Knowing how payments come in is key to managing PCI compliance
To become PCI compliant, you first have to understand how you are taking payments today. This is the most crucial step you will take before reviewing the "How do I become PCI Compliant?" checklist.
For all of the different ways you are taking payments, ask the following core questions:
How is the cardholder data collected? How is the cardholder data processed? Is the cardholder data stored?
The key to the first question is whether the cardholder data is collected on a PCI DSS Level 1 certified software vendor or third-party vendor. If the answer is no, unfortunately, you will not be able to achieve PCI compliance, regardless of how “secure” a solution may be, PCI requires vendors collecting, processing and/or storing cardholder data to become PCI DSS certified.
If you are collecting cardholder data on your servers, then the scope of PCI is broader than if you were using a certified third-party vendor. If the answer is yes, to question 1, then question 2 and 3 are usually taken care of. Note, if you are storing cardholder data, compliance is referring to storing and processing the full cardholder data. Typically if you are using a certified third-party vendor, you will be storing a token for repeat purchases.
How do you become PCI compliant?
Step 1: Analyze your compliance level.
Step 2: Fill out the self-assessment questionnaire.
Step 3: Make any necessary changes.
Step 4: Fill Out a Formal Attestation of Compliance.
Step 5: File Your documents.
What happens if you are not PCI compliant?
Merchants ignoring the growing adoption of PCI DSS do so at their own risk as the penalties for non-PCI compliance can be devastating. The fines from the card brands are high, ranging from $5,000 to $100,000 per month.
The acquirer will pass these fines onto you, and will typically encourage compliance by charging a fee, which is usually between$10 per month to $1,000 per month or more, depending on the circumstances. To make matters worse, credit card companies reserve the right to revoke a merchant’s right to process credit card transactions entirely for non-compliance to PCI. Finally, merchants can suffer reputational damage, lost business and reduced confidence and trust amongst partners and customers.
One last thing to remember: PCI is not just a once-a-year event. While PCI compliance introduces best practices and processes for your business, fraudsters are always on the prowl; adapting their ways and adjusting their methods, so stay vigilant out there every day.