What is PCI Compliance and why do you have to do it?
PCI compliance applies to any merchant who wants to accept any kind of payment other than cash. For merchants, being PCI Compliant refers to maintaining the security standards set forth by the Payment Card Industry.
These standards are collectively referred to as the PCI's Data Security Standards, or PCI-DSS. Every business that wants to accept credit card payments is required to comply with these standards, which set out best practices for secure transactions and for protecting customers' card data and private information.
In short, the ultimate goal of PCI Compliance is to make it much more difficult for attackers to gain access to customers' sensitive data by implementing multiple layers of security.
In addition to implementing security measures for safe transactions, merchants are required to fill out an annual Self Assessment Questionnaire (SAQ) as part of their compliance. eCommerce merchants are also required to complete a quarterly vulnerability scan, which performs an in-depth review of the merchant's security environment. This questionnaire is generally where most merchants end up falling out of compliance and costing themselves a fine.
How to be compliant and avoid PCI Non-Compliance Fees.
A lot of people tend to think that the fee for non-compliance is just an expensive reminder for merchants or a convenient way for processors to make extra money. This is far from the case. Security measures are paramount for the safety of both the customer and the business, and fraud is extremely costly. In the event of a data breach at a merchant who is not making an effort to maintain the security standards set forth by PCI, the card networks will actually charge the processor for the lack of compliance on the merchant's part. In this way, a PCI Non-Compliance fee is a way for the processor to help ensure that its merchants are maintaining a secure network, taking steps to protect cardholder information, and implementing strong access control measures, so that the processor avoids being fined itself. This is especially true since it is so easy to just be compliant!
Since the annual Self Assessment Questionnaire (SAQ) is where most merchants fall into the trap of non-compliance, it is important for processors and merchant service providers to help merchants realize that this questionnaire is something they must take care of and not just a voluntary assessment. It is also important for merchants to stay proactive and do what is necessary to ensure they are taking the security of their transactions seriously.
The SAQ is simply a collection of standard identifying questions about the business. It will request information such as all business locations that are accepting card payments, what type of business it is and the type of payments you are collecting, as well as basic vendor information. Since this questionnaire needs to be filled out annually, merchants can easily set up a calendar reminder to help make sure they are completing it on time each year.
How can we help our merchants become and remain PCI Compliant?
How does Bankcard Brokers provide merchants with support and guidance where PCI Compliance is concerned?
First of all, Bankcard Brokers never uses compliance fees as a revenue center. Any Non-Compliance Fee is initiated by the acquiring bank (or its certified assessor) with which our clients hold their merchant account, and is simply passed on to the merchant. It is always our main goal to help our merchants affordably accept credit card payments while maintaining the highest level of security for their customers and their own business.
Retail merchants have the majority of their security measures, and therefore their compliance, built into their secure payment processing solution. When it comes time for a merchant to complete their SAQ, we will reach out by way of a reminder email as well as notifications on their monthly statement to help remind them to complete the questionnaire on time. In the event that we receive notice that a merchant has failed to complete their SAQ and subsequently become non-compliant, we will then reach out to them by phone and urge them to become compliant.
In addition to the SAQ, eCommerce merchants will also need to make sure they are completing a vulnerability scan. This scan must be completed quarterly with a company that is certified by their processor as a PCI SSC Approved Scanning Vendor. Bankcard Brokers assists all of our merchants with communicating with the vendor and with the process of setting up their quarterly scan schedule, to make it as seamless as possible.
Yes, there is an additional cost that comes with completing the scan every quarter. However, that cost comes with the added security and protection from a breach that comes with knowing your vulnerabilities and being able to take action to fix them. More importantly, it also comes with added protection for the merchant in the event that there were a breach. Once the vendor has completed a detailed review of the merchant's card data environment, they will provide the merchant with their Report on Compliance (RoC), which can be turned in to the PCI DSS as proof of PCI Compliance.
Merchants should view PCI Compliance as an ongoing process that will morph as technology advances and fraud adapts. Protecting sensitive data from fraudsters not only protects your customers, but also protects your reputation, brand and sales, as well as protecting your business from expensive lawsuits, insurance claims, and fines.
In the event that you ever find that you are being charged a Non-Compliance Fee, I urge you to give us a call right away. Our ETA-Certified Payments Professionals can answer any questions and advise you on the steps to become compliant quickly and as painlessly as possible. Likely, it is just that you haven't filled out your questionnaire!