Small businesses accepting credit card payments should be concerned about PCI compliance. A security breach can easily lead to big fines, a huge loss of customers and the elimination of processing payment card transactions. Non-PCI compliant businesses can also be held liable for the cost of chargebacks, of reissuing cards and for providing monthly monitoring for the hacked accounts.
One confirmed security breach for a Level 4 merchant (typically a small business) can result in having to meet Level 1 compliance standards. PCI compliance, also known as Payment Card Industry Data Security Standard (or PCI DSS), is a group of requirements mandating all businesses utilize a secure environment to process, store and transmit credit card information. PCI DSS is managed by an independent organization consisting of representatives of major credit card brands.
There’s no squirming out of PCI compliance; small businesses which process less than 20,000 transactions per month are required to meet specific PCI compliance standards. Even if a small business processes just one credit card transaction per year the business is obligated to be PCI compliant. If any part of a small company’s payment process contacts secure credit card data, the company is required to meet PCI security standards.
A study by Bank of America shows small business merchant accounts are the highest security risks; many small businesses feel they can’t afford to place a stronger emphasis on security or simply don’t have the IT expertise to enhance security. Visa Card reports over 80 percent of its non-compliance issues came from level 4 merchants.
A common question among small business owners who operate multiple locations is whether each location is required to comply individually. It’s not necessary, if each location operates and processes payment card transactions using the same taxpayer ID or EIN. These small businesses only have to validate their PCI compliance once a year and all locations are generally covered by it. A potential requirement includes passing quarterly network scans by PCI SSC approved scanning vendors and this typically needs to be done for only one location.
One of the main reasons for implementing PCI standards is many small businesses take security too lightly. For example, some small business owners use their main server for a variety of risky activities such as surfing the Internet, playing games, using chat software or utilizing person-to-person downloading utilities – all of these activities are risky for businesses which store vital credit card information and personal information on their servers. These activities can result in theft of customers’ financial and personal data.
The cost associated with non-PCI compliance is substantially higher than the cost of meeting PCI compliance standards. The PCI standards consists of common sense rules. Non-PCI compliant small businesses risk a huge loss in terms of time and money when security is breached.
Small businesses are required to meet PCI Compliance standards. The huge cost of a security breach can severely harm a small business. To learn how to obtain a reliable PCI Compliance program visit PCI Free.