Why PCI Compliance Exists

You may have been assessed a $30 monthly non-compliance fee for failing to keep a current PCI compliance certificate on file with your credit card processor.  That $30 does not stay with your processor: the acquiring bank assesses the fine against the processor (such as Chosen Payments), which then passes it on to you, the merchant.

In 2006, Amex, Visa, MasterCard, Discover and JCB created an independent body, the PCI Security Standards Council, to reduce credit card fraud caused by poor handling of card data by merchants and their employees.  For the scale of the problem, think of the Target breach, in which roughly 40 million card numbers were stolen from the company's payment systems.  That alone paints a pretty big picture of why PCI compliance exists.

In the majority of merchant-related fraud cases, the merchant was largely responsible for the leak, either through improper handling of cards by employees or through weak security controls on its servers.  Merchants are handed card numbers, expiration dates and the three- or four-digit security code.  Written down, these become a license to steal for anyone who happens upon them, and the security code in particular must never be retained once the transaction has been authorized.  This is what makes PCI compliance so important to the credit card processing industry and to card issuers.

The standard's proper name is PCI DSS, the Payment Card Industry Data Security Standard.  Most merchants complete a Self-Assessment Questionnaire (SAQ) once a year and submit it, together with an Attestation of Compliance, to their processor; depending on the SAQ type, quarterly external vulnerability scans by an Approved Scanning Vendor are required as well.  The questionnaire covers both how you handle card numbers day to day and, if you store cardholder data on your own systems, whether those systems are protected against an outside attacker.  It is simply an annual review that reinforces and re-examines the way you do business with credit cards.

As a merchant, you are responsible for safeguarding your customers' card data from the moment you receive it.  Once a card number has been entered into your computer system it should be stored in an unreadable form (strong encryption, truncation, a keyed hash or tokenization) and shown to employees only in masked form, with no more than the last four digits visible, so that staff never have access to the full number again.  By the same principle, a card number should never be written down on paper for later use.

Policies that prohibit employees from sending card data by email or text message further reduce the chance of a breach: those channels leave copies in mailboxes and on phones that you do not control.
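The two preceding paragraphs describe what a merchant's system should do with a card number (mask it for display, store it unreadable, discard the security code) and what its outgoing email and messages must not contain. The block below is an added example of both, written for this page and not code from the original post or from Chosen Payments. It assumes a constructed HMAC key and a constructed sample email; the card numbers are the brands' published test numbers, not real cards.

```python
"""Added example: intake of a card number (PAN) and screening of outgoing
text for card numbers. Not part of the original post."""
from __future__ import annotations

import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed placeholder key for this example only. A real deployment keeps
# the key in an HSM or KMS, never next to the data it protects.
EXAMPLE_HMAC_KEY = b"example-key-do-not-use-in-production"


def luhn_valid(digits: str) -> bool:
    """Luhn check used by all major card brands: rejects typos and most
    random digit runs (order numbers, phone numbers) before we treat a
    string as a card number."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form shown to staff: only the last four digits survive
    (PCI DSS allows at most the first six and last four to be shown)."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass(frozen=True)
class StoredCard:
    masked_pan: str   # what employees see on screen
    pan_token: str    # keyed hash of the PAN, used to match repeat cards
    expiry: str       # MM/YY; not sensitive on its own under PCI DSS


def take_card(pan: str, expiry: str, security_code: str) -> StoredCard:
    """Accept a card at entry time and return the only record we keep.
    The full PAN and the security code never leave this function."""
    pan = re.sub(r"[\s-]", "", pan)
    if not luhn_valid(pan):
        raise ValueError("not a valid card number")
    # The security code is used for authorization only and is deliberately
    # dropped here: PCI DSS forbids storing it after authorization.
    del security_code
    # A keyed hash (HMAC) is one of the methods PCI DSS accepts for rendering
    # a stored PAN unreadable; strong encryption or tokenization are the
    # alternatives. An unkeyed hash would not do: 16-digit PANs are brute-forceable.
    token = hmac.new(EXAMPLE_HMAC_KEY, pan.encode(), hashlib.sha256).hexdigest()
    return StoredCard(masked_pan=mask_pan(pan), pan_token=token, expiry=expiry)


# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in
# a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid card numbers found in free text (an outgoing
    email or chat message) so the message can be blocked before it leaves."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact_pans(text: str) -> str:
    """Replace every valid card number in the text with its masked form,
    leaving any trailing separator in place."""
    def _repl(m: re.Match) -> str:
        raw = m.group()
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw
        tail = raw[len(raw.rstrip(" -")):]
        return mask_pan(digits) + tail
    return PAN_CANDIDATE.sub(_repl, text)


# Constructed sample of the kind of email the policy exists to stop. The
# 16-digit order number is not Luhn-valid and must not be flagged.
SAMPLE_EMAIL = ("Hi, please charge card 4111 1111 1111 1111 exp 12/27, CVV 123 "
                "for order 1234567890123456. Thanks")

if __name__ == "__main__":
    card = take_card("4111 1111 1111 1111", "12/27", "123")
    print(card.masked_pan, card.pan_token[:16], "...")
    print(find_pans(SAMPLE_EMAIL))
    print(redact_pans(SAMPLE_EMAIL))
```

`take_card` is the only place the full number exists; everything downstream works from `StoredCard`, which is why nothing in it can be reversed into the PAN. `find_pans` is the check an outgoing-mail filter or chat bot would run; the Luhn step keeps it from blocking every invoice that happens to contain a long order number.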

A PCI compliance certificate helps show that you accept credit cards with proper attention to security and storage. Credit card fraud affects nearly thirty-two million people each year, and your efforts as a merchant reduce the chance that your customers' information is compromised.