If you accept credit cards for payments made to your business, you should always keep these operations compliant with the Payment Card Industry Data Security Standard, or PCI DSS. This will protect credit card holder data as well as Primary Account Numbers. If you don’t follow the PCI DSS, you have a higher risk of incurring credit card theft and fraud as well as significant fines. Problems involving a lack of PCI DSS compliance can also devastate the confidence that potential and existing consumers have in your business, resulting in long-term reductions to revenue.
To help you make the best choices when you’re looking for a merchant service provider, we’ve made a list of the most common misconceptions about PCI compliance.
If Online Payments Aren’t Involved, PCI Compliance Isn’t Necessary
It’s actually not that simple. If any business takes credit card payments, it must be compliant with PCI DSS. This is the same whether payments are transferred through mail order or retail. Compliance is mandatory if you process, transmit or store any credit card data. Since retail transactions commonly include tracking and storage of non-PCI-compliant data, all practices should be analyzed for compliance.
PCI Compliance is Only the Responsibility of IT Staff
It’s true that IT departments handle most aspects of PCI compliance, but continual efforts on the part of all employees in terms of reporting and quarterly assessments is important for long-term success. In most cases, IT staff will not be the sole processors of of every payment. This means that for the majority of companies, transmission and storage of credit card information should be of major concern to every worker. To ensure that PCI compliance is successful, companies should create a list of procedures and policies regarding payment by credit card. Every employee should become familiar with this list. Your PCI-compliant vendor can assist you with obtaining or creating theses lists.
Small Businesses Don’t Need to Worry About PCI Compliance
Smaller companies might be less likely to run into problems than larger ones, but this doesn’t guarantee anything. It’s true that fines are normally used only for companies that process more than a million transactions per year, but a breach of your business could mean you have to repay major chargebacks for the cards involved, and your ability to process credit cards could be suspended. At the same time, this situation might cause you to be moved to a higher compliance tier, increasing your operating costs in the process. Finally, provide your consumers confidence in your business and brand by being PCI compliant.
You Don’t Need to be PCI Compliant if you Don’t Store Credit Card Data
This is totally untrue. Although PCI DSS does apply to the processing and transmission of credit card data, it does matters whether the information is stored. As a result, any credit card data transmitted over faxes, cloud or other data transfer services, phone lines or networks must adhere to PCI compliance. The importance of protecting consumers means that there really is no way around these regulations. If you use merchant service providers to process credit cards, the responsibility is theirs. Still, it’s wise to check on the PCI compliance of any third-party processor you’re considering. This is vital because despite the transfer of risk, customers are sent to the servers used by the third party to pay.
PCI Compliance is Just a Set of Recommendations that Aren’t Mandatory
This is not true at all. In all businesses that process, transmit and store customer credit card data, PCI DSS compliance is required by law. The size of a business does not factor into this matter. The smallest companies, which might process fewer than 20 thousand transactions each year, are still required to be compliant even if they do not have to seek validation. On the Internet, criminals are getting smarter all the time. More advanced ways of stealing credit information are constantly being developed. To prevent this issue from causing bigger problems for consumers, PCI DSS compliance is required for all companies that handle credit card transactions. The simple fact is that no company can afford to go without PCI.