Two Ways PCI Compliance Affects Your Bottom Line
The Payment Card Industry Data Security Standard (“PCI-DSS” or “PCI”) is the industry’s framework for shielding your computer network against compromise by hackers so that credit card data is not stolen.
The PCI data security standard applies to all businesses and organizations that accept credit cards – regardless of size or processing volume. Yes, even small businesses are required to be PCI compliant.
There are two key activities that are required for PCI-DSS compliance. They are:
- Annual completion of the Self-Assessment Questionnaire (SAQ) related to the payment card acceptance environment of your business. The complexity of your credit card acceptance environment will dictate the complexity of your questionnaire. As a result, there can be up to 350 requirements or controls within the SAQ that applies to your business.
- External vulnerability scans of your business or your e-commerce website.
Two Big Reasons for Becoming PCI Compliant
The two major constituents related to PCI compliance are:
- Your business
- Your customers
Let’s start with your business. Falling short of the industry standard for data security puts you at a greater risk of a data breach. In fact, 43 percent of data breaches hit small businesses. If there is a compromise of sensitive payment card data at your business, various negative consequences can potentially apply. This is particularly true if your business is found to be non-compliant with PCI standards.
- Mandated computer network forensic exam at your cost
- Web development or IT costs to find or fix the problem
- Fines from Visa, Mastercard, Discover, and AmEx
- Costs of getting your environment PCI compliant
- Possible legal fees or regulatory fines
- Civil suits from impacted customers
- Reputation damage
Something else for you to consider is that if you operate your business below PCI standards, you most likely are paying a non-compliance fee every month to your credit card processor. These fees can add up quickly and hit your bottom line pretty hard. A popular restaurant chain here in the Madison, Wisconsin area, Rocky Rococo’s Pizza, had this same issue. The owner of the chain recently shared his experience on eliminating non-compliance fees. It’s a good article to check out.
The next constituent is your customers. When it comes to them, it is all a matter of trust. Customers use their credit or debit cards to pay for goods and services at your business. It is quick, convenient, and safer than toting around a wad of cash.
By using their cards, they are trusting that their information will be safely handled by your business. Nothing will erode their trust faster than a data breach. The last thing you want to do is have to notify your customers that their data has been compromised. Customers who feel they can no longer trust you are customers who will be reluctant to buy from you again.
Becoming PCI Compliant
For these reasons, it is important that you validate your PCI compliance with your current credit card processor. Most credit card processors have PCI compliance programs.
At Wind River, we recommend a multi-layered approach to help businesses understand their level of risk. Specifically,
- Add point-to-point encryption, which may reduce your PCI scope.
- Include added security features to protect against a breach or fraud.
- Consider a breach protection policy.
Regardless of whether Wind River or your current payment processor helps you with PCI, the best approach for your business is based on security, volume of customers, mobile needs, technical requirements, and other nuanced needs.
Assistance with the Self-Assessment Questionnaire
The required SAQ can get a bit technical. To simplify this process, Wind River uses an online stencil that can answer many of the questions for you. Your payment processor may have something similar. If so, definitely take advantage of that. Anything that will reduce the complexity of the SAQ is helpful.
Should the worst happen, we always recommend external assistance to help you with the breach resolution process. If you have trouble getting help from your current provider, Wind River has a great deal of experience with PCI compliance and breach resolution. We know where many of the landmines are hidden and the best practices for navigating the process quickly. Plus, we’ll be your advocate with Visa, Mastercard, Discover, and AmEx.
Breach Protection Coverage
There’s an old adage that no one cares about insurance until you really need it. Well, in our 20+ years in the payment processing business, we have seen many customers that have “really needed it.” A data breach costs businesses an average of $161 per record accessed. The costs can get huge pretty quickly. Because the stakes are so high, we always recommend breach protection coverage. It may save your business one day.
Lastly . . . Don’t Procrastinate!
When it comes to the security of your customers’ credit card and other personal information, don’t look the other way while hoping for the best. If your current processor isn’t providing you with assistance, your business may be at risk. Feel free to reach out to me directly. We’re PCI experts at Wind River and can help guide you in this process.