PCI Compliance 101 Series – What is expected of you?

March 5, 2010

The first article in the series dealt with “The Basics” of PCI Compliance (see previous article here).  Now we want to tackle what is expected of you.  One of the most complicated pieces of the process can be understanding what is your responsibility and what is your credit card processor's responsibility.  We will try to boil down the issue of PCI Compliance to the essentials as much as possible.  Regardless of who you are or what your business does, you should always have a trusted advisor that you can talk to about your merchant account or credit card processing solution.  (For information on how to find someone, see my previous article on Finding a Trusted Advisor.)

Before we go into any more detail, if you would like information on PCI definitions, FAQs, etc., please see the PCI Security Standards Council FAQ Area.

The entire process of PCI Compliance is aimed at reducing the chances that your business will do something that will cause your customers’ sensitive information to be exposed and used fraudulently.  One of the biggest misconceptions is that your credit card processing company is supposed to take care of everything and that if something happens the pressure is on the processing company.  If you don’t get anything else from this article, you should understand that your company’s PCI compliance is 100% your responsibility.

Your credit card processor and the credit card industry are compelled to help ensure that sensitive data is not readily vulnerable to theft, because if your business experiences a breach and is forced to file for bankruptcy, the processor is held responsible for your breach.  Consequently, everyone up the chain from you must also be PCI compliant, including the manufacturer that provides your credit card terminal or software, your credit card processor, and anyone in between that helps transmit the credit card data for transaction processing.

The simple answer to the question of what is expected from your business is:

  • to go through the process of checking your business process and systems to ensure that you are limiting the chances of your customers’ information being taken by someone who shouldn’t have it
  • to ensure that you and your employees are properly handling sensitive credit card and personal customer information
  • to ensure that the hardware and software you use are compliant with the data security standards created by the PCI Council (see PA-DSS standards and PIN Transaction Security info)
  • to scan your network, or have someone else do it, on a regular basis to ensure that there aren’t ways for hackers to gain access to customer information via your wireless networks or internet service.

Why should you care about PCI Compliance?  Here is a very simple list:

  • Your business could be seriously impacted or even bankrupted by a breach
  • The Ponemon Institute’s 2009 Survey on the Cost of a Data Breach found that the average cost per compromised record was about $204; however, across the data breaches experienced by 45 organizations in 2009, the least expensive total cost for an organization was $750,000 and the most expensive was $31 million.
  • The financial impact to a business that experiences a data breach is not just the cost of cleaning up the problem, it also causes a loss of customers and future business
  • Going through an annual compliance process usually costs less than $500, not a bad investment
  • Just because your credit card processor shows “$50,000 of Security Breach Insurance” doesn’t mean that your solution is compliant or that your company is safe, especially when the least costly breach in 2009 cost the company $750,000.

Where can you go for more information?

  • Visit the PCI Security Standards Council website at https://www.pcisecuritystandards.org
  • Call your credit card processing company and ask them what their process for PCI compliance is and what you need to do
  • If you use Point of Sale software, check with the company that supports your solution.
  • Check with one of the many Qualified Security Assessors or Approved Scanning Vendors listed on the PCI Council website at https://www.pcisecuritystandards.org/qsa_asv/find_one.shtml

Hopefully this information and these resources will give you a chance to educate yourself on the topic of PCI compliance and help you better understand why and how the guidelines affect your business.

Thank you as always for reading.  If I can do anything to help your business answer questions or point you in the right direction, please visit the “Contact Me” tab or just email me directly at takingcards@gmail.com.

Thank you,

Ben Wallace
