Regardless of the type of business you own, if you accept credit cards then you need to know about PCI compliance. You may have heard the term before and know that it’s important to your business but still have more questions than answers on the subject.
First of all, understand that you are not alone and we can help. TransFirst® has been in business since 1995, providing information, education and support with our PCI compliant merchant account services. In this time, the landscape has changed and evolved but the importance of PCI compliance has never waned.
To be PCI compliant you must meet the PCI DSS (Payment Card Industry Data Security Standard) requirements for:
Other critical protective measures
PCI compliance is an ongoing process. Once you achieve compliance, you must continually strive to maintain it. Think of it in terms of three steps:
Assess by identifying where cardholder data lives, taking an inventory of the IT assets and business processes involved in payment card processing, and analyzing them for vulnerabilities that could expose cardholder data.
Remediate by correcting those vulnerabilities and by not storing cardholder data unless you actually need it; sensitive authentication data (full magnetic-stripe or chip track data, the card verification code, the PIN) must never be stored after authorization.
Report by compiling and submitting the required remediation validation records (if applicable) and compliance reports (a Self-Assessment Questionnaire or a Report on Compliance, depending on your merchant level) to the merchant services provider and card brands you do business with.
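The assess and remediate steps above both turn on one question: where is cardholder data sitting that should not be? The script below is an added example, not TransFirst code or part of the PCI DSS itself. It is a small cardholder-data discovery and redaction helper of the kind used in the assess step: it scans text (here a constructed application log) for candidate primary account numbers (PANs), keeps only those that pass the Luhn checksum to cut false positives from order numbers and timestamps, and masks what it finds to the first six and last four digits, the truncated form PCI DSS permits. The log lines, the 13-19 digit PAN pattern, and the separator handling are assumptions made for this example; the PANs used are the well-known card-brand test numbers, not real cards.

```python
"""Cardholder-data discovery and masking helper (added example, not part of the page).

Assumptions (not from the page):
  * a candidate PAN is a run of 13-19 digits, optionally separated by single
    spaces or dashes, not adjacent to other digits;
  * a candidate is accepted only if it passes the Luhn checksum;
  * masking keeps the first six and last four digits (PCI DSS truncation).
"""
import re

# 13-19 digits, each optionally followed by one space or dash, with no digit
# immediately before or after the run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

MIN_PAN_LEN = 13
MAX_PAN_LEN = 19


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalize(candidate: str) -> str:
    """Strip the separators the regex allowed so only digits remain."""
    return re.sub(r"[ -]", "", candidate)


def _is_pan(digits: str) -> bool:
    return MIN_PAN_LEN <= len(digits) <= MAX_PAN_LEN and luhn_ok(digits)


def find_pans(text: str) -> list:
    """Return the Luhn-valid PANs (digits only) found in text, in order."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = _normalize(m.group())
        if _is_pan(digits):
            hits.append(digits)
    return hits


def mask_pan(digits: str) -> str:
    """Truncate to first six and last four digits, e.g. 411111******1111."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form."""
    def repl(m):
        digits = _normalize(m.group())
        return mask_pan(digits) if _is_pan(digits) else m.group()
    return PAN_RE.sub(repl, text)


def scan_lines(text: str) -> list:
    """Return [(line_number, [masked PANs found on that line]), ...]."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        pans = find_pans(line)
        if pans:
            findings.append((n, [mask_pan(p) for p in pans]))
    return findings


# Constructed sample log (assumption, not real data). Line 1 carries a
# 16-digit order id that is NOT Luhn-valid; line 5 carries a mistyped PAN.
SAMPLE_LOG = """\
2015-10-01 09:12:03 INFO  order=1234567890123456 amount=42.10 status=approved
2015-10-01 09:12:03 DEBUG request body: {"pan": "4111 1111 1111 1111", "exp": "12/18"}
2015-10-01 09:14:41 DEBUG request body: {"pan": "5555-5555-5555-4444"}
2015-10-01 09:15:02 DEBUG amex pan=378282246310005 auth=ok
2015-10-01 09:16:10 WARN  typo in pan field: 4111111111111112
"""

if __name__ == "__main__":
    for line_no, masked in scan_lines(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(masked)}")
    print(redact(SAMPLE_LOG))
```

Run it and the scanner reports PANs on lines 2, 3 and 4 only; the order id and the mistyped number fail Luhn and are ignored. The same functions can be pointed at database exports, backups and debug logs during the inventory; anything the scanner flags outside the systems you intended to hold cardholder data is a remediation item, and the redacted output is what a log that must be kept should look like.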
The purpose of being PCI compliant is to take responsibility for keeping payment card data secure throughout every transaction your business processes. Without the necessary measures to protect this sensitive data you put your business and your customers at risk. A data breach can damage or destroy your company's reputation and financial standing, and could ultimately put you out of business.
The impact it could have on your customers is equally devastating if their sensitive personal information and credit card data were stolen. Precautions must be taken to help protect your customers from fraud and identity theft resulting from personal data falling into criminal hands. A victim’s losses may include not only out-of-pocket financial losses, but substantial additional financial and emotional costs associated with trying to restore one’s personal finances and correcting erroneous information for which the criminal is responsible.
There are myths surrounding PCI compliance, the emerging chip and PIN standards and the Cloud, and there are best practices retailers should consider to ensure they remain in compliance. Many companies struggle to understand the PCI compliance requirements and hold misconceptions about what they mean for their business, especially since the recent announcements from Visa and MasterCard.
Chip and PIN technology will affect retailers by October 2015, when liability for a counterfeit card transaction that occurs at a merchant who has not switched over to a contact chip terminal shifts from the card issuer to the merchant services provider, who can then pass those costs along to the merchant through additional fees.
“The chip and PIN standard represents a liability shift. Ultimately what that means is that if there is a fraudulent transaction, and a credit card has not been processed using the chip and PIN requirement, then the retailer becomes liable for any of that fraud, where today the liability, based on the current standards, is with the bank,” says Randy Davidson, Senior Retail Industry Analyst at Tectura, worldwide provider of business consulting services.
Davidson addresses the mistaken notion that chip and PIN will replace PCI compliance: “That’s somewhat of a misconception that many people have, that chip and PIN is adding an additional level of security at the moment in time a card transaction is processed. But it doesn’t change the PCI requirement, and although they’re coupled together in some capacity, PCI compliance deals with the storage of credit card data or how it’s handled from an infrastructure security perspective. The chip and PIN technology adds just that additional level of security at the time of processing.”
A misconception many retailers still hold is that PCI compliance relates only to the POS software itself. The requirements actually go beyond the software and the database structure: they also cover the network the payment systems sit on, and there are policies and processes that must be put in place and followed.
Misconceptions also exist among retailers about payment processing compliance in the Cloud. Retailers sometimes believe that if their payment application is hosted somewhere else, and card data is not stored on their own servers, the risk or the PCI requirement is reduced. This is a myth: PCI DSS scope follows the cardholder data, so any system that stores, processes or transmits it, or is connected to one that does, is in scope wherever it sits. Outsourcing to a hosting or service provider shares the work but does not transfer the merchant's responsibility; the merchant must still confirm that the provider is compliant for the services it performs.
Ultimately PCI compliance is required from the moment you accept or swipe a card at the point-of-sale terminal. If applications are hosted in the Cloud or stored off-site, those facilities and locations become part of your PCI compliance requirement, because they handle your cardholder data and are reachable from the merchant's network.