PCI Non-Compliance Issues and Penalties.
Though the Payment Card Industry Data Security Standard (PCI DSS)
applies to every merchant who accepts payment cards, many merchants lack a
comprehensive understanding of what PCI is or how it is enforced.
Unfortunately, this puts these folks at a serious disadvantage when it comes
time to make decisions around PCI compliance, a particular problem for new
or aspiring business owners.
So how can you explain PCI compliance and penalties to a beginner?
Below are four key points to convey.
1) PCI is a set of industry rules, not a law.
One common misconception is that PCI originates with the government,
like other security requirements such as HIPAA. But it is important to
note that PCI is a creation of the payment card brands.
2) Non-compliant merchants are penalized by their acquiring banks.
If a merchant experiences a security breach and is found to be non-compliant
with PCI rules, it may be subject to fines, and those fines can be steep.
Depending on the circumstances, merchants might have to pay anywhere from
$5,000 to $100,000 every month until they address all compliance issues.
If they do not resolve the problem satisfactorily, they could even have their
ability to accept cards revoked.
3) Acquiring banks determine how a merchant must demonstrate compliance.
Since acquiring banks are responsible for enforcing PCI compliance, they decide
how they wish to verify a merchant's compliance
(and how they penalize non-compliance).
4) PCI compliance rules can be a useful resource.
It is not unusual for business owners to feel frustrated by rules and
requirements like PCI. Few get excited by additional obligations that
call for spending more time and money. But the most productive way for
merchants to think about PCI is as a set of continuously evolving security
best practices.