7 Common Client Questions About PCI DSS Compliance
1. “PCI DSS? Who needs it? We’re a small business and certainly off the radar of the major credit card corporations.”
Have you heard this, or something similar, from your retail clients? Do you get the feeling they think PCI compliance is just something you use to milk them for more money for your IT services? Sometimes it can be difficult to convince your small business clients they need to worry about compliance issues like PCI, but you know from experience that these things matter—even for the smallest businesses. Here is how you should reply to these common client pushbacks to help them understand what they’re up against.
2. We're small. Do we actually need to follow all those regulations?
Actually, yes. PCI DSS applies to any organization that stores, processes or transmits payment card data (credit or debit cards), regardless of size. The card brands split merchants into four levels, but the levels determine how compliance is validated (a self-assessment questionnaire versus an onsite assessment), not whether the standard applies. No organization is exempt. Using Visa's definitions, the four levels are:
- Level 1: Processes more than six million transactions per year, or has suffered a compromise of cardholder data.
- Level 2: Processes between one million and six million transactions per year.
- Level 3: Processes between 20,000 and one million e-commerce transactions per year.
- Level 4: All other merchants.
3. Doesn't PCI usually penalize banks?
It's true that the card brands levy penalties on the acquiring bank or payment processor when noncompliance is discovered, but who do you think ultimately pays that fine or absorbs that penalty? In most cases the bank passes it down to the merchant whose noncompliance caused it in the first place. Banks have little tolerance for customers that put them on the wrong side of the card brands.
4. Well what are the penalties? They can't be that big of a deal.
The penalty for noncompliance with PCI DSS usually isn’t that big of a deal the first time. Usually it’s just a warning to get your act together. It’s the second or third penalty you have to worry about. Fines for PCI DSS noncompliance can range from $5,000 to $100,000 per month per violation, but fines are relatively rare and reserved for more severe cases. More frequently, your bank will stop processing payment cards for you, either temporarily or permanently, depending on how bad your violation was. Can your business afford to stop accepting credit cards?
5. How could I get caught? Don’t I just have to fill out a questionnaire?
Yes, there's a questionnaire: the Self-Assessment Questionnaire (SAQ), which you complete and sign along with an attestation of compliance each year. Most small businesses process few enough payment card transactions to avoid an onsite assessment by a Qualified Security Assessor (QSA). But you're still responsible for having quarterly external vulnerability scans of your internet-facing systems performed by an Approved Scanning Vendor (ASV), and your acquirer can ask to see those scan reports. A missed scan or a failing scan with no remediation is a finding in itself.
6. I’m going to “fake” compliance long enough for the scans and then go back to my regular habits. What’s wrong with that?
Besides the fact that it's never a good idea to try to pull one over on the payment card brands, think for a minute about the spirit behind PCI DSS. It isn't there just to give you a compliance headache. The Payment Card Industry Data Security Standard exists to keep cardholder data from falling into the wrong hands, and a quarterly scan only samples what your environment looks like on scan day; an attacker doesn't wait for the scan. Your SAQ is also a signed attestation to your acquirer, and after a breach the forensic investigation compares what you attested to with what was actually in place. How would your customers feel if they knew you were playing fast and loose with their card numbers? They would probably be appalled. PCI DSS compliance is mandatory, and it's also a good idea.
7. I’m convinced! Can you help me comply?
Once you hear this from your clients, it's time to do your thing. In my last article, I wrote about helping your retail clients comply with PCI DSS for the segments of the law that deal with password security and advanced authentication (aka multi-factor authentication). I recommend that article as a starting point.