What is PCI Compliance, and why do merchants have to do it?
The Payment Card Industry Security Standards Council (PCI SSC), founded by the major card brands, sets the security standards that apply to anyone who stores, processes, or transmits payment card data. PCI compliance refers to the steps a merchant takes to meet those standards when accepting card payments. Every merchant that accepts credit or debit cards, in person or online, must be able to show that it is meeting them.
These standards are collectively known as the PCI Data Security Standard, or PCI DSS. Every business that accepts card payments must comply with PCI DSS, which ensures it is following established practices for securing transactions and protecting its customers’ cardholder data and other private information.
As you can see, the goal of PCI Compliance is to make it difficult for hackers to gain access to people’s sensitive data by implementing multiple layers of security.
In addition to implementing security measures, PCI DSS requires most merchants to complete an annual Self Assessment Questionnaire (SAQ). Merchants whose environments are exposed to the internet, which includes most eCommerce merchants, must also pass an external vulnerability scan every quarter. The scan probes the merchant’s internet-facing systems from the outside and identifies known weaknesses that an attacker could reach. The Self Assessment Questionnaire is generally where most merchants end up falling out of compliance, which in turn results in being charged a fine or PCI non-compliance fee.
How to be compliant and avoid PCI Non-Compliance Fees.
A lot of business owners think the fee for non-compliance is just an expensive reminder, or a convenient way for processors to make extra money. This is far from the case. Security measures are paramount for the customer’s safety as well as the business’s, and fraud is extremely costly. If there is a data breach at a merchant that has not been maintaining the security standards, the card brands fine the processor (the acquirer) for the merchant’s lack of compliance.
PCI non-compliance fees are the way processors avoid absorbing those fines themselves and pass the cost to the non-compliant party. Processors need to ensure their merchants are maintaining a secure network, protecting cardholder information, and implementing strong access control measures in order to avoid being fined themselves. This is especially true since it is so easy to simply be compliant.
Since the annual Self Assessment Questionnaire (SAQ) is where most merchants fall into the trap of non-compliance, this is what we’ll focus on. It’s important for processors and merchant service providers (MSPs) to help merchants realize this questionnaire is required, not just a voluntary assessment. It’s also important for merchants to be proactive and do what’s necessary to ensure the security of their customers’ data.
What is a Self Assessment Questionnaire?
The SAQ begins with standard identifying questions about the business. It requests basic merchant information, all business locations that accept card payments, the business type, and the payment channels used. Those answers determine which version of the SAQ applies; there are several, and a merchant that only uses a dial-out or IP-connected terminal answers far fewer questions than one that handles card data on its own systems.
The questionnaire then contains a series of yes/no questions pertaining to the PCI DSS requirements that apply to that merchant. Answering Yes to every question means you are complying with all applicable PCI DSS requirements. For any requirement not yet met, you must explain which actions you’ll take to correct it and the expected date of completion.
Since this questionnaire needs to be filled out annually, merchants can easily set up a calendar reminder to help to make sure they are completing it on time each year.
How can we help our merchants become and remain PCI Compliant?
First of all, Bankcard Brokers never uses compliance fees as a revenue center. Non-compliance fees are initiated by the acquiring bank that our clients open their merchant account with, based on the compliance status it has on record. We simply pass the assessed fee on to the merchant. It is always our priority to help our merchants affordably accept credit card payments while maintaining the highest level of security for their customers and their own business.
Remember, the Data Security Standard is set by the PCI Security Standards Council and enforced by the card brands through the acquirers. We can’t do your PCI compliance for you: the SAQ is the merchant’s own attestation about its own environment, and it must be completed and signed by the merchant. But we can support you by reminding you when it’s due and answering any questions you might have. We can connect you with approved vendors for security and vulnerability scans. And we can remind you how important it is for merchants to do their part to fight credit card fraud.
How does Bankcard Brokers provide merchants with support and guidance where PCI Compliance is concerned?
Retail merchants have most of their security measures, and therefore most of their compliance, built into their payment processing solution: a validated terminal that encrypts card data at the point of capture keeps that data off the merchant’s own systems and sharply reduces what the SAQ has to cover. When it comes time for a merchant to complete their SAQ, we reach out by sending a reminder through email. In addition, we include notifications on their monthly statement to help remind them to complete the questionnaire on time. If we’re notified that a merchant has failed to complete their SAQ, we’ll call them directly and urge them to become compliant.
E-commerce merchants have one additional step to remain PCI compliant. In addition to the SAQ, eCommerce merchants also need to make sure they complete their vulnerability scan. This scan must be passed quarterly, and it must be performed by a company on the PCI SSC’s list of Approved Scanning Vendors (ASVs); the processor does not certify scanning vendors, the Council does.
Yes, there is an additional cost that comes with completing the scan every quarter. However, that cost buys the security and protection that come from knowing where your vulnerabilities lie and how to fix them. More importantly, a documented history of passing scans is added protection for the merchant in the event that there is a breach.
Bankcard Brokers can assist eCommerce merchants with the process. We can help with all vendor communications to make it as seamless as possible to set up your quarterly scan schedule. Once the ASV has scanned the merchant’s internet-facing systems, it provides the merchant with an ASV scan report and an attestation that the scan passed. The merchant then submits that passing scan attestation, together with the completed SAQ and its Attestation of Compliance (AOC), to its acquirer or processor as proof of PCI compliance. (A full Report on Compliance, or ROC, prepared by a Qualified Security Assessor is only required of the largest merchants, not of a typical small eCommerce merchant.)
PCI Compliance is an effective way to combat payment card transaction fraud.
Merchants should view PCI compliance as an ongoing process; it will continue to change as technology advances and fraud adapts. Protecting sensitive data from fraudsters not only protects your customers but also protects your reputation, brand, and sales. And protecting your business from fraud helps protect it from expensive lawsuits, insurance claims, and fines.
If you ever find that you are being charged a non-compliance fee, I urge you to call us right away. Our ETA-Certified Payments Professionals can answer any questions and advise you on the steps to become compliant as quickly and painlessly as possible. Most likely, it is just that you haven’t filled out your questionnaire!