Payment card industry (PCI) compliance is a set of standards that businesses must adhere to if they wish to accept credit or debit cards.
There are 12 requirements a business must follow to be considered compliant.
PCI compliance adds important safeguards and can help a business avoid expensive penalties and a loss of business resulting from a breach.
What is PCI compliance?
PCI compliance – or, more officially, Payment Card Industry Data Security Standard (PCI DSS) compliance – is adherence to a set of standards established by the Payment Card Industry Data Security Standards Council, a coalition that the major credit card companies (Visa, Mastercard, American Express and Discover) and the Japan Credit Bureau formed in 2006. Merchants must comply with these standards no matter how many credit card transactions they conduct. Those found not in compliance may be subject to hefty fines.
What data falls under PCI compliance?
The data that falls under PCI compliance encompasses what’s called “cardholder data,” which may include the following information:
Account numbers, also known as primary account numbers (PANs), which need to be encrypted
Sensitive authentication data used to authenticate cardholders
Track data stored on the magnetic stripe or chip
Debit card PINs
CVVs for credit and debit cards
How does taking credit cards by phone work with PCI?
For taking credit cards by phone, the following protocol should be observed:
Make sure you are using a secure network to accept PANs and other sensitive information.
Ensure your phone system is PCI compliant.
Use landlines whenever possible, as smartphones can present more security risks.
If your business records phone calls, ensure that credit card information is redacted in the recording.
Never write down the card information being relayed over the phone.
Ensure all employees are trained on your PCI compliance procedures.
What are the penalties for noncompliance with PCI?
Credit card companies can levy fees of several thousand dollars per month or more, without regard for the size of your business. These fees can be devastating for small businesses, thus making compliance essential.
You may experience nonfinancial penalties as well. For example, card issuers may choose to stop working with your business, leaving you with fewer payment options to provide customers. Or you may face a public relations nightmare as more people learn about a security breach and are nervous to give your company their sensitive information. You may also be subject to federal auditing or legal action.
Is there a PCI certification?
Your business can obtain PCI certification after a comprehensive PCI DSS audit. A qualified security assessor performs this audit, and the process can take months. While PCI certification is not required for your business to be PCI compliant, you may choose to undergo PCI certification to build trust with your customers.
The moment your customer hands over a credit or debit card, you become responsible for keeping the data associated with that card secure. While the above steps are primarily meant to prepare you for a PCI audit, they will also provide a safety net between assessments.
Additional reporting by Stella Morrison. Some source interviews were conducted for a previous version of this article.