By the time you’ve learned what PCI compliance means – never mind learning what’s actually required for your business to become PCI compliant – you’ve learned more than a human brain is currently capable of holding.
If you’ve studied on it some (mm hm), then I feel your pain. If you accept credit cards as a payment option in your business – especially if you accept credit cards online – the PCI DSS (Payment Card Industry Data Security Standard) requirements must be met. These standards protect your customers, and make no mistake, they protect the merchant, too. Not only do they protect your customers from credit card theft, identity theft – all those nasty things – but they protect the merchant from thousands of dollars in possible penalties, lawsuits and a world way beyond simple aggravation.
The banks themselves are fined for violations, but as stated in the PCI Compliance Guide, “the banks will most likely pass this fine on downstream till it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees.” This can be deadly to a small business.
Is it a law? Not strictly speaking. It’s not federal law – not yet anyway – but there are some state laws already, and your merchant provider or acquiring bank is likely already requiring it. Even if you use third-party processors (which would include PayPal, WorldPay, 2CheckOut), you are still required to be compliant. Still, in that case the work and cost to achieve compliance are much easier to deal with.
Last year, I went through an agonizing week learning about PCI compliance. Learning that my little business was going to require thousands of dollars in security scans, learning that I was in arguably the worst possible group (meaning, the compliance was hardest to meet), attempting to fill out a form that requires a PhD in Computer Science and Gobbledy-Gook to understand (it is a thank-you-very-much 49-page form – make that an 82-page form*), and the worst of it: vacillating back and forth between all this and shutting down my business.
*Version 3.0 of the SAQ-D form, released in February of 2014, is an 82-page epic. It’s got pathos, humor, romance, special effects, and a heart-thumping score. Coming to an IMAX theater near you… PCI Compliance: The Movie. I jest, of course, though PCI compliance is no joke and an 82-page form is NOT in the least bit funny. Hence the irony. 🙂 We now return you to this semi-regularly scheduled blog…
I don’t mind telling you, I was a wreck, but with a lot of perseverance and digging into alternatives, merchant accounts and payment processors, I successfully took steps to ensure my own PCI compliance. If you do business with me, you may rest assured that your data and personal information are absolutely secure.
And I still have the headache to prove it. Mmm hm.
There is a ton of information out there on the internet about PCI compliance, but I recommend you go to the horse’s mouth first. Visit the PCI Security Standards Council at http://www.pcisecuritystandards.org/