PCI Compli… what?


PCI Compliance: if reading those two words reminds you that you're due for a nap right about now, I wouldn't fault you. But taking a snooze on PCI compliance isn't just about security risks and regulatory jargon; it's about your money more than anything else. Thousands of merchants are wasting money on PCI compliance every single month because, let's be honest, it sucks to fill out the paperwork.

If you’re new to PCI, keep reading, maybe we can get a few of your benjamins back in your bank account.

If you're a PCI pro, skip to the section at the bottom called Cut to the Chase (hint: find a gateway and a payment processor that can facilitate your PCI validation and underwrite your business properly, so you avoid non-compliance fees and get better service. And yes, before you ask, we do that and we'd love to help you! :D)

Carrying on…

PCI compliance refers to meeting the security standards established by the Payment Card Industry Security Standards Council (PCI SSC) to safeguard credit card transactions and cardholder information. The major card brands (Visa, Mastercard, American Express, Discover, and JCB) founded the PCI SSC to protect customers' card data and to prevent fraud and data breaches.

Achieving and maintaining PCI compliance matters for every business that accepts credit card payments (which is nearly every business). Being compliant indicates that a business has implemented security measures to protect its customers' card data, such as encrypting cardholder data in transit and at rest, regularly testing its security systems, and enforcing strong access controls.

The PCI DSS (Data Security Standard) lays out twelve requirements that a business must meet to be compliant, ranging from installing and maintaining firewalls to tracking and monitoring all access to cardholder data. Compliance is essential to guard against data breaches and fraud, and to avoid penalties, fines, and damage to the business's reputation. That last part is the kicker: penalties and fines. PCI compliance has become so cumbersome for many businesses that they all but skip the process just to avoid the paperwork. That doesn't by itself mean the business is insecure or that cardholder data is in danger; it means the owner looked at an already busy calendar and decided that three hours of PCI paperwork wasn't the priority. (It doesn't mean the business is secure either: the questionnaire is how compliance gets validated, so skipping it just means nobody has checked.) Can we blame them?

PCI compliance fees are generally broken into 2 camps:

Camp 1. Fees for being compliant. These are paid by every merchant (generally $5-$15/mo.) and cover the provider's PCI program: the compliance portal, the self-assessment questionnaire (SAQ), and the quarterly vulnerability scans where those are required. Some providers fold this fee into their pricing rather than itemizing it, but everyone pays for it. These fees are legitimate, and the fact that your provider shows one as a line item on a statement doesn't make it a "junk fee".

Camp 2. Fees for being non-compliant. These are much higher (usually $30-$50/mo.) and are charged for one of two reasons. The first is that your business really isn't compliant and cardholders shouldn't be shopping with you. The other is that you never completed the paperwork, which for some merchants means a questionnaire of several hundred questions, so your business, secure or not, gets labeled "non-compliant". This is avoidable, and your gateway and payment provider can and should help you fix it.

So, achieving and maintaining PCI compliance is complex and challenging, especially for smaller businesses with limited resources, which is why the process needs to be simpler. We recommend working with a gateway and payment provider whose gateway is itself validated against PCI DSS. When card numbers are entered into the gateway's hosted payment page or tokenized fields instead of into your own systems, that data never touches your servers. In PCI jargon, this takes those servers "out of scope": the gateway does the heavy lifting, and your own validation shrinks from a several-hundred-question SAQ to the short SAQ A used by merchants that fully outsource card handling. Note that it doesn't exempt your business from PCI altogether; you still have to complete that shorter questionnaire each year.

Partnering with a gateway provider that offers a PCI DSS-validated gateway helps businesses save time and resources while staying compliant. Gateway providers can guide a business through completing its SAQ and keeping its status current, and they can also offer features such as fraud detection and prevention that further strengthen the security of card transactions. That saves money on potential security incidents and saves money every single month in fees. Win-win!

Friendly Reminder: when you pick out a gateway and payment partner, there are lots of considerations beyond PCI and security – payment methods, platform stability, redundancy, account and technical support, features, software integrations, price, etc.

Cut to the Chase:
1. PCI compliance is necessary and important, we all play a part in keeping information secure.
2. PCI compliance isn't built for small- and medium-sized businesses. It's overly complex and burdensome in both time and fees.
3. Compliance fees are legit and every merchant pays something, even if their provider comps it. Non-compliance fees are costly and avoidable.
4. Gateway and payment providers can help by letting the gateway do the heavy lifting, keeping card data (and therefore most of the business's own systems) out of PCI scope and leaving the merchant with the shortest questionnaire.
