PCI Compliance is required for any company or entity processing and transmitting credit card data. Unfortunately, it’s a moving target for the IT departments tasked with staying compliant. The good news is that you can use a PCI Compliance Service Provider to help stay on top of this daunting task.
What Is PCI Compliance and Why Is It Necessary?
In one of our previous blogs, 10 Things to Know About PCI Compliance, we discussed the importance of obtaining and maintaining PCI Compliance. Basically, the PCI Standards are the requirements that companies (retailers in particular) must meet to safely and securely accept, store, process, and transmit cardholder data during credit card transactions. This helps companies to ensure protection for their customers from data breaches and fraud.
Who Should Follow PCI Compliance Regulations?
PCI Compliance is mandatory for any company that stores, processes and transmits credit card data. Industries impacted include retail, healthcare, utilities and state and local governments as well as any other entities that process credit card transactions.
What Does PCI Compliance Cost?
Requirements for compliance can range from security policies, to security updates, to the removal of cardholder data from payment processing systems. The higher the number of credit card transactions processed per year, the more stringent the compliance requirements that must be followed. The cost of compliance can range from approximately $1,000 annually to over $50,000 annually.
Being Outside of PCI Compliance
Companies, particularly retailers, that do not comply with PCI standards could be at risk of data breaches, data theft, fines, card replacement costs, expensive forensic audits, investigations into their business, brand damage, and more. The biggest penalty, of course, will be the permanent loss of customers due to a data breach and/or theft.
Obtaining PCI Compliance, though, is just the beginning. Typically, companies that experienced breaches were not compliant at the time of the breach.
Compliance Is a Moving Target
PCI Compliance changes continually. Every time a new potential weakness is identified in payment processing systems, a security patch must be installed on all of the relevant payment system equipment. Something as simple as a failure to install the latest security patch can throw you out of compliance.
Once a company has obtained PCI Compliance, it is their responsibility to maintain that compliance. They are responsible for:
- Installing all security patches
- Ensuring that the payment processing systems are continuously secure
- Maintaining that compliance at all times.
That’s a tall order, and IT departments have their hands full ensuring that all security updates are implemented.
Using a PCI Compliant Service Provider
One way to help reduce this burden is to use a PCI Compliant Service Provider. The following is the PCI Security Standards Council (SSC) definition of a service provider:
Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data. (Source: www.pcisecuritystandards.org)
Service Provider examples include:
- Companies that design and install IT Infrastructure
- Data destruction entities
- Providers of managed security services
- Outsourced application development firms
Level 1 PCI Compliance
Service Providers that are PCI Compliant have successfully completed a PCI Level 1 assessment by utilizing a Qualified Security Assessor. Level 1 PCI Compliance is the highest level of compliance that companies can obtain. It is the required level of compliance for retailers that process more than 6 million credit card transactions annually. Keeping Level 1 PCI Compliance also requires an annual assessment by a Qualified Security Assessor.
The value provided by Level 1 PCI Compliant Service Providers is that they offer a higher level of security to their customers, and make it easier for them to obtain compliance and to stay compliant.
The cost of not being PCI Compliant can be frightening, especially if there is a breach of customer data. Using PCI Compliant Service Providers can help make the difficult and time-consuming process of obtaining PCI Compliance faster, easier and less expensive.