Does your company handle credit card transactions? If so, you are probably already familiar with the Payment Card Industry Data Security Standard (PCI DSS), the security standard that every organization that accepts, stores, processes, or transmits payment card data is required to follow. PCI DSS is meant to benefit both companies and their customers by keeping sensitive cardholder information safe and secure. If your company does not yet accept credit cards but plans to in the near future, you should familiarize yourself with the overall goals of PCI DSS, how compliance can benefit your company, and the steps your company needs to take to become compliant. To help you out, the IT consulting team at Savvior’s Pittsburgh office has assembled a comprehensive guide to PCI compliance for your Pittsburgh business.
What is the Purpose of PCI Compliance?
The PCI security standard was built to hold companies accountable for ensuring that credit card transactions flow safely through their systems. The Payment Card Industry Security Standards Council (PCI SSC) maintains and revises the standard, with the overall goal of raising the baseline of security around card transactions. The council was created in 2006 by the major card brands Visa, MasterCard, American Express, Discover, and JCB. Note that it is the payment brands, working through merchants’ acquiring banks, and not the council itself, that enforce compliance and levy fines.
Each card brand defines its own merchant levels; the Visa levels, which are the ones most often cited, place every merchant into one of four levels based on its Visa transaction volume over a 12-month period.
The lowest level, 4, comprises merchants with fewer than 20,000 Visa e-commerce transactions per year (and all other merchants processing up to 1 million Visa transactions per year).
Level 3 comprises merchants that process 20,000 to 1 million Visa e-commerce transactions per year.
Next is level 2, which includes merchants that process 1 to 6 million Visa transactions a year across all acceptance channels.
Level 1 includes merchants that process over 6 million Visa transactions a year across all acceptance channels.
It is important to note that a merchant that has suffered a breach resulting in the compromise of account data may be escalated to a higher validation level regardless of its transaction volume.
Why Should My Company Be PCI Compliant?
The card brands and acquiring banks require PCI compliance, so the short answer is that your company should be PCI compliant because it has to be. Fines for non-compliance, assessed by the card brands through your acquiring bank, can reach up to $100,000 per month. While becoming PCI compliant and staying compliant is long, tedious work, it is needed to protect both your customers’ and your company’s private information from fraudsters and identity thieves. Should your company ever suffer a breach of cardholder data, it will take a hit in both sales and reputation, and that kind of PR crisis is hard to recover from. On top of that, you will likely face lawsuits, fines, forensic investigation costs, terminated merchant accounts, and insurance claims in the fallout.
But it is important to remember the benefits of PCI compliance as well. Compliant systems are more secure: the standard requires controls such as network segmentation, encryption of cardholder data in transit and at rest, access control, logging, and regular vulnerability testing, all of which reduce both the likelihood and the impact of a breach. Customers who know that you are PCI compliant will be more willing to trust you and build a lasting relationship with your company. Following PCI DSS will also make it easier to meet other federal and state data security regulations, whose requirements overlap heavily with it.
What are the Steps I Need to Take to Make my Company PCI Compliant?
To begin, determine which merchant level your business falls into based on the number of card transactions it processes in a 12-month period; your acquiring bank can confirm this. The level determines how you must validate compliance, not which requirements apply: the PCI DSS requirements are the same for everyone, but the validation method and the portion of the standard you must document depend on how you accept and handle card data. Merchants below level 1 validate with a Self-Assessment Questionnaire (SAQ). There are several SAQ types, chosen by how you process cards: for example, SAQ A for card-not-present merchants that fully outsource all cardholder data handling to a PCI DSS validated third party and store no cardholder data electronically, SAQ B for merchants using standalone dial-out terminals, and SAQ D for merchants that store cardholder data electronically or do not fit any other type. Depending on the SAQ type, you will also need quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV). The SAQ walks you through each applicable requirement and shows what is missing from your payment security. If your business falls short on any of them, plan time to make the necessary security upgrades before completing the SAQ again.
You will then need a trusted IT professional to build and maintain a secure network. He or she should have experience building PCI-compliant networks that fit your business operations, including keeping the cardholder data environment segmented from the rest of your network so that the scope of the assessment stays as small as possible. Once you and your contractor make the changes the SAQ identified, update your SAQ results and complete a formal Attestation of Compliance (AOC), which is your signed declaration that your business meets all applicable PCI DSS requirements. Submit the completed SAQ, AOC, and any required ASV scan reports to your acquiring bank (or payment processor), which reports your status to the card brands; the paperwork is not sent to the PCI SSC or to the card companies directly. Note that level 1 merchants cannot self-assess: they need an annual on-site assessment by a Qualified Security Assessor (QSA) or a certified Internal Security Assessor (ISA), which produces a Report on Compliance (ROC) in place of the SAQ.
Savvior is here to help your Pittsburgh company become PCI compliant. Whether you need a guiding hand or a full partnership to get your compliance effort started, Savvior is equipped to address and manage your needs. In the past, Savvior has provided PCI-compliant web hosting and has worked with Qualified Security Assessor (QSA) teams to ensure that a company’s web solutions are PCI compliant. Savvior will work with your company to execute a unique and efficient strategy toward achieving PCI compliance and getting you off the ground.