Intro to PCI Compliance: Safeguard Your Merchant Account

What is PCI compliance? How to limit your business's liability in the event of a data breach.

The ease and convenience of shopping with credit and debit cards makes the ability to process credit transactions a powerful tool for any business. Whether you have a brick-and-mortar store, a Mail-Order or Telephone-Order (MoTo) company, or an eCommerce based company, having a merchant account that allows customers the option of paying with a credit card can significantly increase repeat business and profits. Those benefits come with certain responsibilities however: when you take a customer’s sensitive financial and identity information, that customer must be able to trust that their information will be safe in your hands. This is the purpose of PCI compliance.

What is PCI Compliance?

The Payment Card Industry Security Standards Council (PCI SSC) was assembled by the five major payment brands, Visa, MasterCard, American Express, JCB, and Discover, in order to develop a set of minimum data security standards for merchants who accept payment card transactions. This standard, the Payment Card Industry Data Security Standard (PCI DSS), applies to any merchant that accepts, stores, processes, or transmits any credit or debit card data. "Cardholder data" here means the primary account number (PAN) together with the cardholder's name, expiration date, and service code; the standard also covers sensitive authentication data (full magnetic stripe or chip data, the CVV2-style security code, and PINs), which must never be stored after a transaction is authorized.

Compliance with the PCI DSS means verifying that, as a merchant or other company that interacts with this sensitive data, you can keep that data secure. This means, among other measures, maintaining a firewall, anti-virus programs, and security software on any computer systems that collect or store payment card data and connect to the Internet, as well as restricting access to any physical records containing this information. Verifying PCI compliance is not a one-time event: most merchants must complete a Self-Assessment Questionnaire (SAQ) every year, and Internet-facing systems in scope typically must pass an external vulnerability scan by an Approved Scanning Vendor (ASV) every quarter in order to maintain compliance. Nor is PCI compliance a "set it and forget it" event; just because you have validated compliance once does not mean that you can relax. PCI compliance is a minimum of what you should be doing to securely handle payment data; it does not mean that your systems are foolproof.

How do I make sure I’m PCI Compliant?

PCI compliance may sound like a complicated undertaking, and a lot of effort for a small business. However, there are a number of excellent reasons to make compliance a priority if your business accepts credit or debit card payments in any channel. The most obvious reason is trust: a customer will only give you their card information for a purchase if they have some assurance that you can keep it safe from fraud and identity theft. Maintaining that trust invites repeat business and word-of-mouth advertising, and helps you cultivate a reputation that will attract partnerships with acquirers and payment brands so that your company can flourish. Keeping up with PCI SSC standards as they are updated to counter new threats helps your company stay ahead of those threats, and provides a framework on which to build the rest of your company's security program.

What happens if I’m not PCI compliant?

The dangers of noncompliance are likewise significant. If your customers' card data is compromised, the repercussions are severely damaging for your customer relations, the financial institutions involved, and your business. Not only will such a breach precipitate an enormous loss of business from your customer base, potentially impacting any publicly traded stock and your standing in the community, but it can have catastrophic consequences for your ability to conduct business in the future. The acquiring bank that holds your merchant account can be fined up to $100,000 by the payment brands for PCI compliance violations, and much of that can and will be passed down to you. In addition, your acquiring bank may cancel your account and place you on the Terminated Merchant File (TMF), now known as the MATCH list, which would make it very difficult to obtain another merchant account. You may also be exposed to government fines, the cost of card reissuance and fraud claims, and lawsuits.

Maintaining PCI compliance is an important step in protecting your company from the consequences of data theft. Adhering to the minimum security standards established by payment card industry experts is essential to validating your customers' trust that you will safeguard their financial information, and to shielding your company from reputational damage and heavy fines.

Learn More

You can of course read more on the official PCI SSC website, www.pcisecuritystandards.org, or contact Durango Merchant Services to discuss PCI compliance for your own merchant account; one of our dedicated account managers will be happy to review the best PCI compliance options available for your company.

You can also learn more about our JavaScript solution for qualifying for SAQ A-EP on our blog. SAQ A-EP is the questionnaire for eCommerce merchants whose website never receives cardholder data itself but does control how the customer's browser sends it (for example, a script on your checkout page that posts card details directly to the processor), and it is far shorter than the full SAQ D that applies when card data passes through your own systems. Our solution makes sure that your website doesn't actually touch the card data, which shrinks the scope of your PCI DSS obligations and the liability you carry. Note that under SAQ A-EP the web page and server that deliver the checkout script remain in scope, because whoever can change that page can change where the card data goes.
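The pattern described above, as an added illustration that is not Durango's code and not taken from the blog post it mentions: card fields are sent from the browser straight to the processor's tokenization endpoint, and only an opaque token plus non-sensitive order data is ever posted to the merchant's server. The processor URL, publishable key and JSON response shape are hypothetical placeholders, and the sample form values are constructed for the example. The `assertNoCardData` guard is the check a practitioner would want: it refuses to send the merchant payload if a card field slipped through, or if a free-text field such as an order note happens to contain a Luhn-valid card number.

```javascript
// Added example (not Durango's code): browser-side tokenization that keeps card data
// off the merchant's server, the basis of an SAQ A-EP integration. Processor endpoint,
// key and response shape below are hypothetical.

const CARD_FIELDS = ["cardNumber", "expMonth", "expYear", "cvv"]; // must never reach the merchant

// Luhn checksum: cheap client-side validation and the core of the PAN detector below.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (Number.isNaN(d)) return false;
    if (doubleIt) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    doubleIt = !doubleIt;
  }
  return digits.length > 0 && sum % 10 === 0;
}

// True if the text contains a 13-19 digit run (spaces or dashes allowed) that passes Luhn.
function containsPan(text) {
  const runs = String(text).match(/\d(?:[ -]?\d){12,18}/g) || [];
  return runs.some((run) => luhnValid(run.replace(/[ -]/g, "")));
}

// Guard on everything that goes to the merchant server: throws if a card field is present
// or if a free-text field (notes, address line, ...) contains something that looks like a PAN.
function assertNoCardData(payload) {
  for (const [key, value] of Object.entries(payload)) {
    if (CARD_FIELDS.includes(key)) throw new Error(`card field "${key}" must not reach the merchant`);
    if (typeof value === "string" && containsPan(value)) throw new Error(`PAN found in field "${key}"`);
  }
  return true;
}

// Card fields, normalised and validated, for the processor only.
function extractCardFields(formValues) {
  const pan = String(formValues.cardNumber).replace(/[ -]/g, "");
  if (!/^\d{13,19}$/.test(pan) || !luhnValid(pan)) throw new Error("invalid card number");
  return { pan, expMonth: formValues.expMonth, expYear: formValues.expYear, cvv: formValues.cvv };
}

// Everything except the card fields, plus the token and last four digits, for the merchant.
// Pure function so it can be unit-tested without a browser or network.
function buildMerchantPayload(formValues, token) {
  const { cardNumber, expMonth, expYear, cvv, ...merchantFields } = formValues;
  const pan = String(cardNumber).replace(/[ -]/g, "");
  const payload = { ...merchantFields, paymentToken: token, cardLast4: pan.slice(-4) };
  assertNoCardData(payload);
  return payload;
}

// Hypothetical processor tokenizer: the browser POSTs card data to the processor and
// receives an opaque token. The merchant server never sees this request.
function makeProcessorTokenizer(endpoint, publishableKey) {
  return async (card) => {
    const res = await fetch(endpoint, {
      method: "POST",
      headers: { "Content-Type": "application/json", Authorization: `Bearer ${publishableKey}` },
      body: JSON.stringify(card),
    });
    if (!res.ok) throw new Error(`tokenization failed: HTTP ${res.status}`);
    return (await res.json()).token; // assumed response shape: { "token": "..." }
  };
}

async function tokenizeCheckout(formValues, tokenizer) {
  const token = await tokenizer(extractCardFields(formValues));
  return buildMerchantPayload(formValues, token);
}

// Browser wiring; skipped when this file runs outside a page (e.g. under Node).
if (typeof document !== "undefined") {
  const tokenizer = makeProcessorTokenizer("https://api.example-processor.test/v1/tokens", "pk_test_placeholder");
  const form = document.getElementById("checkout");
  if (form) {
    form.addEventListener("submit", async (ev) => {
      ev.preventDefault();
      const formValues = Object.fromEntries(new FormData(ev.target).entries());
      const payload = await tokenizeCheckout(formValues, tokenizer);
      await fetch("/checkout", {
        method: "POST",
        headers: { "Content-Type": "application/json" },
        body: JSON.stringify(payload),
      });
    });
  }
}
```

Two things are worth noting about this split. First, the guard runs on the merchant payload every time, not only during development, so a later form change that adds a field cannot silently start leaking card numbers to your server. Second, because the checkout page and this script are what decide where the browser sends card data, they stay in scope under SAQ A-EP: serve them from a hardened web server, pin the script's integrity, and restrict with a Content-Security-Policy which origins the page may post to.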