Fundamentals of PCI Compliance

PCI Compliance

Recently, we talked about the risks every business runs from credit card fraud and the fact that they need to make sure they are PCI compliant or face significant penalties. We thought it would be helpful to dive a little deeper in this email to make sure you understand how PCI works.

PCI DSS (Payment Card Industry Data Security Standard) is not a government or federal regulation; it is an industry standard maintained by the PCI Security Standards Council, which was founded by the major card brands (Visa, Mastercard, American Express, Discover and JCB). It is designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment. In simple terms, this means that any cardholder information (the customer's name and card details) a business captures during a transaction is held in a secure environment and protected from theft.

PCI DSS applies to ANY organization or merchant, regardless of size or number of transactions, that accepts, processes, transmits or stores any cardholder data. Again, in simple terms, this means that if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.

Merchants are classified into four levels based on the number of card transactions they handle each year (each card brand defines its own level thresholds). The validation requirements increase with volume: a Level 1 merchant must have an annual on-site assessment by a Qualified Security Assessor, while lower levels can generally validate with a Self-Assessment Questionnaire. Potential fines increase with volume as well. Most small businesses fall into Levels 3 and 4, but the acquiring bank or card processor that manages a merchant's compliance can assess penalties at its own discretion regardless of the merchant's level.

Businesses found to be out of compliance with PCI DSS may be subject to fines from the entity they use to process their credit card transactions. This could be an acquiring bank or a credit card processor, which typically passes along penalties set by the card brands. Businesses that suffer a data breach in which card data is actually stolen face much larger fines and fees from the banks and card brands, on top of the cost of the forensic investigation and card reissuance that usually follow.