Small businesses are the heart and soul of the U.S. economy. From local mom-and-pop shops to innovative web start-ups, we rely on these merchants daily for goods and services. In the payments world, small businesses are referred to as Level 4 merchants: those processing fewer than 20,000 e-commerce transactions annually and up to 1 million transactions annually. There are more than 6 million Level 4 merchants in the U.S.
PCI compliance is a vital component of a merchant's overall, ongoing security program. However, Level 4 merchants have not always been well educated about compliance, or encouraged by their acquiring bank to achieve it.
If your business transmits cardholder data, you must be PCI compliant. The Payment Card Industry Data Security Standard (PCI DSS) is a security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This definition may sound intimidating, but the overall goal is to help organizations proactively protect customer account data.
All merchants must be PCI DSS compliant
Regardless of how small your business is, you must be compliant. PCI DSS compliance is required of all entities that store, process, or transmit cardholder data, including financial institutions, merchants and service providers. Cardholder data is any personally identifiable information associated with a cardholder, such as an account number, expiration date, name, address, or Social Security number.
Although PCI DSS is not a law, failure to meet compliance standards can result in fines from credit card companies and banks, brand and reputation damage, and even the loss of the ability to process credit cards.
What are the risks of accepting cardholder data?
Small businesses and home-based businesses are vulnerable to hackers simply because they are usually not well protected. Home-based businesses account for 53 percent of all small businesses. Intruders see these businesses as easy targets and exploit their always-on broadband connections and programs such as online games and file-sharing applications. Other typical ways merchant environments are breached include SQL injection attacks, malicious code attacks, insecure remote access, and insecure wireless networks.
Sensitive cardholder data can be stolen from many places:
- Compromised card reader
- Paper documents stored onsite
- Data in a payment system database
- Hidden camera recording entry of PIN or other authenticating data
What are the costs?
Oftentimes it takes hard numbers, and the fear of loss, to push merchants to take the compliance leap. Merchants can expect to pay approximately $50,000 for PCI compliance violations. In addition, the bank will most likely terminate your relationship or charge higher transaction fees. These penalties can be hard to overcome.
In addition, if cardholder data becomes exposed, be aware that more than 38 states have laws requiring data breach notifications to the affected parties, resulting in incalculable losses to brand, reputation and customer base. Refer to www.privacyrights.org for details on state laws.
Summary
PCI compliance is a must. Take advantage of the resources and reputable partners that can make the process more efficient. By creating a safe environment for processing your customers' transactions, you will keep them coming back and ensure your business thrives.
To learn more, read TrustCommerce’s whitepaper on PCI Compliance for Small Merchants.