Is PCI compliance legally required?
It’s a common question among business owners and employees. Maybe you’re just starting out and wondering how to accept credit cards, or maybe you’ve done a little research but are confused by all the information out there.
Here’s the short answer: yes, PCI compliance is mandatory but not legally required.
Let’s get into why.
The PCI Security Standards Council
In 2006, the five major card brands (American Express, Discover, MasterCard, Visa, and JCB International) formed the PCI Security Standards Council, an organization dedicated to promoting awareness of and adherence to payment security standards.
In pursuit of that goal, the PCI Security Standards Council created the PCI Data Security Standard (PCI DSS), a set of rules and requirements that businesses must follow to make sure they handle and store customer credit card information safely.
Any business that transmits, stores, handles, or accepts credit card data — regardless of size or processing volume — must comply with the PCI DSS.
If you only process three credit card transactions a month, you must comply with PCI standards. If you use a third-party payment processor, you must comply with PCI standards. If you don’t store credit card data but it passes through your server, you must comply with PCI standards.
All that to say, if your business accepts credit cards as a form of payment, then you must be PCI compliant.
What if I’m not PCI compliant?
PCI compliance is mandatory for any business that accepts cards, but some business owners wonder if they can get around the requirements. This is an irresponsible and potentially devastating idea.
If you’re not PCI compliant, then you’re putting your customers and business at risk. Without the protection that PCI compliance brings, your business could be vulnerable to costly attacks and data breaches.
If a data breach occurs and you’re not PCI compliant, your business will have to pay penalties and fines ranging from $5,000 to $500,000.
But fines are just the beginning of the overall damage caused by noncompliance.
If you’re not PCI compliant, you run the risk of losing your merchant account, which means you won’t be able to accept credit card payments at all. Your business could also be placed on the Member Alert to Control High-Risk Merchants (MATCH) list, making you ineligible to obtain a new merchant account for several years.
On top of that, a data breach could cost you thousands of dollars in damages, cost you the respect and trust of your customers, and decimate your reputation.
There are a variety of penalties for not being PCI compliant, so it’s always best to be as fully compliant as possible to avoid expensive fines and other losses.