PCI Compliance Explained.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Essentially any merchant that has a Merchant ID (MID).
Who needs to be compliant?
PCI Compliance is required for any company which sees, processes, holds or handles debit or credit card details in an electronic form, which could apply to your website, your retail shop and/or your office. In practice, this means any company which has a merchant bank account.
This applies if you take payment by card in your shop, or over the phone, or using a virtual terminal, or on your website using the Uber Payment Gateway. If you take payment on your website using PayPal or Google Checkout, then the answer is no, as you don’t have a real merchant bank account.
Where Can I find the PCI Data Security Standards?
The standards can be found on the PCI DSS website: https://www.pcisecuritystandards.org/security_standards/index.php
Do organizations using third-party processors have to be PCI compliant?
Yes. Merely using a third-party company does not exclude a company from PCI compliance. It may cut down on their risk exposure and consequently reduce the effort to validate compliance. However, it does not mean they can ignore PCI.
How do I become compliant?
PCI Compliance has two parts: a questionnaire about how you protect the card data you handle, and sometimes a software scan on your website, office and/or shop to make sure it is secure. The questionnaire and scan basically ensure you meet the list of PCI requirements, which include things like having a secure network, regular testing and a security policy.
What will happen if I don’t bother?
If you have an Internet Merchant Facility, your bank may eventually start fining you until you are compliant, or put a freeze on your account until you become compliant.
Should your website or application be hacked, and card details are stolen, you may be liable for crippling fines and asked to conduct a full PCI Audit by a QSA before your bank allows you to start taking payments again.