What is PCI Compliance?
The Payment Card Industry Data Security Standard (PCI DSS, often shortened to PCI) was created to improve the security of payment transactions and cardholder data after the growth of digital payments raised concerns that card details were vulnerable to theft and fraud. The first version of the standard was published in 2004, and the council that now maintains it was formed in 2006.
The standard was set by the major card brands (Visa, Mastercard, American Express, JCB and Discover) and is administered by the PCI Security Standards Council (PCI SSC), which maintains the standard and provides training and validation programmes. The PCI SSC does not police merchants, however: enforcing compliance remains the responsibility of the card brands and the acquiring banks that act on their behalf.
Who needs to be PCI Compliant?
Any company that accepts card payments, or stores, processes or transmits cardholder data, has to be compliant. Merchants are placed in one of four levels according to the volume of card transactions they handle; the more transactions a company processes, the more stringent the validation requirements. Most small companies fall into level 4, which covers merchants processing fewer than 1 million card transactions a year, or fewer than 20,000 e-commerce transactions a year. A company that suffers a data breach may be moved to a higher level by the card brands, regardless of its transaction volume.
How do I become PCI Compliant?
At level 4, companies need to ensure that their card terminals are secure and that any in-house systems holding payment data are suitable for the purpose. Most providers of card machines supply terminals that are validated under the PCI PIN Transaction Security (PTS) programme and keep the terminal software patched automatically, in much the same way that antivirus software on a PC or laptop updates itself. In addition, the business owner has to complete an annual Self-Assessment Questionnaire (SAQ) and, where the business has internet-facing systems in scope, a quarterly external vulnerability scan by an Approved Scanning Vendor (ASV). Many acquirers and payment providers now offer this service to their customers for a small monthly fee, but existing customers usually have to opt in to it.
What if I'm not Compliant?
There are two consequences of not being compliant. Firstly, your payment processing provider will levy a monthly non-compliance fee, which may be a percentage of your takings or a set amount, typically in the region of £40 a month.
Secondly, and more seriously, if a non-compliant company suffers a data breach or fraud it may be liable for a much larger fine from the card brands and be held responsible for the costs of investigating and remedying the compromise, including the cost of reissuing affected cards.
I use a third party provider, am I Compliant?
Some providers, most notably pay-as-you-go providers without monthly contracts, do not charge a specific fee for securing their card readers. Although the card reader itself may be validated through the supplying company, you are still responsible for ensuring that your own workplace practices (for example how card details are handled, where they are written down and who can see them) meet the standard. This is again validated by the annual Self-Assessment Questionnaire, and if it is not completed you may be held liable if you fall victim to a data breach.
Our Advice
If you trade online, use contract payment terminals or take payments over the phone, we would always recommend taking the option that lets your provider manage your compliance for you. The monthly charge is small and good value compared with the time and effort of validating compliance yourself.
If you use a PAYG provider, or do not wish to pay the small monthly premium, the relevant Self-Assessment Questionnaire documents and guidance can be found on the PCI SSC website at www.pcisecuritystandards.org.