What is PCI? Do I need it?

PCI stands for Payment Card Industry. The term is normally used in the context of PCI compliance, which means that a merchant or payment processor conforms to the security standards set by the Payment Card Industry Security Standards Council (PCI SSC).

These security standards were created to help prevent credit card fraud and hacking, and to help protect against other security threats that a merchant or payment processor might face.

Does PCI apply to my business?

If your business accepts credit cards, then yes, you must comply with the PCI standards. Any time anyone stores, processes or transmits credit card data, the standards apply.

What if I don’t comply with PCI standards?

According to the PCI Compliance Guide:

“The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on downstream till it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business.”

What’s involved in PCI compliance?

There are four different levels of PCI compliance:

  • Level 1 PCI compliance is the most intense and expensive level to maintain. Level 1 PCI compliant companies are very large companies that process more than 6 million major credit card transactions per year. Payment gateways (e.g., Intellivative, PayPal, Verisign, Cybersource, etc.) and other payment solution providers are typically subject to this level of scrutiny.
    • Level 1 PCI certification requires an annual on-site security audit and quarterly system perimeter scans.
    • If you are a large merchant that outsources its payment processing to a Level 1 PCI compliant company (like Intellivative), the effort required to validate compliance may be significantly reduced.
    • ApprovedPayments is a sales outlet for Intellivative Payment Solutions. Intellivative consistently maintains Level 1 compliance and offers cardholder data management features to minimize clients’ exposure to risk and greatly reduce the expense associated with validating compliance.
  • Level 2 PCI compliance applies to merchants that process 150,000 to 6,000,000 major credit card transactions per year. Level 2 compliance typically requires quarterly system perimeter scans and an annual compliance questionnaire (unless you employ a payment processor that is Level 1 compliant).
  • Level 3 PCI compliance is for merchants that process 20,000 to 1 million eCommerce transactions per year.
  • Level 4 is for merchants that process fewer than 20,000 eCommerce transactions each year, or that process up to 1 million transactions per year.

Regardless of size, any company that has had a security incident may be subject to a higher level of compliance.

If I outsource my payment processing, I’m covered, right?

Not entirely. Outsourcing simplifies the process, but it doesn’t mean you’re automatically PCI compliant. You will still need sound policies and procedures for cardholder transactions and for data processing and storage. Your business policies should cover how to protect cardholder data and how to process chargebacks and refunds. Also, make sure ALL the vendors that have access to sensitive cardholder data are PCI compliant, including your gateway, your shopping cart, your credit card terminal, etc.

Where can I learn more about PCI?

Is ApprovedPayments PCI Compliant?

ApprovedPayments is a sales outlet for Intellivative Payment Solutions, which are fully PCI Level 1 compliant.


Apply today for a no-obligation quote for our PCI Level 1 compliant solutions.
