September 12, 2018 by Siobhan Climer
We are now a few months into the enforcement of the new PCI Compliance V3.2.1 standards, yet many businesses are still non-compliant. We’ll explore who needs to be compliant, how businesses can ensure compliance, and what happens if you’re found to be non-compliant. Hint: it’s not good.
Who Needs To Meet PCI Compliance V3.2.1 Standards?
Everyone who interacts with the payment card industry (PCI) in any capacity. In the words of the PCI Security Standards Council, “anyone who stores, processes, and/or transmits” credit card information. So, retailers who takes in payments for material goods; hospital contact centers who transmit payment information and record phone calls; or service providers who store credit card transactions, every one of them is on the hook for compliance.
Compliance Confidence: SAQs And QSAs
Knowing you need to be PCI compliant is one thing. Validating compliance is another. To get you started, we created a free PCI Compliance Checklist for the contact center, which you can access here or by clicking on the image below.
Since there is no logistical way in which the PCI Security Standards Council can actually check every single individual and organization that must meet PCI compliance, they have created a handy Self-Assessment Questionnaire (SAQ) for merchants.
Depending on the type of business you are and the processing method you use, one of four different SAQs applies to your business. These are SAQs A, B, C, and D. Using the SAQ, most businesses can ensure they meet the compliance standards.
Not everyone feels comfortable using SAQs, and they don’t work for every business situation, so many companies work with a PCI auditor. The PCI Security Standards Council provides a list of Qualified Security Assessors (QSAs) that businesses can work with to audit the organization for compliance.
To find out more about SAQs and QSAs (we’re acronymed-out, too), use the PCI SSC document here.
The costs for auditing vary depending on your business. The PCI Security Standards Council created four compliance levels. Your business fits into one of the following:
Level 4 – Less than 20,000 transactions/year (even if it is just ONE transaction)
Level 3 – 20,000 to 1 million transactions/year
Level 2 – 1 to 6 million transactions/year
Level 1 – 6 million+ transactions/year
Any Level 1 business must secure a QSA to ensure PCI compliance.
Another factor that may affect how your business assesses compliance is the acquiring bank with whom you work. The PCI Security Standards Council sets the standards for compliance, but enforcement – and fines – are assessed by a business’ acquiring bank. Different acquiring banks may have different expectations, so be sure to check with yours.
Whether you perform a SAQ using the resources of your own staff or choose to engage a QSA and partner in assessing your PCI compliance V3.2.1, it’s a lot of work. What’s the risk if you don’t assess PCI compliance? No one’s checking, right?
PCI Compliance V3.2.1: Breaches Break Banks
What’s the risk? Risk is the bread and butter of business, so it’s a fair question. But be prepared for the answer: the risk is significant. And we mean the statistical definition of significant.
In 2016, over 1 billion data breaches were reported. In 2017? Almost 1.5 billion. So far, 2018 reports 668 million breaches (22.41 million records exposed) in the first half of the year, with the number likely to change drastically given large changes in security structures (like GDPR) around the world.
91.3% of all data breaches in 2017 affected the business sector, so the risk of a data breach affecting your business is, as we said, significant.
But what do data breaches have to do with PCI compliance?
When a business is the victim of a data breach, the acquiring banks with whom they work will verify PCI compliance. If the business was found to be non-compliant at the time of the breach, fines will be assessed.
The fines for non-compliance aren’t small change, either. They range between $5,000 to $100,000 PER MONTH until compliance is reached. For an emerging or midmarket business, that kind of fee is unsustainable. Many SMBs who are the victim of a data breach are bankrupt within 6 months of the attack.
So, the chances are your business will be the victim of a data breach. And if you’re not compliant, the chances are you won’t have a business within 6 months. That’s what we mean by significant.
PCI Compliance V3.2.1 Today, Assurance For Tomorrow
It simply isn’t possible for every business to have a trained PCI compliance officer on staff. Partnering with an organization that can assist your business in developing a compliance strategy – that utilizes compliant hardware, software, and systems – is essential for preparing your business for the risks of tomorrow.
Like what you read?
About Mindsight
Mindsight, a Chicago IT consultancy and services provider, offers thoughtfully-crafted and thoroughly-vetted perspectives to our clients’ toughest technology challenges. Our recommendations come from our experienced and talented team of highly certified engineers and are based on a solid understanding of our clients’ unique business and technology challenges.
About The Author
Siobhan Climer, Science and Technology Writer for Mindsight, writes about technology trends in education, healthcare, and business. She previously taught STEM programs in elementary classrooms and museums, and writes extensively about cybersecurity, disaster recovery, cloud services, backups, data storage, network infrastructure, and the contact center. When she’s not writing tech, she’s writing fantasy, gardening, and exploring the world with her twin two-year old daughters. Find her on twitter @techtalksio.
