Welcome to Swipen’s second instalment of the ‘Payments Parlance’ blog series. Acronyms, techspeak, compliance, and seemingly random fees can leave us all confused and wondering, ‘what does it all mean?’. These blogs are designed to help explain the terminology, issues and charges that often surface within the payments industry.
Today we talk about PCI and its associated charges.
What is PCI?
PCI stands for Payment Card Industry. You’ll often see the acronym PCI DSS, which is the Payment Card Industry Data Security Standard. PCI DSS is a set of security requirements designed to protect cardholder data wherever it is stored, processed or transmitted. The PCI DSS is administered and managed by the PCI SSC (PCI Security Standards Council – www.pcisecuritystandards.org), an independent body created by the major payment card brands: Visa, MasterCard, American Express, Discover and JCB.
Note: It is the payment brands and acquirers that are responsible for enforcing compliance, not the PCI council.
Who is affected by PCI DSS?
The standard applies to ANY company, regardless of size or number of transactions. If you accept, process, store or transmit cardholder data (credit or debit card details), your business must be compliant at all times, and your compliance must be validated annually (typically through a Self-Assessment Questionnaire or, for larger merchants, an on-site assessment by a Qualified Security Assessor).
What do I need to do to comply?
The 12 high-level requirements of PCI DSS are:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
Does PCI DSS still apply to me if I use a Payment Service Provider (PSP)?
Yes. Using a third-party company does not exempt a business from PCI DSS compliance. A PSP can reduce how much of your environment is in scope (for example, a hosted payment page keeps card numbers off your own systems), but you remain responsible for validating your compliance. Swipen is able to assist you with compliance and offer advice.
What if I don’t keep or store credit card data?
If you accept credit or debit cards as payment, whether in-person or remotely, then PCI compliance applies to you. It is considerably easier to comply if you never store card data at all (for example, by relying on tokens or a hosted payment page rather than keeping card numbers), but not storing card data reduces your scope; it does not remove the obligation.
What are the penalties for non-compliance?
PCI DSS is not, in itself, a law; the standard was created by the major card brands and is enforced through your merchant agreement with your acquirer. However, if you are non-compliant and suffer a data breach, you may be subject to hefty fines from the card brands, card replacement costs, costly forensic investigations, brand damage and potentially the loss of your ability to accept cards. Outside of serious data breaches, you will also likely be charged a monthly non-compliance fee.
What are the PCI fees on my bank statements?
You’ll often see PCI fees on your bank statements. They may appear as ‘NON PCI GF’, ‘PCI MONTHLY FEE’, ‘PCI NON-COMPLIANCE FEE/CHARGE’, ‘SECURED PCI’ or something similar. These are all the same fee, charging you for PCI non-compliance. (An entry such as ‘DCC ACTUAL/POTENTIAL’ is sometimes listed alongside these, but DCC normally refers to dynamic currency conversion, a separate charge; check with your provider.) The non-compliance charge is usually a set amount per month, but can also be a percentage of turnover. Unfortunately, you can end up paying quite a large fee each month.
The good news is that Swipen DOES NOT charge anything for PCI advice, assistance or for non-compliance, saving you money every month.