Why Should Small Business Owners Be Concerned About PCI Compliance?.

The Payment Card Industry Data Security Standard (PCI DSS) is a collection of security guidelines meant to ensure that firms that accept and process credit and debit card data do so in a safe and secure manner.

If you take card payments and process, send, or store cardholder data, you must host your data securely with a PCI compliant hosting provider, regardless of what industry you're in or how big your company is.

In 2006, the five largest credit card brands — American Express, Visa, MasterCard, Japanese Credit Bureau (JCB), and Discover — created the PCI Security Standards Council.

While each credit card company has its own compliance programme, all of them are built on the PCI standards.

While the Council has no legal authority, if your company wants to take credit or debit card payments, it must comply with PCI guidelines.

PCI Compliance stands for Payment Card Industry Data Security Standard.

PCI is made up of a set of 12 individual requirements that are divided into six categories. The main goals are to increase payment security and to educate merchants on how to improve their security.

This entails establishing and maintaining a secure network, safeguarding cardholder data, and testing and monitoring networks on a regular basis.

There are four tiers of PCI compliance, depending on the number of transactions your company makes in a 12-month period. The total number of Visa transactions made by a merchant doing business as 'DBA' is referred to as transaction volume. This includes credit, debit, and prepaid card transactions.

If you sell under many DBAs, your validation level should be based on the total volume of transactions handled, saved, or communicated.

Your firm will have fewer PCI requirements and will be classified as Level 4 if it conducts 20,000 transactions or less per year, or if card data is processed primarily by vendors such as shopping card providers.

You will be rated as Level 3 if your company processes between 20,000 and 1 million transactions per year.

Level 2 businesses process between 1 and 6 million credit card transactions in a 12-month period.

Each level introduces a new set of compliance criteria.

Businesses conducting 6 million or more transactions per year or holding their own card data, developing their own code, and maintaining their own servers are subject to the most stringent compliance standards at Level 1.

How Much Will PCI Compliance Cost My Company?

An Approved Scanning Vendor must perform a website or network scan on a level 4 business that has credit card data stored electronically on its site or processing systems with online connectivity.

A Self-Assessment Questionnaire and an Attestation of Compliance must also be completed by the company's employees. It might be as low as $60 per month.

If your company is at Level 3, the cost of a regular website or network scan by an Approved Scanning Vendor, as well as the completion of the yearly Self Assessment Questionnaire and Attestation of Compliance, could total $1,200 each year.

Depending on the number of IP addresses and the size of your network, this cost could range from $10,000 to $50,000 per year for Level 2 organisations.

Costs for Level 1 PCI compliance can range from $50,000 to $100,000, and include not only a regular network scan by an Approved Scanning Vendor, but also an Attestation of Compliance and a yearly Report of Compliance by a Qualified Security Assessor.

What Can My Company Do to Comply with PCI Requirements?

No matter what category your organisation is classed at, you'll need to obtain frequent website or network scans done by an Approved Scanning Vendor to ensure PCI compliance. Level 1 businesses will also require the assistance of a Qualified Security Assessor to conduct annual on-site assessments.

Meeting PCI compliance criteria fully requires just the aid of an Approved Scanning Vendor and some work by your own team for small firms doing fewer than 6 million credit and debit card transactions each year.

For further information about how Cyborgenic can help reduce and identify risk to your company please contact me on sales@cyborgenic.com.