The ins and outs of PCI Compliance can sound complex and confusing, especially if you are just opening a business or are in the midst of transitioning your business to accepting credit cards. Regardless, if you are reading this blog, the most important takeaway is that PCI Compliance is NOT optional; PCI Compliance is mandatory. In fact, any business (large, small, and everywhere in between) that takes credit and/or debit cards is required to abide by the PCI DSS (an abbreviation for the Payment Card Industry’s Data Security Standard). While it may appear confusing at first, it essentially covers the “collection, storage, transmission, and use of customer and account information embedded in these cards” (Connolly & Haley, 2008).
When a business accepts credit/debit cards, the business has a responsibility to ensure PCI Compliance throughout its operations, from the highest levels of the organization to the lowest. The penalties that a company can face for failing to be PCI compliant can carry a heavy toll – both legally and in regard to the public’s perception and trust (but we’ll address these consequences another time). For the moment, however, it is enough to recognize that PCI Compliance is necessary and compulsory.
Being compliant requires certain electronic security measures, such as data encryption, but these are not the only ones. Apart from these precautions, PCI Compliance additionally extends to any data that exists in paper form, which means that “all data, regardless of format, used throughout the organization must be safeguarded” (Connolly & Haley, 2008). It may come as a surprise that even in the technologically driven age we are in, there are still many PCI Compliance failures resulting from “manual processes, poor business practices, insufficient training, lack of policies, human misconduct, and sometimes just plain staff carelessness” (Connolly & Haley, 2008).
This is why it is important to foster an environment and build a culture that is educated about and involved in upholding PCI Compliance within your business. Sometimes the third party that you select to handle your merchant services/credit card processing will be able to assist you – not only in explaining PCI Compliance but also in giving you tips on how to go about auditing your compliance. Whether you personally set up your own credit card processing or rely upon a third party, the liability remains yours. This is why experts stress that PCI Compliance is an “important business function” (Connolly & Haley, 2008), because in the end, PCI Compliance is anything but optional.
Connolly, D., & Haley, M. (2008). PCI DSS Compliance: Just Whose Responsibility Is It? Hospitality Technology. Retrieved from https://hospitalitytech.com/pci-dss-compliance-just-whose-responsibility-it