Blog > Is PCI Compliance Legally Required?
Is PCI Compliance Legally Required?
Is PCI compliance legally required?
It’s a common question among business owners and employees. Maybe you’re just starting out and wondering how to accept credit cards, or maybe you’ve done a little research but are confused by all the information out there.
Here’s the short answer: yes, PCI compliance is mandatory but not legally required.
Let’s get into why.
The PCI Security Standards Council
If you don’t know what PCI compliance is, watch the video below.
In 2006, the five major card brands (American Express, Discover, MasterCard, Visa, and JCB International) formed the PCI Security Standards Council, an organization dedicated to promoting awareness of and adherence to payment security standards.
In pursuit of that goal, the PCI Security Standards Council formed the PCI Data Security Standard (PCI DSS), a set of rules and standards for businesses to follow to make sure they’re safely storing customer credit card information.
Any business that transmits, stores, handles, or accepts credit card data — regardless of size or processing volume — must comply with the PCI DSS Standards.
If you only process three credit card transactions a month, you must comply with PCI standards. If you use a third-party payment processor, you must comply with PCI standards. If you don’t store credit card data but it passes through your server, you must comply with PCI standards.
All that to say, if your business accepts credit cards as a form of payment, then you must be PCI compliant.
What if I’m not PCI compliant?
PCI compliance is legally required, but some business owners wonder if they can get around the requirements — this is an irresponsible and potentially devastating idea. Learn more about the consequences of PCI non-compliance here.
If you’re not PCI compliant, then you’re putting your customers and business at risk. Without the protection that PCI compliance brings, your business could be vulnerable to costly attacks and data breaches.
If a data breach occurs and you’re not PCI compliant, your business will have to pay penalties and fines ranging between $5,000 and $500,000.
But fines are just the beginning of the overall damage caused by noncompliance.
If you’re not PCI compliant, you run the risk of losing your merchant account, which means you won’t be able to accept credit card payments at all. Your business could also be placed in the Member Alert to Control High-Risk Merchants (MATCH) List, making you ineligible to obtain a new merchant account for several years.
On top of that, a data breach could cost you thousands of dollars in damages, lose the respect and trust of your customers, and decimate your reputation.
There are a variety of penalties for not being PCI compliant, so it’s always best to be as fully compliant as possible to avoid expensive fines and other losses.
How can I be PCI compliant?
PCI compliance is an ongoing process that requires regular evaluations and assessments of current systems and practices. It’s not a “set it and forget it” project — it’s a continual effort to keep cardholder data safe.
That being said, PCI compliance can be overwhelming. There are many requirements that can be confusing and difficult to implement. Fortunately, you don’t have to do it on your own. You can use third-party products and services as part of your larger PCI compliance strategy.
Many third-party payment gateways adhere to the PCI DSS so you don’t have to worry about it on your end. These payment gateways use data security methods like tokenization that allow you to store “tokens,” or non-sensitive credit card data elements, on your local servers instead of the actual information. This allows for quick and easy access to data (for repeat customers, for example), without actually storing any information.
Using these payment gateways can remove some of the PCI compliance burden from your business, but remember that third-party solutions are not a silver bullet. You’re still responsible for your security and must commit to testing, strengthening, and updating it over time.
The bottom line
If your business accepts credit cards, then you must be PCI compliant. It’s as simple as that.
So don’t let fear or confusion keep you from tackling PCI compliance. In the long run, PCI compliance will protect you and your customers from data breaches, and the costs and damages associated with them.
It’s important to always remember, PCI compliance is legally required and necessary for the safety of both businesses and customers.