If you are a merchant running a business that accepts credit cards, by now you have at least heard of the Payment Card Industry Data Security Standard, or PCI DSS. If your business isn’t PCI compliant, then you and your customers are at greater risk than you should be. If your business isn’t PCI compliant by now, you are also about 3 years behind the times. PCI compliance became a mandatory requirement at the beginning of 2009, and merchants can be fined by the Payment Card Industry Security Standards Council up to $25 per month, every month, until PCI compliance is achieved. The potential industry fines, however, pale in comparison to the immediate and collateral damage that accompanies a breach of sensitive authentication data. Following a data breach, the merchant is responsible for all loss of revenue due to fraud on the stolen data (though this may not come to light for some time), not to mention the cost of breach containment, the required investigation(s) and, of course, plenty of legal fees. Oh, and did I mention the permanent loss of angry customers, and their friends? Even if you survive the onslaught of fines and fees, can your business recoup its reputation?
Does any of this sound scary? Think it can’t happen to you? While it’s true that the data breaches you hear about involve giant banks and financial institutions, attractive to thieves for the sheer volume of money to be stolen, small businesses are fast becoming a favorite target of the common hacker. Why, you ask? Precisely because so many small merchants believe their business to be beneath notice and therefore don’t bother with PCI compliance, or any other data security measures beyond a deadbolt on the front door. Problem is, these data thieves don’t need to get in your door to rob you (and your customers) blind. They do it remotely from the comfort of their own homes.
Regardless of your current PCI compliance status, however, there is a new version of the Self-Assessment Questionnaire (SAQ) as of January 1st, 2012: SAQ version 2.0. Make sure you use this version for any initial PCI compliance validation or renewal of current PCI compliance validation. If you completed the old version, SAQ version 1.2, on any date in 2011, your compliance is considered valid until its expiration, usually one year from the completion date. Most processors include some level of monetary reimbursement or breach coverage that can be applied to certain fines or legal fees the merchant will incur, provided the merchant had a valid PCI compliance registration at the time of the breach. This site can show you how to easily and correctly get your business PCI compliant, and best of all, it’s free!