PCI Standards

What is the PCI standard, and how does your business comply with it? Yes, if you are in business, there are certain PCI standards that you need to observe. Otherwise, you might end up paying for losses (that you don’t really deserve). You might end up being penalized with hefty fines (even if you didn’t commit any crime). Or, you might end up suffering from both business losses and fines. Seems unfair? Well, that’s why you need to stay updated.

If you are a business that accepts credit card payments, PCI standards are among the most important facets that you should look into. Now, you might be wondering: What the heck is PCI? And why do you need to set your business up to conform to its standards?

PCI stands for Payment Card Industry, one of the primary groups that sets the standards for payments through credit cards, debit cards, e-purses, POS transactions, and even the ATM industry. Heading the PCI is the PCI Security Standards Council (PCI SSC), which is composed of the world’s leading credit card companies, namely: Mastercard, American Express, Visa, JCB, and Discover.

So, why do you think all these big names of the finance industry decided to come together to set these PCI standards? Well, let me tell you now: It’s because of something serious. Really. Serious. It’s about fighting fraud.

Lately, losses connected to payment fraud have become so gigantic and shocking that banking and financial institutions have started to worry. Fact: Over $26 billion in losses were recorded in the US, all because of fraud. And with all the new innovations coming out today, from e-commerce, online shopping, social media and many others, fraudsters now have even more means and methods to commit fraud. Yes, they can infect your email with viruses. They’ll spike your downloads with malware. Even your lost smartphone, tablet or PC can be used to commit fraud against you and all businesses out there. How?
By stealing credit card information, banking details and all other important information, hackers can actually steal money from you. Yes. They can either make counterfeit credit cards (using the credit card info they got from you) and make purchases anywhere they want, or they can make purchases online, using the same credit card information they got from hacking your email or downloads.

What does that mean? Businesses need to make sure that their payment transactions are safe and secure. If you accept payments from a stolen credit card (of your customer or client), you are actually telling the world that you don’t have secure payments. You are telling your customers that you can’t protect them from these unscrupulous hackers who simply want easy money. You are telling the public that it’s unsafe to transact with you. And what happens after that? You lose your customers. The public loses trust in your brand. You eventually close shop. Yes, these scenarios, as bleak and as dark as they may seem, can happen if you don’t exercise the required prudence. In fact, these same scenarios are what the PCI is trying to eliminate.

So… Because of the increasing risks of credit card fraud and data breaches, all businesses that accept credit card payments and transmit credit card information are now required to comply with PCI standards.

Do you accept and transmit payments electronically? Do you accept payments via credit or debit cards? Good for you! That means you are able to cater to more customers (after all, doesn’t everyone use credit cards nowadays?). But please do note: You also need to be careful. With the new PCI compliance standards, businesses that accept payments from stolen or counterfeit credit cards can be made to pay for the losses incurred by the actual owner of the card if they don’t have the required EMV readers. So, what are EMV readers?
Well, EMV readers are actually devices that can read EMV (Europay, Mastercard, and Visa) cards, which are smart payment cards that help reduce the risks associated with fraud. EMV cards have the ability to store data on their integrated chips (ICs). Accordingly, this is what makes them an excellent tool for combating credit card fraud and other related crimes.

Here’s what you should remember: EMV cards are now a requirement. Consequently, your business is also now required to have EMV readers to read these “smart cards.” If you don’t, then you may have a problem on your hands. Before October 1, 2015, losses that were incurred by a credit card owner because of fraud were usually absorbed by the bank that issued the card. In short: Businesses were safe. However, on and after that date, businesses are the ones who absorb the losses if and when they accept payments from a stolen or counterfeit credit card (because of the lack of an EMV reader).

Now, here’s a scenario: Someone bought a flat screen TV worth $1,000 from your store using a counterfeit credit card. Since you didn’t have an EMV reader, you thought it was a legitimate sale and you accepted payment. After some time, the real owner of the credit card complains, and it is proven that the card was indeed stolen. So what happens? Because you didn’t have the required EMV reader and you accepted the payment, you’re the one liable for the owner’s loss (you pay $1,000). In addition, you will also have to shoulder the expense of “donating” the TV to someone who didn’t deserve it in the first place (let’s presume that the acquisition price was $800). In short: You lose $1,800 on a “fraudulent transaction” that was originally worth $1,000.

Yes, not getting an EMV reader for your business can cost you money. A lot of money. Ironically, these EMV readers don’t really cost much, if you think about it. So, what does it take to meet these PCI standards?
You’d be happy to know that you don’t have to lose an arm and a leg to comply with these standards. In fact, they can be quite simple, provided you get the right help. Here’s a PCI compliance checklist, to make things clearer for you:
- Know the specific compliance standard that applies to your business (there are actually 4 compliance standards, based on the size and scope of your business).
- Fill out an SAQ (Self-Assessment Questionnaire), and provide the necessary information based on the compliance level you belong to. If you’re confused, look for online forms to help you determine which particular SAQ you should be filling out. But again: Be sure that you’re filling in information based on the actual compliance standard you belong to.
- If you’re using scanners for your payment transactions, then you might need to conduct a vulnerability scan. This scan will be conducted by a PCI SSC Approved Scanning Vendor (ASV), who will test how accurate, safe and efficient your payment transactions really are. Take note though: Not all businesses are required to undergo this vulnerability scan, so it might be a good idea to confirm whether you need it or not.
- Execute an Attestation of Compliance (AOC) form. This form is usually included in the SAQ.
- Submit all the important documents and requirements, including the SAQ, the Attestation of Compliance form, evidence of a passing result on the vulnerability scan, and other related proofs.