January 15, 2019

As a merchant, your business is your life and livelihood. You would protect it just as you would your child, and in some cases maybe even more so. With all of the data breaches that have been in the news, protecting your business is becoming even more important. Nothing is unhackable, but the best way to lessen the chance of being hacked is to achieve and maintain PCI compliance. There are some myths that persist around PCI compliance that prevent some merchants from achieving it, and today we are here to bust some of them.
If you missed the first part or just want to read it again, click here.
Some merchants believe that they should be able to store every bit of their customers’ information. If this is you, stop. Certain pieces of information about a credit card transaction should not be stored. If you store an unencrypted card number, the CVV, PIN blocks, a card’s PIN or data from the magnetic stripe, you are not only outside of PCI compliance but could be violating state or federal law. PCI regulations forbid storing any of that information, and if it turns up in your log files during an audit there could be serious consequences. In general, storing cardholder information beyond what is printed on the front of the card is discouraged.
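As an added example (not from the original post), here is a small Python scan for the kind of prohibited data the paragraph describes turning up in log files: unencrypted card numbers, CVVs and magnetic-stripe track data. The log lines, field names and log format are constructed for the example, and the card numbers are published industry test numbers.

```python
import re

# Constructed sample log lines (not from the original post). The card-like numbers
# are published test numbers, not real accounts; the order id is one that fails Luhn.
SAMPLE_LOG = """\
2019-01-15 10:02:11 INFO checkout ok order=5500000000000005 last4=1111 amount=42.10
2019-01-15 10:02:19 DEBUG gateway request pan=4111111111111111 cvv=123 exp=0921
2019-01-15 10:02:20 DEBUG raw swipe track2=;4111111111111111=0921101123400001?
2019-01-15 10:03:02 INFO refund posted order=5500000000000005 status=ok
"""

CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4,}[^?]*\?")   # ;PAN=YYMM...discretionary?
DIGIT_RUN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")     # PAN-length digit runs


def luhn_ok(digits: str) -> bool:
    """Luhn check: every real PAN passes it, most order ids and timestamps do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_log(text: str) -> list:
    """Return one finding per prohibited item found: track data, CVV or clear-text PAN."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in TRACK2_RE.finditer(line):
            findings.append({"line": lineno, "type": "TRACK2", "value": mask_pan(m.group(1))})
        rest = TRACK2_RE.sub(" ", line)   # don't report the track's PAN twice
        for _ in CVV_RE.finditer(rest):
            findings.append({"line": lineno, "type": "CVV", "value": "***"})
        for m in DIGIT_RUN_RE.finditer(rest):
            if luhn_ok(m.group(0)):       # Luhn filters out numeric noise of PAN length
                findings.append({"line": lineno, "type": "PAN", "value": mask_pan(m.group(0))})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['type']} {f['value']}")
```

Matches are reported masked so the scanner's own output does not become another place the data is stored.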
Some merchants outsource their payment processing, which leads to the myth that doing so makes the merchant compliant. While outsourcing the processing does make things much simpler, the merchant still receives customer information that must be protected. Any POS terminals on the premises must meet PCI compliance. If you do choose to use an outsourced processor, ask them for a certificate of compliance; they need to be PCI compliant as well.
A major myth about PCI compliance is that you have to be a computer expert and that achieving compliance is a massive IT project. That strikes fear into the hearts of many merchants. Some aspects of PCI compliance can involve an IT staff, but achieving and maintaining compliance is a continuous effort rather than a project with a set end date. Meeting compliance involves much more than just the IT staff; it can involve everyone in the company.
Once a business has reached PCI compliance, that business is secure, right? Wrong. Achieving PCI compliance only states that at that one moment in time your business was compliant. Maintaining compliance is an ongoing process that requires constant attention. Achieving PCI compliance is not the end of the process; it is just the beginning.
Many merchants just starting out do not want to pursue PCI compliance because they assume it costs too much. In reality it doesn’t. Much of what is involved is simply properly updating and maintaining your computer and network security, and if that is kept up PCI compliance is much easier to achieve.
But I have to hire a full-time pro to ensure PCI compliance, don’t I? No, you don’t. Many large companies do hire such a person, but you and thousands of other business owners and merchants do not have that luxury. To meet PCI compliance, small and mid-sized businesses can complete a Self-Assessment Questionnaire (SAQ) to assess themselves.
Perhaps the biggest myth is that PCI compliance is simply too hard. It can seem intimidating for a merchant who is just starting out, or for a small business owner who also functions as CIO, CTO, CEO and however many other three-letter titles there are. PCI compliance is for the most part just implementing best practices, steps that any business owner would hopefully take regarding security anyway. PCI compliance does not need to be hard, and working with someone like JLE Business Consultants can make it easier. If you are in business and take credit cards as a form of payment, you really can’t afford not to be PCI compliant.