Many businesses believe they do not require the need to become PCI compliant. However, anyone or any business that uses credit or debit cards transactions involving a point of sale device is often more at risk than those who store, processes or transmits cardholder data.
This is a very common misconception. Merchants also make the mistake of thinking because they are a small firm, being PCI compliant is not a necessity. In an actual fact, it is the payment brands themselves who enforce the PCI standard for merchants and service providers, regardless of their size.
Although merchants who process less than $20,000 in transactions a year are generally not required to seek compliance validation, the PCI compliance obligation remains, as does the consequences if your company data, including processed information, is stolen or compromised. Thus, if these regulations are not followed, companies who store, process, or transmit any information recorded on a credit or debit card face significant fines, higher opex costs, and potential suspension or expulsion from card processing networks.
What is most concerning, is the fact that businesses forget this encompasses the handling of data while it is processed or transmitted over networks, phone lines, faxes, etc. Even though your firm may not store credit or debit card data, the majority of the controls dictated by the PCI standard remains in effect. To completely avoid PCI compliance altogether is to transfer the risk entirely to someone else such as PayPal. The company’s website standard service is where customers interact with the PayPal software directly and credit card information never traverses your own servers.This can only be done through forwarding customers to PayPal’s servers. If your website integrates with PayPal however via an API, then you still need to be PCI compliant as your servers receive credit card information first.
If in any case, you are not PCI compliant and experience a breach and therefore fail to prove your continued compliance with the PCI standards, you will be forced to cover charge-backs, have your credit card processing suspended, escalate into a higher compliance tier and be required to pay tens of thousands in annual compliance auditing costs.
For more information or to find out if your business is PCI compliant and how to become compliant, contact us.