All merchants – large and small – who accept credit card payments are required to be PCI Compliant, but there is a lot of confusion about what PCI Compliance is and how to get (and stay) compliant.
PCI Compliance is a set of standards that are created and enforced by the Payment Card Industry Security Standards Council (PCI SSC). This council is made up of all the global credit card companies (Visa, Mastercard, AMEX) and the program is intended to provide greater protection to consumers and the industry from the online theft of credit card information. The compliance standards cover a twelve-step process for ensuring that everything from a merchant’s network to the payment application they are using is as secure as possible.
A merchant’s bank or other financial institution that provides the merchant account enforces the compliance standard. If a merchant is not compliant, they are not only at greater risk of cybersecurity attacks, but they could face penalties from their bank as well. The bank could assess additional fees or could deny applications for future merchant accounts. The even bigger risk to any company, however, is that if they do have a breach of their network and are not PCI compliant, they face a much higher risk of liability.
To better understand what PCI compliance is, the best place to start is to review the difference between two terms that are often used synonymously but mean very different things: PCI Compliance and PCI Certification.
- PCI Compliance – Achieving PCI compliance means that you are reporting that you are compliant with the standards based on a self-assessment - usually a questionnaire you receive from your bank. You indicate that you have reviewed all your internal systems and your payment processing application, as an example, and confirmed that you are meeting the requirements on an annual basis. Larger organizations may be required to have their network scanned.
- PCI Certification – PCI certification is a higher standard. It indicates that your corporation has been independently audited by a Qualified Security Assessor (QSA). Both merchants and service providers, such as payment application providers and hardware providers, can achieve certification. The PCI DSS and some of the global card brands, such as Visa and Mastercard, publish lists of service providers that have achieved certification. To officially meet the standard for certification, the audit is required.
In taking steps to achieve compliance, merchants must review many aspects of the payment process. One of the most critical components at the heart of the process is the software application that the merchants will use to process payments.
There are several questions a merchant should consider before deciding how payments will be processed and what application they will use.
These questions include:
- Will I process credit cards?
- Will I process credit cards using internal systems, such as in my ERP system, or will I do that externally, like an authorized website?
- Will I use an integrated payment software application within my internal ERP system?
- For software payment solutions, will I purchase a PCI certified solution or just a solution listed as compliant, or will I develop my own solution in-house and take on the ownership of ensuring it is either certified by an auditor or meets the standards for compliance?
As merchants consider their options, the next question that will occur is “How do I know if my software is PCI Compliant?” We’ll review that question in Part 2 with the best practices on how to get and stay compliant.
Western Computer and ChargeLogic have helped many Retailers and other Merchants get a head start on PCI Compliance.