PCI compliance is probably the last thing on your mind when running a business; but if you’re not compliant, it can cost you big time.
Failing to meet PCI standards for compliance, and experiencing a data breach, could cost your business between $5,000 and $500,000 per breach in penalties and you could be at risk of having your merchant account shut down. You could even be placed in the Visa/MasterCard Terminated Merchant File, making it challenging to obtain another merchant account for several years. It’s best to avoid these fines and challenges simply by being PCI compliant.
And we’re here to help you do that! Here are a few tips.
PCI Compliance Tip #1:
Your payment provider should have your status of compliance noted in your merchant profile. The first step is to contact your provider and ask if you’re PCI compliant and make sure they have your compliance certificate on file. Having worked with several hundred companies over the past few years, we have encountered inconsistencies within this compliance process. Oftentimes, a company conducts the PCI compliance tests and successfully passes, and yet their compliance certificate is simply not on file. When this happens, it can create unnecessary costs for a business, because the payment provider passes on the non-compliant fees to them. This should not be the case.
We don’t want to see this happen to you. The good news is, it’s an easy fix.
Simply contact the QSA (Qualified Security Assessor) who performed your PCI compliance program, and request the certificate. Once received, send the certificate to your relationship manager, and follow up to ensure your merchant provider notes the submission on file. Double-check these records a few days later, to ensure this doesn’t happen again.
PCI Compliance Tip #2:
We recommend reviewing your billing statement for the upcoming month to ensure there are no non-compliance fees going forward. Most major PCI compliance companies work with all major payment providers, and in most cases automatically update the status on the back-end. Ask your merchant provider if they work with the QSA who performed your PCI compliance tests to verify that there is an existing partnership between the two.
PCI Compliance Tip #3:
Your PCI compliance status can be confusing if your company enrolls in the PCI compliance program, but doesn’t complete the evaluation. Some businesses believe that if they enroll in the program, they are compliant. This assumption is incorrect, yet surprisingly, we see this very often.
In order to receive a certificate of PCI compliance, a company must complete a questionnaire and pass an IP scan. If your business is in the “enrollment” state, contact your QSA to complete the questionnaire and IP scan. The evaluation may necessitate some adjustments to your business’s IT infrastructure; in some cases, your business may also need to involve an IT specialist to complete the necessary adjustments. Though this process may require some time and resources, it’s important to know that it eliminates many common vulnerabilities within your infrastructure.
Keeping criminals out and preventing a security breach are positive things!
The IP scan is conducted quarterly; keep in mind that once your business passes the initial scan, you must maintain your compliant status on an ongoing basis. The scan is initiated automatically, so there is no need to call the QSA to confirm that it was performed.
All major QSAs will automatically notify you if you don’t pass the quarterly scan, and support you through the resolution process. This is certainly helpful.
PCI Compliance Tip #4:
If your business has verified the status of non-compliance with your payment provider and you haven’t yet initiated the program, it’s time to contact a QSA. You can find a list of certified companies at pcisecuritystandards.org.
We highly recommend using only companies appearing on this list; if the QSA is not on this list, it is not an official QSA. If it is not officially recognized, it cannot give you a PCI certificate. The QSA is the company that performs the certification for PCI-DSS compliance; there is no other way to obtain a PCI certificate. Keep in mind that your payment provider likely has its preferred vendors, but watch out for the costs. Some payment providers offer this for free, while others charge a fee.
If you’re a good negotiator, you can make sure you receive your PCI certificate as a complimentary service.
Now that you know these four ways of ensuring you’re PCI compliant, follow the steps above, or contact Merchant Broker to have a payment security and PCI conversation.
We can certainly eliminate the legwork described above and properly support you through this process.