Crime. That’s the main reason for PCI - payment card industry - standards. Thieves target credit cards, and as a result every business that deals with them must conform to PCI rules about accepting, transmitting, and storing data.
The basic standards are fairly easy to understand, but maintaining full compliance can be challenging. And if you don’t get it right, your company is subject to fines, termination of credit card acceptance, lost sales, legal costs, and an uncertain future in e-commerce.
Here are some things to keep in mind.
PCI compliance involves being assigned a merchant level, which is based on transaction volume. Levels have different requirements for ongoing compliance. Visa’s merchant validation levels range from Level One - more than 6 million transactions per year - to Level Four - fewer than 20,000.
The tricky part is that your company can be escalated to a higher level based on factors other than volume. The primary reason for escalation is a breach that resulted in an account data compromise. So if you experience a data breach, get ready. You’ll soon face much stricter compliance standards, even if you always do fewer than 20,000 transactions a year.
Multiple E-Commerce Sites
What if you run more than one site and one e-commerce company? Business owners often wonder whether their PCI level is determined by one site/service/company, or all of their businesses as a group. Don’t assume that each site falls under the lowest level of validation, just because you operate them separately.
It’s based on your taxpayer ID. So if you have everything under the umbrella of one company taxpayer ID, your PCI level will be based on the credit card volume associated with it: all of your operations’ transactions added together.
Compliance is a Moving Target
Another challenge is the ever-changing nature of validation. Just because your company was in full compliance last year, or last month, or even yesterday, doesn’t mean it is at this moment. Compliance is an ongoing process.
This was illustrated in the case of Heartland Payment Systems (HPS), which gained world-wide notoriety for a data breach that affected PCI compliance. HPS paid an outside firm to guarantee remaining in full PCI compliance at all times. Unbeknownst to HPS or the outside vendor, malware infected its corporate network and made a leap to its payment processing network.
HPS was immediately delisted by Visa and Mastercard, saw its stock fall 78%, and lost 5,000 merchants. Its total loss was $170 million.
In the end, HPS worked with the regulatory authority to tighten its security processes. The company developed an incident response plan based on PCI compliance. And good news: Albert Gonzalez, leader of the hackers responsible for the breach, received the longest sentence ever given for cybercrime.
No Third-Party Guarantees
As the example above illustrates, you can’t rely on any third-party vendor to guarantee meeting PCI compliance. It’s important to note that you also can’t shift blame to a third-party payment processor. You are ultimately responsible for your own company’s compliance.
Failure is forever
Unfortunately, if you ever fall into noncompliance, it can affect your business forever. Not only will you be issued fines of $5,000 to $100,000 a month until the issue is resolved, you’ll also face additional fees from the payment brands for the life of your business. The fees are given as a penalty, and as a way to compensate card issuers for the risk of doing business with you.
Failing PCI compliance - particularly if it leads to card processing termination - can also affect your company’s credit rating, banking relationships, and loan eligibility. In fact, banks may charge you for the forensic research required to handle your account.
It also affects your reputation in the industry and your customers’ long-term view of the company. Avoid falling into PCI noncompliance by following the best payment practices in e-commerce. A full-stack ecommerce solution is the best way to stay compliant. Click here for a free demo today!