The Importance of PCI Compliance for Organisations Handling Card Payments
When customers provide card data over the phone, online or via a mobile app, your company becomes a target. It only takes one case of fraud or one data breach to damage your reputation, reduce customer loyalty and expose you to a costly penalty. To reduce the risk of sensitive data being breached, companies must comply with the Payment Card Industry Data Security Standard (PCI DSS).
PCI DSS applies to companies of any size that accept card payments. Handling cardholder data exposes a business to many risks, so organisations that accept card payments and store cardholder data must host that data securely with a PCI-compliant provider.
What is PCI DSS?
The PCI DSS is a security standard that all organisations must comply with if they store, process and transmit cardholder data. The aim of the standard is to reduce the risk of fraud and protect sensitive data. There are twelve requirements that all organisations handling card payments must meet in order to be compliant, and firms must validate their compliance annually. The standard is managed by the Payment Card Industry Security Standards Council, whose members include the major card providers Visa, Mastercard and American Express.
Compliance with PCI DSS
Being PCI compliant means customer data is protected by several layers of security, which may combine virtual and physical measures. Sensitive data should be encrypted, password protected and accessible only to authorised personnel. Additional physical measures, such as keeping servers and computers in a secure, lockable facility, may also be used. Some payment card data must never be stored at all, such as the customer's 4-digit PIN and the 3-digit CVV code printed on the back of the card.
In order to demonstrate compliance with PCI DSS, all organisations handling card data must complete an Attestation of Compliance form certifying that every requirement has been met. This form should be signed off by either the chief financial officer or the head of compliance within your organisation. Firms must also have a quarterly network scan carried out by an Approved Scanning Vendor, and some must undergo an annual on-site assessment or complete a self-assessment questionnaire.
Penalties for Non-Compliance
If a security breach takes place and the organisation was not compliant with PCI DSS, it could be subject to a range of penalties. Because compliant businesses are less likely to suffer a breach, non-compliance often only comes to light after data has been compromised. Card issuers can impose severe fines on a non-compliant company, the company may face increased transaction fees, and it may be prevented from accepting card payments altogether.
With many retailers only operating online and credit and debit cards now the most popular payment method in the UK, being banned from accepting card payments following a breach could have catastrophic effects on business. Loss of customer trust, costly investigations and compensation claims and bad publicity also result from non-compliance, so it is in the best interests of all businesses to become PCI compliant.
Not being PCI compliant could be a costly mistake for your business. Choosing a PCI-compliant payment provider gives you and your customers peace of mind that their sensitive data is suitably protected. For more information about PCI compliance and protecting your business from security breaches, please get in touch.