PCI Compliance is an often-misunderstood aspect of payment processing, especially for business owners who are new to accepting credit cards.
Many payment processors don’t want to talk about PCI because it is not mandated by law, but the consequences of being non-compliant can be serious and potentially very damaging to your business. Understanding how PCI Compliance works, and recognizing when someone is giving you false information about it, can help you protect your business from costly data breaches and fines. Here are some of the common PCI compliance myths that you should be aware of.
Myth: My business is still quite small, so I don’t need PCI.
Fact: If you accept credit cards, then you need to be PCI compliant.
Myth: I don’t have an online store, so PCI doesn’t apply to me.
Fact: A common PCI myth is that it only applies to online transactions. However, if you are accepting credit cards in any manner or storing or transmitting cardholder information, then you need to be PCI compliant.
Myth: I’m mostly compliant, so that’s good enough.
Fact: PCI compliance is all or nothing; it is a myth that being mostly compliant is good enough. If you do not meet 100% of the criteria, you are not PCI compliant and will not be considered compliant.
Myth: I can just answer “Yes” on the questionnaire, so I pass.
Fact: Answering “Yes” to a question when you should have said “No” exposes your business to even greater risk if a breach were to occur because you have misrepresented your business’s security.
Myth: PCI is too hard.
Fact: PCI can seem daunting at first, especially for a new business owner. However, because PCI is based on security best practices, these are steps you should be taking anyway to protect sensitive data and your business. If you have questions about the PCI questionnaire, you can contact your payment processor for assistance.
Myth: I outsource my credit card processing, so I don’t have to worry about PCI.
Fact: Even if you’re using a third party for your credit card processing, you still need to be PCI compliant to protect your business. Credit card processors must adhere to a multitude of PCI compliance measures as well.
Myth: PCI doesn’t stand for anything specific.
Fact: PCI stands for Payment Card Industry. PCI-DSS stands for Payment Card Industry Data Security Standard.
Myth: PCI is just a cash grab.
Fact: The purpose of PCI is to reduce a merchant’s exposure to potentially fraudulent activity and to protect them in the event of a data breach. The 2017 Verizon Data Breach Incident Report found that there were nearly 42,068 data breaches in 2017. Breaches are not often publicized, but they can have devastating financial consequences for your business, especially for small businesses. Most businesses aren’t aware of these consequences, so PCI was implemented to protect all businesses that accept credit cards.
Myth: I did my PCI compliance when I first started my business, so I’m good.
Fact: A PCI certificate expires 12 months from the date you complete the questionnaire and needs to be renewed each year.
Myth: If I’m not compliant then my transaction fees are going to increase.
Fact: While some processors may charge you a PCI Non-Compliance Fee, your transaction fees should not change if you are non-compliant, unless your processor chooses to bury its PCI fees in your rates without informing you. Unfortunately, some processors employ this method instead of simply educating their merchants about PCI.
Myth: PCI Non-Compliance Fees are just a small flat rate.
Fact: PCI Non-Compliance Fees vary depending on who your payment processor is, and the processor may issue the fee as a flat fee or as a percentage of your processing volume. How a processor applies the fee can result in a large variance in what it charges, and if your processor isn’t transparent about how and what it is charging you, the fee may be difficult to recognize.
While understanding PCI won’t make it any more enjoyable to adhere to, it can help you protect your business from expensive data breaches and related fines by ensuring you’re meeting the required security standards, and it can help you avoid unnecessary monthly PCI Non-Compliance fees.