FAQs about PCI Compliance
Whether you've been dealing with mobile payments for a while or are brand new, you probably have questions relating to Payment Card Industry (PCI) compliance.
BluePay Chief Marketing Officer Kristen Gramigna draws on her 15-plus years of experience in the bankcard industry to collect the questions most frequently asked about PCI compliance and, of course, to answer them.
:: By Kristen Gramigna, BluePay ::
Q: What does PCI mean?
The abbreviation PCI stands for Payment Card Industry. The abbreviation is most commonly used in association with the letters DSS, which stand for Data Security Standard. Combined, the term PCI DSS describes a set of standards established for the purpose of regulating security for credit card processing. It is important to understand that the term PCI is not a static or fixed category of regulation. Instead, PCI describes an evolving set of standards applicable to the handling of customer data and transactions.
Q: Who manages the PCI DSS?
PCI DSS is maintained by the PCI Security Standards Council, an independent organization established by a coalition of major credit card companies including Visa, MasterCard, American Express, Discover and JCB. It is the payment brands, not the PCI council, that enforce these policies. The standards essentially work to reduce the risk of credit card information breaches, hackers and other cyber attacks on businesses of every size.
Q: What does the term “cardholder data” mean?
Any identifiable information assigned to or stemming from a credit card owner is cardholder data. Information includes: account number, card expiration date, name, address, social security number, birth date, and any other type of information that could lead to account access or identity theft. Always study the merchant account agreement with your payment processing company to determine where your responsibilities rest with cardholder data.
Q: What does PCI compliance mean?
PCI compliance pertains to a set of requirements established in 2006 to regulate and manage the processing, transmission and storage of credit card information or cardholder data. The purpose of PCI compliance is to use these standards to protect customer data generated through credit card and other digitally driven transactions. When a system of transactions is “PCI compliant,” it means that payment processing is conducted according to best practices and standards of customer data protection set up by the credit card industry itself.
Q: Where can I read about PCI DSS?
The PCI SSC’s website provides complete information about PCI standards: https://www.pcisecuritystandards.org/security_standards/index.php
Q: How does PCI compliance affect e-commerce businesses?
Given that so many e-commerce transactions are conducted using credit cards, the protection of consumer data is key to the successful, long-term operation of any online business. That means all e-commerce should be conducted according to the standards of PCI DSS.
Q: What if I only accept credit card payments over the phone? Does PCI still apply?
All businesses that accept, process, or store cardholder data are required to be PCI compliant.
Q: Do PCI standards apply if we use a third-party payment processor?
Online businesses that conduct transactions through a payment processing company must still demonstrate PCI compliance in all phases of their operations. Using a third party can provide significant protection and risk reduction, but the central operations of a business must also be PCI compliant.
Q: What are the penalties if my business does not comply?
The payment brands operating the PCI compliance standards look for accountability. That process may start at the banks, but the fines, which range from $5,000 to $100,000 per month for PCI violations, can be handed along to the merchant. A bank will generally terminate the relationship or significantly increase transaction fees to discourage further risks. Obviously, these penalties will affect your business operations in adverse ways.
Q: Are small businesses generally safer from hackers and data theft than large businesses?
You might think that hackers and data thieves would care more about big opportunities than small businesses. It isn’t true. Hackers are opportunists, and there are so many kinds of data thieves that you cannot hope to avoid cyber attacks through mere luck. That is why PCI compliance applies to all levels and types of businesses conducting credit card transactions.
Q: How do I handle PCI if our company has multiple locations?
The laws apply evenly across all U.S. states. That means all aspects of your operations—even regionally focused websites, microsites, and other payment portals—must be PCI compliant. Essentially, there are no exceptions.
Q: Do the PCI standards ever change?
The payment processing and credit card industries evolve as business practices grow and change. It is possible that standards from the previous year will prove outdated and be changed by the PCI SSC. It is best to check the PCI SSC website and consult with your payment processing company at least quarterly to make sure you are in full PCI compliance.
Kristen Gramigna is Chief Marketing Officer for BluePay (http://www.bluepay.com/), a provider of ecommerce payment processing. She brings more than 15 years of experience in the bankcard industry in direct sales, sales management, and marketing to the company and also serves on its Board of Directors.