Is Your Server PCI Compliant?
Knowing whether your server is PCI compliant is essential to keeping your business in good standing. What is PCI and why do you have to be compliant in it? Here are the answers to some of the most common questions about PCI compliance.
PCI stands for Payment Card Industry, and the industry has some requirements that are in place to make sure every company that processes, stores, or in any way transmits credit card information keeps a secure electronic and physical environment. This standard applies to virtually any company that has a merchant ID.
To make sure merchants kept up with good security standards with all the different ways they were starting to process credit cards, the PCI was formed in September of 2006. Its purpose is to overlook the continuing evolution of credit card payments in both the physical and electronic environments, and update standards of security for merchants that work with those cards. PCI is owned and operated by the PCI Security Standards Organization, which is a group that was formed by a committee made up of representatives from all the major credit card companies (MasterCard, Visa, AmEx, Discover, etc.). However, the PCI Security Standards Organization only oversees the current best practices for credit card security. It is each individual credit card company that is responsible for making sure merchants comply with them.
The standards of PCI apply to any merchant that accepts credit cards or stores credit card information, regardless of the number of credit cards with which they work. Even if a company only uses the credit card information of one client, they are still responsible for following the standards of PCI and being compliant with them. These standards also apply to merchants who take debit cards issued by the major credit card retailers.
What are Compliance Levels with the PCI?
There are four levels of compliance with the PCI. Any merchant that is subject to PCI regulations will be in one of these four levels. The levels are based on the merchant’s number of Visa transactions over a year. The Visa volume includes credit cards and debit cards, whether pre-paid or connected to a bank account. The volume applies to the “Doing Business As” (DBA) of the company; if a company has more than one DBA, then the volume of Visa transactions across all DBAs are taken into consideration to determine the merchant’s compliance level. The higher the number of Visa transactions, the higher level the merchant falls into, and the stricter their compliance requirements become, in order to minimize the risk to Visa.
Other Important PCI Information for Merchants
It should be noted that even merchants that use third party processors must be in compliance with PCI regulations. Using a third party processor minimizes the risk to the company, and means the company doesn’t have to put as much effort into compliance, but they cannot ignore PCI entirely. It still applies to them.
Businesses that have more than one location must validate their PCI compliance one time each year for each location. They must also send in quarterly network scans done by a Security Standards Organization approved vendor.
Having an SSL certificate for a merchant website will not make a business compliant with PCI, as the certificate does not protect the website from hacking and other attempts at intrusion to its secure servers. SSL certificates that provide high assurance are considered a first level method in PCI compliance for merchants doing credit card business online, but having these high level certificates is just one item of many in the overall PCI compliance checklist.
Are There Penalties for Non-Compliance with PCI?
Yes, there are penalties. However, they are issued at the discretion of the credit card brands that are in charge of PCI. A business that has minor compliance violations for the first time, with no prior history of them, may not have any penalty imposed. It all depends on what the credit card companies decide to do. The penalties for non-compliance are financial ones, with average fines ranging between $5,000 and $100,000 per month until the PCI violations are corrected. The penalties are imposed on the banks that process the credit card transactions for your business, but the banks will typically eventually pass those fines down to your business. These fines may cause your processing bank to decide to stop working with your company, or to impose higher transaction fees on your business. If your business is a small one, such fines can put you out of business. This is why it is important to read your agreement with your merchant processing bank, because that agreement will let you know what your business’s exposure is if you are found to be in non-compliance with PCI.
Is PCI a Law?
No. However, it is something you must follow if you are in business and want to accept credit card payments. Non-compliance with it may jeopardize your ability to accept credit cards in the future, as no banks or credit card companies will want to work with you due to the exposure to data breaches and bad publicity it brings them.
How Do You Know if Your Business is PCI Compliant?
Doing quarterly vulnerability scans of your servers will let you know if the security standards of your servers are up to PCI standards. You can also get an auditing company to look over your servers and determine your level of compliance based on the number of Visa transactions you do each year. An auditing company like I.S. Partners, LLC is the perfect choice to conduct such an audit on a one-time or regular basis for your company. With professional auditors who are experienced at working with companies of all types, I.S. Partners, LLC will come in and get the job done without disrupting your business, and are practically invisible in their work. You and your employees will likely not even notice they are there, and your compliance status will be assured for your peace of mind and company profit. For more information about our services, call us at 215-675-1400 or request an online PCI Quote!