The PCI Security Standard Council's PCI-DSS 3.0 compliance was made effective January 1, 2014, but vendors were given until January 1, 2015 to meet these new regulations. With so many aspects to running a business, these new regulations may have gone unnoticed, but Savvior’s team of IT consulting experts in Pittsburgh is here to tell you that’s a mistake. That’s why we’ve put together this article. We’re going to go over
Trust us. You don’t want to be caught underperforming these PCI regulations. Let’s get started.
Why PCI Compliance Matters
Screenshot taken from PCI advertising material
Do you accept credit cards on your website? Then you should be familiar with the PCI-DSS released by the PCI Security Standard Council. If not, you’ve probably been non-compliant and we need to fix that.
The PCI is a set of security guidelines for any business or website that supports transactions through credit cards. The safe exchange and use of card numbers and customer information is the main goal of the PCI. Following the PCI helps to cut down on the potential for data security breaches resulting in customer information being leaked and other mistreatments of customer data. For no other reason, PCI compliance is a way of making sure your customers stay safe, but maybe that’s not convincing enough for you.
PCI non-compliance can also result in major costs for your business. Here’s a quote taken the PCI Compliance Guide:
The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on downstream until it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business.
It is important to be familiar with your merchant account agreement, which should outline your exposure.
Though the costs of maintaining a PCI compliant website and business may be a nuisance, the costs associated with non-compliance can spell the end for some businesses.
Further, PCI compliance is a marked promise to your clients that their information is safe in your hands. Without it, your business may lose credibility with your client base, sending potential customers to your PCI compliant competition. Honestly, given the choice, would you rather the company committed to keeping your information safe, or the one that isn’t? It’s a simple choice for clients, and it’s a simple choice for you.
Now that you know you need to be working toward PCI compliance, let’s take a look at what you need to be doing.
What’s New About PCI 3.0
Figure taken from PCI DSS 3.0
Thankfully for you business, much of the lengthy new requirements have very little general affect. Most updates are minor and have little to do on the merchant end of the transaction chain. Our team of IT consulting experts in Pittsburgh have sifted through these smaller updates and found that there are 4 key themes within the new compliance document that businesses that fall under PCI guidelines should be familiar with.
If this is the first you’re hearing of PCI compliance, you aren’t alone. The PCI Security Standards Council is aware of the lack of understanding and wide-reaching awareness of their cause. That’s why, in this version of the PCI DSS, they’ve added an initiative for greater education surrounding transactional security. They hope this bolsters a “culture of security” so that everyone from the cashier to the bank manager are aware and capable of battling data breach.
“Business as Usual” Integration
The new update also includes a list of best practices that allow security to be a more integrated aspect of everyday business. Rather than a single, half-hearted, annual validation exercise, the PCI hopes this will help to make security more of a year-round commitment.
Clearer Intent and Testing
Before it was possible for businesses to perform half-hearted penetrative tests on their systems meant only to confirm they were doing fine and they could get on with business. Under the new version of the PCI DSS, this is no longer possible. The spirit of these penetrative tests has been clarified so that businesses understand they are meant to find weaknesses that may be overcome, and the vigor of these tests should reflect that.
Shared Responsibility and Accountability
This new update -- probably most importantly -- makes it clear who is accountable for security breaches -- and it’s everyone. The new update will no longer allow for anyone along the transaction chain to pass blame to the next. Everyone from the cashier to the bank manager is responsible for compliance and security standards.
How you can get started
Screenshot taken from PCI Security Standard Council’s webpage
The Security Standards Council webpage has a number of resources for businesses trying to make their way to compliance. Their goal is to make the world of online transactions safer, and part of that is making compliance as simple and accessible as possible. But that doesn’t mean compliance can happen overnight, or that it won’t cost anything for your business. Savvior understands the technical aspects of producing a PCI-compliant website and maintaining that compliance. Our team of IT consulting experts in Pittsburgh knows how little time businesses can devote to such tasks -- as important as they are. Why not let our team of IT consulting experts in Pittsburgh do the work for you? Contact us and we’ll evaluate your eCommerce setup. From there our IT consulting experts will be able to build your PCI compliance from the ground up.