Similar to HIPAA for the healthcare industry, PCI compliance is a hot topic for the online retail and business industry. You’re likely aware of what PCI compliance is all about, but let’s go through a quick refresher.
PCI compliance refers to the Payment Card Industry Data Security Standard (PCI DSS), a set of technical and operational requirements that any business accepting credit card payments must follow. In practice these are security controls a business must implement to protect cardholder data and to limit what an attacker can take in the event of a breach.
For the average merchant website (and even for large corporations), being PCI compliant can seem like a burden, with many rules to follow and fees to pay. For small merchants the fees are actually modest: a small business would typically pay around $300 per year to complete a self-assessment, and an acquiring bank may cover that cost as part of its own PCI compliance program. A large enterprise, however, could pay $70,000 or more.
Who needs to be PCI compliant?
If you own a business that takes customers' credit cards, no matter how small, even if you process only one credit card transaction per year, your business must meet PCI compliance standards. The penalties for non-compliance range from being held liable for card replacement costs, to bank fines or the loss of your relationship with your acquiring bank, to lawsuits, and even to state and federal government fines.
So the cost of being PCI compliant is small compared to how quickly compliance violations can put you out of business.
What happens during a PCI compliance audit?
The actual audit process varies with your merchant level, which the card brands set by the number of card transactions your business processes annually. There are four levels:
- Level 1: over 6 million transactions annually
- Level 2: between 1 million and 6 million transactions annually
- Level 3: between 20,000 and 1 million transactions annually
- Level 4: fewer than 20,000 transactions annually
A merchant that has suffered a breach can also be escalated to Level 1 by its acquirer regardless of transaction volume.
If you process fewer than 6 million transactions annually, you may be able to complete a Self-Assessment Questionnaire (SAQ) instead of a formal on-site audit. Level 1 merchants must have an annual on-site assessment that produces a Report on Compliance (ROC). A completed SAQ, together with its Attestation of Compliance (AOC), is submitted to your acquiring bank rather than simply filed internally, and most SAQ types also require quarterly external vulnerability scans by an Approved Scanning Vendor (ASV).
The 12 core PCI DSS requirements apply to businesses of every size, so your main objective is to determine your merchant level and then follow the correct procedure: either the appropriate SAQ, or an official assessment by a Qualified Security Assessor (QSA).
Who is liable for PCI compliance?
In a nutshell, you are. The company is responsible for its own PCI compliance. There are two partial exceptions.
The first is when you hire a third-party web developer and the contract specifically states that the website must be built to PCI compliance standards. If you then incur penalties for compliance violations, you can sue the developer. If you discover that the website is not compliant before any violations are incurred, you can use the contract to have the developer redesign the site, obtain a refund, or hire a new developer.
The other is when your hosting company offers payment processing tools for your website and promises that those tools are PCI compliant. If the hosting company's terms of service or the description of its payment tools promise compliance, and your site is found to be non-compliant after using those tools, the hosting company may be liable and you may have grounds to sue. Your customers could also sue the hosting company if their card data was compromised.
At the end of the day, though, it is ultimately your responsibility to make sure that your website is PCI compliant. Even if the fault lies with a third-party developer or your hosting company, you will have to take them to court to recover the financial penalties imposed on your business. PCI DSS itself (Requirement 12.8) expects you to keep a list of the service providers that handle cardholder data on your behalf and to hold written agreements in which they acknowledge their responsibility for that data; asking each provider for its current Attestation of Compliance is the simplest way to verify a compliance promise before you rely on it.