The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers the technical and operational system components included in or connected to the cardholder data environment. If you accept or process payment cards, PCI DSS applies to you.
What is PCI DSS?
PCI DSS is the global data security standard adopted by the payment card brands for all entities that process, store or transmit cardholder data and/or sensitive authentication data. It consists of steps that mirror security best practices.
What is PCI Compliance?
The PCI Data Security Standard (PCI DSS) includes general practices, such as restricting access to cardholder information and requiring strong, non-default passwords, as well as more in-depth practices such as encryption and the use of a firewall.
The PCI Security Standards Council is a global organization formed by major credit card companies, including Visa, Mastercard, Discover, and American Express.
If you operate an e-commerce site, PCI compliance is mandatory. It is not dictated by the volume of transactions or restricted solely to storage, transmission, and processing; it applies to any business that allows credit card payments.
With PCI, everything is about reducing the attack surface. For an ecommerce site, this specifically involves the Cardholder Data Environment (CDE): the manner in which you handle credit cards on your site, as defined by the requirements set forth in PCI DSS.
Small merchants are not excluded from these requirements. Unprotected ecommerce websites are prime targets for data thieves. If sensitive customer data or cardholder information is stolen from a website that you’re responsible for, you could incur penalties, large fines, and even lose the ability to accept payment cards.
What Happens If You’re Not PCI Compliant?
If a merchant is found to be non-compliant with the PCI DSS, there can be a variety of penalties and consequences, including fines, lost time, and reputational damage.
1. PCI Non-Compliance Fines
Non-compliant websites can suffer hefty penalties from payment industry regulators if customers experience fraudulent transactions. The average cost of a data breach for a small business is $86,500, with enterprise organisations paying $4 million.
2. GDPR Regulation
Under GDPR, any business that experiences the breach of EU residents’ personal information has 72 hours to notify supervisory authorities or risk facing heavy fines. This regulation joins a number of US federal and state laws which hold organisations accountable for the security of customer data.
3. Suspension of Credit Cards
Perhaps worse than fines, the ability to accept credit card payments may be revoked. The PCI standards are created by the major credit card companies, and this is their defense against irresponsible merchants. If a data breach occurs for your ecommerce store, the PCI council can revoke the privilege of using their payment cards.
4. Mandatory Forensic Examination
Merchants suspected of a data breach are required by the PCI DSS to undergo a mandatory forensic examination, which means hiring professionals and conducting a time-consuming investigation. A small business examination may cost between $20K and $50K.
5. Notification and Credit Monitoring
If a compromise of financial information is suspected, a number of states require the merchant to notify customers and inform them of the breach. Merchants may also need to produce up to a year’s worth of credit monitoring or counselling services to affected customers.
6. Liability for Fraud Charges
Lawsuits may seek to hold merchants liable for security breaches. It is important to emphasize that protecting your customers’ sensitive information is your responsibility as a business owner. That is why having a secure website is vital.
7. Credit Card Replacement Costs
Card issuers may require merchants to pay the cost of reissuing credit cards, which includes shipping, activation, and communication to the customer. These fees can range from $3 to $10 per card.
8. Reassessment for PCI Compliance
In order for a website to accept credit card transactions again, a complete PCI reassessment by an external Qualified Security Assessor (QSA) must be performed.