Last week's 'Whopper of a Breach' article regarding the $200K in fines levied against a Burger King Franchisee, caused alot of our merchants to call in and ask more questions about PCI Compliance.
- Could this happen to me?
- Is my business compliant?
- Do I need to do anything else to make sure my customer's cards are protected?
We have seen PCI Compliance go from an unknown, fee related issue to a very critical part of making sure businesses are insulated from breaches and fines. Instead of merchants asking questions like 'WHY do I have to be compliant', they are now asking questions like 'HOW do I protect myself and my customers'. Most larger companies are now dedicating staff members to insure they are not blindsided by breaches! And small businesses? Many small business owners now understand that a single incident can cause catastrophic damage to their business and they are taking the steps to become compliant, in an effort to protect themselves from the financial fallout of card breaches. Even micro businesses (think a few transactions per month or even per year) need to make sure they are PCI Compliant- NO ONE IS EXEMPT!!
If you accept any credit cards, the industry mandates apply to you!!
Today's Blog is dedicated to education and sharing the answers to the most commonly asked questions related to PCI Compliance. Please call our office (1-888-249-9919) or email our team (Service@TotalMerchantConcepts.com) if you would like a copy of our PCI FAQ, a free risk assessment or just confirmation on your PCI Compliant status.
PROTECT CARD DATA
PROTECT YOUR BUSINESS
GET PCI COMPLIANT TODAY!!
Myth: I’m a small merchant who only takes a handful of cards, so I don’t need PCI.
Fact: This is a common misunderstanding with the payment card industry standard, that small merchants handling only one or a few credit cards a year are exempt from compliance. If you are a merchant and are set up to take credit cards by any mechanism - then you need to be complaint.
Myth: PCI only applies to e-commerce companies.
Fact: No, PCI applies to every company that stores, processes or transmits cardholder information. In fact anyone who takes card present transactions that involve POS devices are typically more at risk than e-commerce solutions. Quite often these types of transactions involve storage of track data (which is forbidden under PCI). Compromise of this type of data may bring heavy fines and requests for compensation from the banks involved.
Myth: I can wait until my business grows.
Fact: Incorrect - the PCI standard applies to all sizes of business and waiting could be costly. Should you be compromised and not be PCI compliant, the fines and the compensation requirements by the banks (it typically costs between $50 and $90 to replace one card) could be substantial.
Myth: I can just answer 'yes' to all the criteria on the Self-Assessment Questionnaire (SAQ).
Fact: The Self-Assessment Questionnaire (SAQ) is a mechanism for getting the information about the level of your compliance to your merchant bank. The payment card industry standard applies at all times. Just saying yes to the questions puts you at great risk. If a compromise took place and it was obvious that you were not and have never been PCI compliant, the matter would be taken very seriously. You would be risking your whole business by answering ‘yes’ to the questions, when there is no factual basis for the answers.
Myth: I can wait until my bank asks me to be PCI compliant.
Fact: The dates for merchants to be PCI compliant are long gone. You are responsible for making sure you are in compliance. Waiting until the bank asks you could be very costly indeed.
Myth: Outsourcing card processing makes us compliant.
Fact: Outsourcing simplifies payment card processing but does not provide automatic compliance. Don’t forget to address policies and procedures for cardholder transactions and data processing. Your business must protect cardholder data when you receive it, and process charge backs and refunds. You must also ensure that providers’ applications and card payment terminals comply with respective PCI standards and do not store sensitive cardholder data. You should request a certificate of compliance annually from providers.
Myth: PCI will make us secure.
Fact: Successful completion of a system scan or assessment for PCI is but a snapshot in time. Security exploits are non-stop and get stronger every day, which is why PCI compliance efforts must be a continuous process of assessment and remediation to ensure safety of cardholder data.
Myth: PCI is too hard.
Fact: Understanding and implementing the 12 requirements of PCI DSS can seem daunting, especially for merchants without security or a large IT department. However, PCI DSS mostly calls for good, basic security. Even if there was no requirement for PCI compliance, the best practices for security contained in the standard are steps that every business would want to take anyways to protect sensitive data and continuity of operations. There are many products and services available to help meet the requirements for security – and PCI compliance. When people say PCI is too hard, many really mean to say compliance is not cheap. The business risks and ultimate costs of non-compliance, however, can vastly exceed implementing PCI DSS – such as fines, legal fees, decreases in stock equity, and especially lost business. Implementing PCI DSS should be part of a sound, basic enterprise security strategy, which requires making this activity part of your ongoing business plan and budget.