What is PCI and Why Do You Need to Be Compliant?
You may be familiar with a PCI compliance fee (or sometimes called a non-compliance fee) associated with any merchant account you would sign up for. Unlike other services, this line item will not change depending on the type of package you get as it is essential for maintaining your merchant account. But when you pay this annual fee, what is it actually doing? First off, PCI stands for the Payment Card Industry, which sets a certain security standard that any merchant must be up-to-date with. Being PCI compliant would therefore apply to anyone that processes, stores, or transmits credit card information. If you have a merchant ID, then you fall under this category! While the PCI sets that standard, it is up to the merchants—not the credit card brands—to take the right security measures, so having a merchant account allows the credit card processing company to stay compliant for you. In addition, your business will fall into one of four PCI compliance levels, judged by how many Visa transactions you are processing within a 12-month period. These four levels are listed below, as lined out by the PCI DSS:
Level 1—any merchant, regardless of acceptance channel, processing over 6 million Visa transactions per year.
Level 2—any merchant, regardless of acceptance channel, processing 1 million to 6 million Visa transactions per year.
Level 3—any merchant processing 20,000 to 1 million Visa e-commerce transactions per year.
Level 4—any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1 million Visa transactions per year.
Based on these levels, those processing more transactions will be held at a higher validation level. It is important to note that having an SSL certificate, even a high assurance SSL certificate, is not enough to ensure compliance. At the most it can confirm a secure connection between the customer’s browser and the web server in addition to validating the website operators are a legitimate and legally accountable organization. To be fully PCI compliant, however, companies must also complete a self-assessment on their business as well as passing a vulnerability scan, if applicable.
At the end of the day, merchant accounts require a small annual fee to keep your business PCI compliant. Since this is a standard set by all major card brands, failing to stay compliant can result in fines from $5,000 to $100,000 per month from an acquiring bank. You can be sure the bank will pass these fees on to you, the merchant, in addition to other penalties from the bank including increased transaction fees or termination. The best way to avoid that? Make sure you have a merchant account with a trusted credit card processing company so PCI non-compliance is something you never have to worry about. Find more information about the PCI DSS here.