Nobody Likes PCI Compliance
For many merchants, PCI compliance is their biggest payment processing headache. PCI DSS requirements are usually presented as a tangled web of technical requirements chock full of industry jargon and unrealistic demands. And, in some cases, that’s accurate. As a result, most merchants don’t invest the time or effort to really learn the PCI DSS’s complexities. They rely on their sales agents, their fellow merchants, and their own common sense to meet the bare minimum of PCI requirements.
The general mystery surrounding PCI has allowed several myths about PCI compliance to spread throughout the industry. In their rush to simplify the process, poorly trained sales agents and uninformed merchants alike have unknowingly passed along misinformation about PCI compliance, and in doing so have made a complicated regulatory framework even harder to understand. To help you sort through what is fact and what is fiction, we’ve gathered the following list of common myths about PCI compliance.
MYTH: PCI compliance is a government regulation.
The Payment Card Industry Data Security Standard (PCI DSS) is not a law. Its first version was published in December 2004 by Visa, MasterCard, Discover, American Express, and JCB, and since 2006 it has been maintained by the PCI Security Standards Council that those brands founded. It is enforced through contracts: the card networks, acquiring banks, and merchant services providers impose it on you, not law enforcement or a regulator. Failing to maintain compliance is therefore a contractual problem (fines, higher fees, or loss of your merchant account) rather than a criminal one. The one caveat is that a few U.S. states (Nevada, for example) have written PCI DSS or parts of it into their data security statutes, and consumer-protection regulators can still act on careless handling of card data regardless of what the card brands do.
The credit card processing industry does not heavily publicize the origin of PCI compliance for a few reasons. For one thing, if merchants suspect that PCI compliance is mandated by law, then they are more likely to comply. For another, if merchants think that these regulations are imposed on their credit card processors, then they are more likely to accept the fees that are charged in relation to them. But make no mistake: PCI compliance fees and PCI non-compliance fees exist solely because the credit card processing industry has created its own set of costly data security regulations for acquirers, payment processors, and merchants.
You are still well advised to maintain PCI compliance, because the cost of a data breach dwarfs the cost of compliance. But the requirements themselves are the same for everyone; what varies is how you validate and pay for compliance. Different merchant account providers require different PCI fees and paperwork from merchants, and your costs for PCI compliance can be as negotiable as your per-transaction processing fees.
MYTH: If you are PCI compliant, you can’t be fined or sued over a data breach.
Even if you are PCI-compliant at the time your payment processing system is breached, you can be fined hundreds of thousands of dollars or sued by your credit card processor, your acquiring bank, or your customers for damages stemming from a hack. PCI compliance cannot protect you from these costs. The only way you can protect yourself from fines or legal action following a breach is to insist on a clause in your merchant account contract that indemnifies you under certain circumstances. Most payment processors are comfortable with freeing you from liability if their systems are determined to be the source of the breach. They will also likely be comfortable with allowing a third-party forensics expert to investigate the source of the breach. However, it is unlikely that your provider will contractually indemnify you from legal fees or bank-imposed fines following a breach to your own systems, regardless of whether you are PCI compliant.
This doesn’t mean that PCI compliance is worthless. To the contrary, you will have a stronger legal defense and more leverage in an investigation if you can prove that you fully adhered to PCI DSS guidelines at the time of the breach. You just shouldn’t assume that compliance offers you any significant legal protection unless that protection is specifically outlined in your contract.
MYTH: PCI compliance fees can’t be changed because they are passed down from the banks.
Some merchant account providers like to insist that PCI compliance is a cost passed down to them by the banks, and that there’s nothing they can do to lower your PCI compliance or non-compliance fees. This is untrue.
There is no fixed cost of PCI compliance charged to your payment processor by the banks. Your payment processor does incur costs associated with maintaining its own PCI-compliant systems and ensuring that your business remains PCI compliant, but these costs are variable and internally managed. Your processor charges you PCI compliance fees in order to recover its costs of maintaining PCI compliance, but there's no way for you to know whether those fees bear any relation to the processor's actual costs. PCI non-compliance fees in particular are simply punitive fees intended to motivate merchants to complete the PCI compliance process. Your processor may also require that you pay a third-party Approved Scanning Vendor (ASV) to run quarterly external vulnerability scans of your internet-facing systems (the scan only applies if you have such systems in scope, and it is a scan, not an on-site audit), but that is simply another way to shift the cost of reporting PCI compliance to you.
Some PCI compliance fees are justified, as the entire PCI DSS framework is a rigorous and ever-changing standard imposed on all credit card processing companies. But most PCI compliance fees are negotiable, and a good provider will be willing to work with you to find a way for you to remain PCI compliant without paying exorbitant quarterly or annual fees.
MYTH: Outsourcing your credit card processing makes you PCI compliant.
If you accept online payments through a third-party payment processor like Amazon or you use a non-traditional credit card processing app like Square, you may think that you are automatically PCI compliant. And it is true that some services do not require their merchants to pay PCI compliance fees or complete Self-Assessment Questionnaires. A merchant account aggregator like Square, for instance, is technically the merchant of record for each transaction and therefore must assume the burden of maintaining PCI compliance for all of its sub-accounts (a.k.a. its merchants).
However, while your payment processor may supply PCI-validated software or hardware, your own environment can still fall out of compliance. If you write card numbers down or keep them in spreadsheets or e-mail, use shared computer accounts for all employees, operate without a firewall or antivirus software, or misconfigure your business's website (for example by letting your own page collect card data instead of the processor's hosted form, which pulls your web server into scope), you are violating PCI DSS requirements, not merely best practices. In other words, third-party processors like Square only free you from the burden of paying for and reporting your PCI compliance; they do not make you compliant automatically.
MYTH: You don’t need to be PCI compliant if you only accept a low number of credit cards.
There is no minimum threshold of credit card transactions that triggers the requirement to be PCI compliant. Even if you are a seasonal or very small business, you are expected to maintain PCI compliance at your business.
You may hear about “levels” of PCI compliance. Each card brand defines its own merchant levels; the four Visa levels, which most U.S. acquirers use as their reference, depend on the number of Visa transactions a merchant processes per year:
PCI Compliance Levels 1-4
- Level 1: Merchants processing over 6 million Visa transactions annually across all channels or Global merchants identified as Level 1 by any Visa region
- Level 2: Merchants processing 1 to 6 million Visa transactions annually across all channels.
- Level 3: Merchants processing 20,000 to 1 million Visa e-commerce transactions annually.
- Level 4: Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually.
For levels 2 through 4, the annual validation requirements are essentially the same: complete the Self-Assessment Questionnaire (SAQ) that matches how you accept cards once per year, submit an Attestation of Compliance (AOC) once per year, and have an Approved Scanning Vendor (ASV) run an external vulnerability scan each quarter if your SAQ type calls for one (that is, if you have internet-facing systems in scope). Level 4 is the one exception: the card brands leave its validation requirements to the acquirer, which is why one processor may demand an SAQ and quarterly scans from a small merchant while another does not. Level 1 merchants must instead file an annual Report on Compliance (ROC) prepared by a Qualified Security Assessor (QSA) or by an employee certified as a PCI Internal Security Assessor (ISA), submit an annual AOC, and have quarterly ASV scans if applicable.
MYTH: Completing a PCI Self-Assessment Questionnaire (SAQ) ensures that you are PCI compliant for a full year.
Completing an SAQ may satisfy your PCI paperwork obligations for a full year, but it doesn't keep your business compliant for that year. If your environment drifts out of compliance after you submit your SAQ (a new terminal plugged into the office Wi-Fi, a cashier writing card numbers on order forms, a web server that stops receiving patches), you are just as exposed to breaches and fines as a business that never submitted an SAQ at all. If it helps, think of PCI compliance as a year-round effort to process payments securely, and of the SAQ as an annual checkup that records whether that effort was sufficient on the day you signed it.
MYTH: PCI compliance involves hundreds of complicated requirements.
In its current form, PCI compliance only has 12 basic requirements. Assessing these requirements and proving that your business adheres to them can be extremely complicated at times, but the actual demands placed on merchants are 12 common sense measures:
12 Requirements for PCI Compliance
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly update anti-virus software on all systems commonly affected by malware.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security.
There are a large number of sub-requirements and testing procedures under these twelve headings, and working through the full scope of their demands can be irritating. The wording above follows the earlier versions of the standard; version 4.0 of PCI DSS, published in 2022, reworded the headings (Requirement 1, for example, now speaks of network security controls rather than firewalls) but kept the same twelve and the same substance. If you keep in mind that every PCI audit or SAQ is designed to bring you into compliance with these 12 core principles, you are less likely to feel overwhelmed by the process of maintaining compliance.
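The most common way a small merchant fails both the "improperly stored card data" point made in the outsourcing myth above and Requirement 3 ("Protect stored cardholder data") is that full card numbers quietly end up in order logs, spreadsheets, or mailboxes. Here is an added example, not code from the original article or from any processor, of the check an assessor or your own IT staff would run to find them: it looks for digit strings shaped like primary account numbers, keeps only those that pass the Luhn mod-10 check that every real card number satisfies, and reports them masked so the report itself does not become another place full PANs are stored. The regular expression, the 13-to-19-digit bound, the function names, and the sample log lines are this example's own constructed choices.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not glued to other digits on either side. The pattern and the
# 13..19 bound are this example's own choices, not taken from the article.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Constructed sample log lines (not real data): a well-known Visa test number
# written with spaces, a phone number, a number that fails the Luhn check,
# and a 15-digit Amex-style test number.
SAMPLE_LOG = [
    "2024-03-01 09:12:44 order=1001 card=4111 1111 1111 1111 amount=42.00",
    "2024-03-01 09:13:02 order=1002 phone=555-123-4567 amount=10.00",
    "2024-03-01 09:14:10 order=1003 card=4111-1111-1111-1112 amount=13.50",
    "2024-03-01 09:15:30 order=1004 card=378282246310005 amount=99.00",
]


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check that every real card number satisfies.

    Walking from the rightmost digit, every second digit is doubled and
    9 is subtracted from any result above 9; the sum must be divisible by 10.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Show only the first six and last four digits.

    That is the most PCI DSS permits to be displayed, so the scanner's own
    output never reintroduces a full PAN.
    """
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return masked PANs for every Luhn-valid candidate in one string."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(mask_pan(digits))
    return hits


def scan_lines(lines: list[str]) -> list[tuple[int, str]]:
    """Return (line_number, masked_pan) pairs with 1-based line numbers."""
    findings = []
    for n, line in enumerate(lines, 1):
        for masked in find_pans(line):
            findings.append((n, masked))
    return findings


if __name__ == "__main__":
    for n, masked in scan_lines(SAMPLE_LOG):
        print(f"line {n}: possible stored PAN {masked}")
```

Point it at exported logs, spreadsheet dumps, mailbox archives, and database exports rather than at the constructed list. The Luhn filter removes most phone numbers, order IDs, and timestamps, but other identifiers that happen to pass mod-10 will still appear, so treat hits as leads to confirm by hand; and because the regex refuses digit runs longer than 19, a PAN buried inside a longer string of digits will be missed, which is a deliberate trade of recall for fewer false positives.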
PCI Compliance Seems Confusing For A Reason
To a certain extent, credit card processors don’t want you to know how PCI compliance works. After all, if they are the only ones who understand the complexities of data security, then you are more likely to pay them or their partners to handle it for you. Even more insidiously, if you don’t know what your responsibilities are, then they can pin the blame on you in the event of a data breach. That’s why it’s important to know the facts about PCI compliance. If you can stay informed and conduct your own research about PCI compliance, then you can regain the upper hand when negotiating with your processor.