Ensuring Compliance with PCI Standards

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards put in place to maintain a secure environment for credit card information. These standards apply to the acceptance, processing, storage, and transmission of credit card information. No matter what size, any organization that accepts, transmits, or stores credit or debit cards is subject to PCI standards. 

How PCI DSS Affects Your Organization

PCI standards are managed by the Payment Card Industry Security Standards Council and are enforced by all of the major credit card companies including Visa, MasterCard, American Express, Discover, and JCB. 

Each major credit card company enforces the standards in a slightly different way.  They each have programs that focus on the number of transactions for the credit cards alone. However, each has its own definitions depending on the number of transactions, and different compliance submission requirements.  Because of these differences, it is possible to be compliant with one major credit card brand but not with another. 

With the rise of hackers, phishing, and other external threats to data, it’s extremely risky to store sensitive data including credit card information.  Building trust around payment system security is vital if you wish to ensure timely payments from customers.  Additionally, banks can be fined up to $100,000 per month for PCI compliance violations by each of the payment brands.  These fines are generally passed along to non-compliant merchants through increased transaction fees.  Although penalties are not widely publicized, they can be found in merchant account agreements.

Maintaining Compliance

The PCI DSS is designed to minimize the risk of credit card fraud and ensure trust between consumers and companies. This is important to the success of any business.

It is ultimately the responsibility of each company to responsibly handle sensitive information. Merchants must maintain compliance with PCI standards if they wish to avoid paying fines. Proactively setting up strong internal policies and controls around credit card information is an important first step. 

Not storing credit card data makes it much easier to ensure compliance with PCI standards.  However, this isn’t always possible. Some merchants store credit card data for recurring billing.  When this is the case, it is best practice to use a third-party credit card vault and tokenization provider.  By using one of these providers, the merchant is still able to process recurring billing, but no longer has direct possession of sensitive information.  Therefore, the risk is removed to a third party who specializes in the storage and protection of sensitive credit card data. 

Vault Consulting offers outsourced accounting and market research services to nonprofits, associations, and their affiliates. Our services are designed to reduce the risk of internal fraud. This improves both trust and compliance. Please contact us for more information about our services.