If you are involved in financial services, then you are subject to PCI-DSS regulations. The Payment Card Industry Data Security Standard (PCI-DSS) is a set of guidelines designed to keep sensitive financial information safe and secure throughout every stage of the payment cycle. Credit card abuse is on the rise worldwide, especially online. Financial service providers that take and manage any kind of financial transaction are responsible for safeguarding all of the card data that enters their systems.
Becoming and remaining PCI compliant is not always easy. Data security standards become more stringent as thieves become more inventive in developing strategies for stealing credit card information. PCI-DSS 3.1 is the most current version and there will be more revisions in the future. So to help get an idea of how important compliance is, here are five important details about PCI compliance.
You are responsible for ensuring your compliance
If you make any kind of financial transaction, such as taking a credit card payment, you are required to be PCI compliant. Even if you make just one transaction, you are required to be compliant. Ignorance of the regulations is not an excuse. It is your responsibility to learn the regulations, remain abreast of all the rules and regulations and adhere to them at all times.
You are also responsible for the compliance of your vendors
PCI-DSS states that you are also responsible for the compliance of any vendor that provides you with software or services and any company or person that you hire to help you. If you hire a software company to install a financial-transaction software package on your system, then that software must meet the PCI standards. If the software is found to be non-compliant then you will be held responsible and penalized. Also, companies that hire you to collect debts know this. When they are considering hiring you, they will require that you prove that your financial processes are compliant to the latest standards.
Noncompliance brings heavy penalties
If your financial transactions are found to be non-compliant you will be fined heavily. Fines of tens of thousands or hundreds of thousands of dollars are not uncommon. In addition, banks or companies such as a car dealership that hire you to collect their debts are aware of this (see #2, above). If, during a PCI audit of their systems, they find you to be non-compliant, the bank will be fined and that bank will pass the fine on to you.
Even if you are prepared to absorb the extra fines, you will pay in other ways.
- This will trigger an audit of your company. Since the auditing agency already knows you are non-compliant, it will just be a matter of determining the size of the financial penalty that will be levied against you.
- Significantly diminished business, if any ever again. When you are found non-compliant you will have a very hard time ever selling your financial services again. It will take a long time to build confidence in your business again.
- Extra paperwork and lost time. PCI compliance is not just a set of rules. It is a regulated system for making the financial payment environment more secure. If you are not PCI compliant, and you remain in business, you should be ready for frequent PCI audits in which you must prove your compliance. This will take significant time away from your core business.
Regular self-audits are critical
To remain compliant, you must conduct periodic audits of your financial transaction systems and methods. These self-assessments should include:
- How you store and transfer customer financial data (such as credit card numbers).
- How your employees are educated and trained on security and data management.
- How vendors and suppliers within your network handle the financial data.
Although this seems like one more time-wasting burden for your business, these self-audits are essential. Auditing, uncovering and fixing potential problems can save you a lot of time and money in the long run.
Your payment processor can help with compliance
A compliant payment processor, such as BillingTree’s payment processing solutions, can help with compliance. Since the processing software is required to be PCI compliant, any transactions completed through the software are fully compliant to the current standards. This means that payment processing software can help you meet some of the standards of compliance, but not all (as discussed here). It is your responsibility to make sure the vendor is up-to-date with PCI standards.
In summary, remaining PCI compliant can seem like a burden, but it is an important part of reducing credit card fraud as a financial services business. If you would like to learn more about remaining PCI compliant, contact BillingTree or call us at 877-424-5587.