If your business accepts debit, credit and prepaid cards as payment of goods and/or services, then you need to be aware of how important it is to stay PCI compliant.  

What is PCI Compliance?
In September 2006, the five major credit card brands (Visa, MasterCard, American Express, Discover and JCB (Japanese Credit Bureau)) created the Payment Card Industry (PCI) compliance standards.  PCI compliance standards are a set of strict requirements aimed at managing and improving the security of transaction processing with payment cards.  All members of the payment card industry must comply with these standards if they want to accept credit cards from their customers.

PCI compliance applies to all companies, organizations or merchants that store, process or transmit cardholder data, regardless of the size of your business or the number of transactions you process each year.  If you are a doctor's office, auto body shop, retailer, restaurant or any other establishment that accepts credit cards, PCI compliance is mandatory.  Fines or penalties for noncompliance can be devastating to a small business.

What's Necessary to Stay PCI Compliant?
The PCI Data Security Standard (DSS) is a set of 12 general requirements covering six goals, with more than 200 specific sub-requirements.  If this sounds like a lot to handle and implement to stay compliant, it is.  The chart below comes from a PCI compliance white paper from First Data that outlines what merchants need to do to better protect cardholder data.

[Chart: PCI compliance requirements, from the First Data white paper]

The Verizon Business RISK Team reports that payment card breaches were at the top of the list of all reported data breaches in 2008, far outnumbering other data-type breaches. Even more startling is that the fraudulent use of stolen card data was confirmed in 83 percent of the breach cases investigated by the Verizon team.  Download a copy of the Verizon Business RISK Team's 2009 Data Breach Investigations Report.
 
Isn't There an Easier Way to be PCI Compliant?
Is your head spinning just reading about all these maintenance, monitoring and testing requirements?  If this sounds like a lot of work to be able to accept credit cards and stay in compliance, you're right... it is.  The upfront costs of protecting your business against credit card fraud and meeting the PCI compliance standards have skyrocketed over the past several years.

The good news is you are not alone.  The burden of staying PCI compliant doesn't have to fall completely on your shoulders.  As a merchant or company accepting credit cards, your business is just part of the transaction process.  Other organizations like payment processors and card networks have a vested interest in implementing and making enhancements to data security while maintaining PCI compliance. 

Make sure your credit card processing vendor is staying on top of PCI compliance.  It's not a once-and-done process.  It requires continuous monitoring, maintenance and evaluation.  Many of the breaches that have occurred happened because the vendor was careless in its procedures.  The vendor may have been compliant at the time of an audit, but then relaxed its monitoring processes and did not stay in compliance.

All trademarks, service marks and trade names referenced in this material are the property of their respective owners.