The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. In practice it covers essentially any merchant that has a Merchant ID (MID).
Why become compliant? The incentives include a 'Safe Harbour' from certain penalties and fines if a merchant is compliant at the time of a breach.
PCI Compliance is required for any company which sees, processes, holds or handles debit or credit card details in an electronic form, which could apply to your website, your retail shop and/or your office. In practice, this means any company which has a merchant bank account.
This applies if you take payment by card in your shop, or over the phone, or using a virtual terminal, or on your website using Fat Zebra. If you take payment on your website using Google Checkout, then the answer is no, as you don't have a real merchant bank account.
The standards can be found on the PCI DSS website.
Yes. Merely using a third-party company does not exempt a company from PCI compliance. It may cut down on the company's risk exposure and consequently reduce the effort needed to validate compliance, but it does not mean the company can ignore PCI.
PCI Compliance has two parts: a questionnaire about how you protect the card data you handle, and sometimes a software scan of your website, office and/or shop to make sure it is secure. Together, the questionnaire and scan establish that you meet the list of PCI requirements, which include things like having a secure network, regular testing and a security policy.
If you have an Internet Merchant Facility, your bank may eventually start fining you until you are compliant, or put a freeze on your account until you become compliant.
Should your website or application be hacked, and card details are stolen, you may be liable for crippling fines and asked to conduct a full PCI Audit by a QSA before your bank allows you to start taking payments again.