What is PCI? Why PCI DSS Compliance Matters for Your Business
Have you ever had a harrowing phone call from your bank, telling you your credit card information has been stolen? Or, maybe you’ve logged into your bank account, only to find a handful of charges that aren’t yours? Regardless, it’s never a fun process. Sadly, this situation is only getting worse. The volume of online transactions only continues to grow. The question is, what’s being done to ensure your sensitive credit card information remains secure?
Well, that’s why the Payment Card Industry Data Security Standard (PCI DSS) exists. This mandate requires any business processing transactions online to comply with its security requirements. Failure to comply with PCI DSS can lead to steep fines, loss of customer trust and a lot more.
So, if your business deals with sensitive customer financial information, you cannot afford to neglect PCI DSS compliance. Below we’ll break down the PCI definition, the risks of non-compliance, how your business phone system provider can enhance or detract from your overall compliance and the steps you can take to achieve full compliance.
What Is PCI DSS?
The Payment Card Industry Data Security Standard was originally created by MasterCard, Discover, Visa and American Express back in 2004. Since then, it has evolved into the standard that all businesses that accept credit card transactions must abide by. The goal of the standard is to reduce security breaches and credit card fraud related to payment processing. You might hear the term PCI compliance used interchangeably with PCI DSS; in the context of compliance, they essentially mean the same thing.
The standards are created by the PCI Security Standards Council (PCI SSC), and compliance is enforced by the credit card companies.
There are 12 different requirements that your business must achieve to be fully compliant. Beyond the 12 initial requirements, there are various components of each requirement, too. Basically, it takes a lot of work to become fully compliant.
Why Compliance Is Important for Your Business
PCI DSS isn’t a law, but this doesn’t mean there aren’t penalties for non-compliance.
Penalties and fines are generally administered by your merchant bank or the credit card processor you’re using. The fines can be steep, too. Depending on your violation, you could be looking at fines that range from $5,000 to $100,000 per month. These penalties can compound as well, leading to higher transaction fees, paying for credit card replacements and more. Your relationship with a particular merchant bank or processor could be terminated as well.
Not only that, but you're looking at a serious loss in customer trust. How many of your customers would come back after their sensitive credit card information has been compromised?
How Can My Business Become PCI Compliant?
Getting your business fully compliant isn’t something you do once. It’s an ongoing process to ensure your business is always in alignment with the latest standards.
Here’s a basic rundown of the steps required to become PCI compliant:
1. Determine Your Business’ Level of Compliance
There are different levels of compliance depending on your yearly revenue, the number of transactions you process and the card brands you accept. The compliance levels are ranked from one to four; the lower your level number, the more steps you’ll have to take to remain compliant.
2. Take the Self-Assessment Questionnaire
Next, take a look at the Self-Assessment Questionnaire. This document spells out the requirements your business must fulfill for compliance. For a detailed breakdown of how to fulfill each requirement, review the procedural document.
3. Determine What You Need to Submit
In order to validate your compliance, you'll need to satisfy different requirements. In some cases this means you'll need to engage an Approved Scanning Vendor (ASV) to perform a security scan. An ASV is a third-party organization that conducts a security scan to confirm you’re adhering to all the necessary standards.
4. Validate Your Compliance
Once you’ve completed the questionnaire and/or an ASV scan, you’ll need to validate that you’ve completed the necessary steps. Find the document that corresponds to your business’ compliance level here. You'll need to submit this, along with other documentation, to your merchant bank or credit card processors.
5. Submit Documentation to Your Bank and/or Credit Card Processors
Now it's time to submit your documentation to the appropriate parties for compliance validation. For most, this will include your merchant bank, along with any credit card processors you're using. The frequency of your compliance validation will depend upon your credit card processors and transaction volume.
Do Business Phone System Providers Need to Be Compliant?
Keep in mind that PCI DSS compliance extends to your business phone systems as well. Chances are, you’ll be taking payments via VoIP, over the phone or through other methods. These need to adhere to the same security standards, otherwise you'll run into a variety of potential problems.
If you’re using a UCaaS or CCaaS provider, you need to ensure their software meets the latest PCI DSS standards. Without this, you run the risk of non-compliance. Simply using a third-party provider doesn't shield you from non-compliance penalties.
When it comes to security, 8x8 provides reliable and compliant cloud solutions at a demanding level rarely seen by other cloud providers. Don't take your chances with a subpar cloud-based telecom system. Call 1-866-879-8647 or fill out our online form to request a no-obligation quote from an 8x8 Product Specialist.