“PCI compliance” might sound boring and technical, but it’s a major focal point for any business that handles online credit or debit card payments. In 2019, that’s most businesses!
The internet has completely changed the way we shop and transact: where we used to go to brick-and-mortar stores to spend cash or swipe a card in exchange for the goods we want, the entire experience can now happen from the comfort of home.
What is PCI Compliance?
Payment card industry (PCI) compliance refers to the standards that companies have to stick to in order to process payment information online. These best practices are collectively known as the Payment Card Industry Data Security Standard (PCI DSS), and they were created by the PCI Security Standards Council (PCI SSC). This set of best practices works to increase controls and protection around cardholder data while simultaneously reducing credit card fraud.
It’s a vital consideration for any company engaged in e-commerce. Not only do these businesses want to protect their customers’ data, but they also enact a level of security that more readily protects their reputation. In the wake of a data breach or other security compromise, a company might take all the necessary steps to patch customer relations and restore any financial loss, but the public relations blowback of having to do so can be devastating.
Compliance requirements differ for businesses handling a large volume of transactions versus a small volume (“level one” for high-volume all the way to “level four” for lowest volume), but these standards are in place for all businesses that process, store, or transmit credit card data and other sensitive information. These companies have to validate their compliance every year or every quarter by engaging a certified assessor or company qualified to determine that they’re handling transactions appropriately.
It’s too important to ignore — those companies that shun PCI compliance not only run the risk of cyberattack by malicious criminals but can also be on the hook for paying pricey PCI noncompliance fees.
Why is PCI compliance important?
PCI compliance reduces the risk of debit and credit card data loss while signaling to customers that a company’s website is secure. It also reduces the chance of those customers becoming victims of identity theft. It’s important for the same reason that choosing a strong email password is important — personal information is worth protecting. Even first-time internet users have a strong and established sense of this.
This PCI standard works to protect merchants as well. Because compliance demonstrates that they’re acting in the customer’s interest, these companies are far less likely to find themselves at the center of a public relations disaster stemming from malicious cyberattacks that expose customer data. PCI compliance is nothing less than a set of established best practices to prevent situations like this from occurring.
And the bad guys have clear financial incentives to make them occur. The FBI’s latest annual Internet Crime Report reveals that cybercrime cost businesses over $2.7 billion in 2018.
One category of attack sees hackers inject malicious code into an e-commerce website so that it captures valuable customer data without anyone knowing. Another category, phishing, involves attackers tricking people into willingly handing over their login credentials or other sensitive data, like credit card numbers and security codes.
As attacks like these continue to grow, the need for businesses to be PCI compliant is clearer than ever. PCI compliance represents a vote of confidence that a business is mindful in how it handles data.
How PCI compliance affects your business
If you accept credit card payments online, you’re subject to an agreement that your business will follow all PCI data security standards. Breaching those standards leaves you vulnerable to fines, and shunning those standards distances your business from credit card companies and their payments infrastructure. In other words, there is a direct connection between the overall health of your business and its compliance status.
In simplest terms, compliant businesses are far less likely to be breached. A company that doesn’t know about this standard likely isn’t paying much attention to its own cybersecurity and payment processing methodology, so it becomes a liability for customers to transact with it. PCI compliance is a badge of honor that figuratively says “we’ve got the paying customer’s back.”
Consequences of PCI Non-compliance
There are numerous examples of corporate data breaches that could have been avoided if the affected companies had been following these standards. Home Depot learned this the hard way when hackers successfully infected its point-of-sale systems with malware in 2014, stealing credit and debit card information from millions of customers. It would eventually come to light that the company was using outdated antivirus software that couldn’t effectively identify unusual network behavior. PCI DSS standards furthermore call for routine vulnerability scans, but employees revealed that multiple customer information systems weren’t assessed.
If Home Depot had been able to demonstrate PCI compliance and the breach had still occurred, then it would have had access to help and resources to solve the problem. But this wasn’t the case: the whole ordeal ended up costing the retailer $19.5 million in the form of a data breach settlement. If it had paid attention to PCI compliance, it would have been business as usual and it would have gotten to hang on to all that money without suffering the embarrassment of being compromised.
It’s a valuable reminder that all companies, regardless of their size, are subject to PCI compliance standards. Credit card payments and electronic transactions seem here to stay, and businesses are on the hook, both socially and legally, to protect this customer data.
That’s what PCI compliance is all about — it saves headaches and trouble for everyone involved in a transaction, so it’s always in a company’s interest to pursue it.