“You feel violated. Anger. There’s anger. For me, there’s anger. Some of the other people I talked to are afraid. I get mad. Somebody, some clown, stole from me.”
- Greg Scott, Credit Card Fraud Victim.
Credit card fraud remains the most common type of identity theft in the U.S., accounting for over 40 percent of all identity theft cases. A total of 271,823 cases were recorded in 2019, more than double the number reported in 2017.
Now, if you were an organization handling customers’ payments via cards or other electronic channels, you wouldn’t want them to feel violated, angry, or afraid, right?
All organizations want their customers to feel safe and protected. To provide a safe and secure environment for card-based transactions, a company needs to comply with the guidelines set up by the Payment Card Industry - Security Standards Council (PCI SSC). These guidelines are referred to as the Payment Card Industry - Data Security Standard (PCI DSS).
In this section, we’ll look at how PCI DSS has evolved over time to improve the security of card transactions.
With the rise in credit card fraud, the leading payment card brands such as American Express, VISA, MasterCard, JCB International, and Discover decided to set up a council in 2004. This council is referred to as the PCI SSC and the security guidelines set up by them are known as the PCI DSS.
PCI SSC is responsible for developing, enhancing, and disseminating international security standards for credit cards.
PCI DSS helps prevent payment card fraud and ensures that consumers’ personal information remains secure when merchants and service providers work with payment card data.
All companies that store, handle, or transfer cardholder data are subject to the PCI DSS. It is also applicable to all security service providers who protect cardholder data, such as a firewall management service. Even mid-sized businesses that collect, transmit, or store payment card data must abide by the PCI DSS requirements.
Today, almost every business handles payment processing, storage, or transmission of credit card data electronically. Be it eCommerce or retail, storing payment card data for subscription and recurring payments can make business much easier for both you and your customers. However, handling such data entails responsibility and a hefty expense for data protection.
Yes, if your company has to collect, store, or transfer PCI data, such as cardholder names or primary account numbers (PANs), then you must follow the PCI DSS rules without exception. However, if there is no PCI data in your Cardholder Data Environment (CDE), then PCI DSS compliance becomes optional.
The size of your business does not matter. What matters is the volume of debit or credit card payments your company receives annually.
Level 1 organizations require an external audit performed by a Qualified Security Assessor (QSA). Organizations in PCI Levels 2 through 4 can complete a self-assessment questionnaire (SAQ) instead of an external audit. They also need to submit an Attestation of Compliance (AOC).
Non-compliance with PCI DSS leads to several consequences, including:
PCI non-compliance can result in penalties imposed by the credit card companies ranging from $5,000 to $100,000 per month. The volume of clients and transactions determines a company’s PCI DSS compliance level and the corresponding penalties.
Although PCI DSS compliance does not prevent data breaches, organizations that fulfill the PCI DSS requirements incur lower fines, whereas a business that is not PCI DSS compliant faces significant financial damages after a data breach:
You’ll likely face lawsuits if any customer data is compromised because of PCI DSS violations. In 2007, TJX Companies, best known as the parent company of Marshalls and T.J. Maxx, had to pay $40.9 million for a data breach that put an estimated 100 million bank cards at risk.
Putting bank card information of clients at risk can result in irreversible damage to a company’s reputation, in addition to other related expenses incurred by the business. Failing to provide a safe and secure PCI environment will result in a lack of trust in your organization.
Non-compliance with PCI can also indirectly lead to revenue loss. In 2013, Target was charged $18.4 million for a data breach that affected more than 41 million customers. It resulted in a $440 million loss in revenue in the first quarter following the breach. Even big enterprises with years of reputation are vulnerable to such losses, so the overall impact of PCI non-compliance can be huge for mid-sized businesses.
In this section, we look at some of the key requirements that organizations need to fulfill for PCI DSS compliance.
Step 1: Determine which PCI compliance level you belong to based on the number of annual transactions.
Step 2: Fill out the PCI compliance SAQ based on charts available on the PCI DSS official website.
Step 3: Investigate your payment technology.
Step 4: Create and document compliance processes.
Based on the SAQ and the investigation of your existing payment technology, make amendments so that your environment adheres more closely to the PCI DSS guidelines. Document these changes in detail for future reference.
Step 5: Complete your attestation of compliance.
An AOC is a form that merchants use to record the successful completion of their PCI DSS assessment. In other words, an AOC is the paperwork that lets the PCI SSC know you’re abiding by the rules. Be sure to have a Qualified Security Assessor review your work so that they can confirm your findings.
Step 6: Prove your compliance with PCI standards with a vulnerability scan.
Step 7: Submit PCI compliance documentation.
Step 8: Track and test your systems.
The cost of obtaining PCI DSS certification depends on many factors. Among the key ones are the compliance level required and the environment in which your organization operates. An overview of the annual costs involved in implementing PCI DSS is as follows:
Accounts receivable automation and the use of electronic, cloud-based solutions lead to efficient back-office operations, saving time and money. To ensure accounts receivable operational efficiency, the CDE of any organization, irrespective of its size, will have access to PCI data for recurring transactions. Without PCI DSS compliance, accounts receivable cannot be handled efficiently. Being PCI DSS compliant leads to faster and improved payment processing and a better customer experience. Hence, PCI DSS compliance has a noticeable positive impact on accounts receivable handling and related processes.
Being able to handle a customer’s card information securely provides an environment of trust and makes payment processing easier for businesses. In addition to online payment methods, a safe and secure CDE is imperative for most businesses today, irrespective of their transaction volume. Being PCI DSS compliant is one step to ensure that. Solutions like RadiusOne eInvoicing and Collections App minimize compliance risk with an in-built PCI DSS compliant payment gateway.
The HighRadius RadiusOne AR Suite is a complete accounts receivable solution designed for mid-sized businesses and SMBs to automate eInvoicing, Collections, Cash Reconciliation, and Credit Risk Management to enable faster cash conversion and maximize working capital.
It is quick to deploy, ready to integrate with ERPs such as Oracle NetSuite, Sage Intacct, and MS Dynamics, and scales to meet the needs of your order-to-cash process.
Lightning-fast Remote Deployment | Minimal IT Dependency
Prepackaged Modules with Industry-Specific Best Practices.