7 Frequently Asked Questions About PCI Regulations

If your company utilizes online credit card transactions, then you have likely heard of PCI compliance and regulations. If not, then we should probably fix that. All companies that accept online credit card transactions must be PCI compliant. For those who don’t know, PCI is a set of security guidelines that businesses like yours need to follow. Its main goal is to ensure the safe exchange and use of card numbers and customer information. The guidelines are not meant to annoy and inconvenience you, but rather to help protect you from potential data security breaches and mistreatment of customer data. 

Navigating and understanding these guidelines can be tricky. That’s why Savvior has assembled a guide to the most frequently asked questions companies have regarding PCI regulations.

1. What is the PCI Data Security Standard (PCI DSS) and Where Can I Find it?


The Payment Card Industry Data Security Standard (PCI DSS) is the formal name for the official set of security standards that all companies that accept, process, store or transmit credit card information must follow. It can be found on the PCI Security Standards Council website’s document library. Organizations can access its tools and support resources to ensure that they are correctly following the current PCI regulations. Everything from a glossary of terms to a ROC reporting template can be found on this webpage. 

2. Does PCI Pertain to Debit Cards Too? 

The short answer is yes. Any debit, credit, or pre-paid cards that are part of the five card associations that participate in the PCI SSC — American Express, Discover, JCB, MasterCard, and Visa International — are in scope for PCI. If your organization accepts transactions from any of these cards, then it will need to follow PCI regulations. 

3. What are the PCI Compliance Levels? 


PCI compliance levels are composed of four tiers that separate merchants based on the volume of Visa transactions they complete over a 12-month period. These transactions include credit, debit, and prepaid cards. 

The levels are as follows:

  • Merchant Level 1: Merchants that process over 6 million Visa transactions a year

  • Merchant Level 2: Merchants that process between 1 million and 6 million Visa transactions a year

  • Merchant Level 3: Merchants that process 20,000 to 1 million Visa e-commerce transactions a year

  • Merchant Level 4: Merchants that process fewer than 20,000 Visa e-commerce transactions a year plus merchants that process up to 1 million Visa transactions a year

Most small-to-medium-sized businesses fall in level 4. 

4. Does PCI Apply to Credit Card Transactions Over the Phone?


Yes, for sure. While credit card transactions over the phone aren’t as common as in-store or online ones, they are still subject to PCI regulations. If you didn’t know this before, then it is good that you know now. You can begin to take the necessary steps toward achieving PCI compliance so that you may best protect your company and your customers’ sensitive data and info.

5. If my Business has Multiple Locations, Does Each Individual Location Need to be Compliant?


This depends on whether each location is processed under the same Tax ID. If it is, then you don’t need to worry about starting the process towards PCI compliance for each individual location. Instead, you can validate your PCI compliance annually for all locations. You will, however, also have to submit quarterly passing network scans by a PCI SSC Approved Scanning Vendor (ASV), if applicable. 

6. How Often are PCI Regulations Updated?

PCI regulations are routinely updated. Merchants should make sure that they are correctly following the most current regulations, especially since big changes can often come from these updates. For instance, the dominant encryption method for website security changed from Transport Layer Security to the Secure Sockets Layer between PCI DSS version 3.0, made in January 2015, and PCI DSS 3.1 in April 2015 alone. If you are not compliant with the latest regulations, you are putting your company at risk of heavy fines and harmful data breaches.

7. What are the Penalties for Non-Compliance?


So what exactly happens if someone finds out that your business is not PCI compliant? While PCI is not a law in itself, heavy penalties will still result if your company ends up compromised due to a breach caused by PCI non-compliance. Aside from the fines, card replacement costs, and forensic audits your company will have to pay, your brand will suffer major damage. The trust that you have just lost from your customers will not be easy to win back, especially as it pertains to their personal finance and information. 


Following PCI regulations is important not only for avoiding heavy fees but also for ensuring the safety and security of sensitive information. Savvior understands that implementing them can be a long and arduous process. So why not let our team of IT consulting experts in Pittsburgh do it for you? Contact us now to begin your first steps toward PCI compliance.