Guest post by Ray Moorman, Director of Product Management, Vantiv Integrated Payments (formerly Mercury Payment Systems)
PCI remains a blind spot for many merchants
When the first version of the PCI DSS was released in 2004, the intent was to improve cardholder data security and prevent fraud. The standard continues to evolve to address new threats. Last year's introduction of PCI DSS v3.0, which was quickly followed by v3.1, emphasized education and awareness, increased flexibility, and security as a shared responsibility.
Despite industry efforts, PCI remains a blind spot for many merchants. A recent survey from the Merchant Acquirers' Committee (MAC) revealed that small to medium-sized businesses (Level 4 merchants) have the lowest overall PCI compliance rate, at 39 percent. That is to their detriment, because SMBs are just as likely to be hacked as their larger counterparts.
In this post, I'll explore why you need to get involved in PCI compliance for your business, and how your acquirer (the organization with which you hold your merchant account) can help.
Why you need to get involved
At the most basic level, PCI compliance is good for business. It offers security benefits that help build customer trust and support a merchant’s long-term success. Surveys indicate consumers are increasingly concerned about the safety of their personal data. Nearly half of Americans believe their personal information is likely to be accessed by an unauthorized person within the next 12 months. Furthermore, as many as 45 percent of cardholders are likely to avoid stores hit by data breaches.
PCI compliance is not a one-time event; it requires ongoing effort. As a business owner, much of this effort rests with you. Focusing only on an annual compliance assessment can create a false sense of security. According to the PCI Security Standards Council (PCI SSC), security controls deployed by organizations that had passed an assessment were often out of compliance by the time a breach occurred at a later date.
PCI compliance offers a tangible framework for merchants to identify and address payment card data threats and vulnerabilities that could lead to a breach. It provides the opportunity to take an ongoing, active role in protecting your business.
The complexities of PCI compliance can seem daunting, but merchants aren't alone in their efforts. PCI applies to every entity that stores, processes or transmits payment card data, including banks, payment processors and service providers. Let's take a look at some of the ways your merchant acquirer can help you achieve and maintain PCI compliance.
Education and information: Keeping up with payment industry requirements takes time that many small and medium-sized merchants don't have to spare. Acquirers can be a good source of information on current requirements, since they must also adhere to PCI standards. Educational offerings vary and can include webinars, eBooks, online and in-person training, compliance guides, checklists, and other useful resources.
Customizable programs: While the PCI DSS requirements themselves apply to every merchant, how you validate compliance (your merchant level and the Self-Assessment Questionnaire that applies to you) depends on your transaction volume and how you accept cards. Your acquirer can help ensure you get the compliance assistance you need based on your business type and the resources you already have. For example, a merchant with no internal IT staff may need more assistance than one with a full-time dedicated technology specialist.
Tools and support: Many acquirers offer PCI assistance "tool kits" to help guide merchants through the compliance process, as well as support from dedicated compliance professionals. These kits may include virus scanning capabilities, assistance with completing the Self-Assessment Questionnaire (SAQ), "To Do" lists to track compliance progress, and more.
Breach protection: Some acquirers provide breach assistance services to their merchants. These services are designed to help safeguard your business by covering certain costs in the event of a suspected or actual data breach at your location. Coverage varies by provider, and can include the costs of a forensic investigation, card replacement and account monitoring, card association fees, and hardware and software upgrades.
If PCI compliance isn’t a top priority for your business, it should be.
And if your acquirer isn't assisting in your efforts, it's worth searching for one that will. Security is a shared responsibility, and when every entity in the payments chain does its part, compliance is a whole lot easier to manage.
Be sure to subscribe to this blog for additional tips and webinar announcements.