is essentially a BLACKLIST from which it is almost impossible to be removed.
If you do not meet the PCI DSS standards you will also be billed a PCI Non-Compliance fee. This is a fee that we charge monthly until you become compliant for PCI DSS.
HOW DO I BECOME PCI COMPLIANT?
Your first step in becoming compliant is to complete your enrollment. You can enroll online at: www.securitymetrics.com/pcidss/merchant_partners. If you have any questions or need help with the enrollment process, please call our Customer Service department at (866) 889-6176 and they would be happy to assist.