This post was contributed by a community member. The views expressed here are the author's own.


What is PCI and why is it important?

With the starting gun of Black Friday days past, the holiday shopping season is in full swing. Across the country, consumers will be swiping their cards in retail establishments for the rest of December. More purchases mean more fraud, so the Payment Card Industry Data Security Standard (often "PCI DSS" or just "PCI") is in place to protect consumers and the card brands. This article discusses what PCI means to a small business owner and why certain elements are very important to understand.

What is PCI? It's a set of rules, published by the PCI Security Standards Council (founded by the card brands), about how a merchant must keep customers' credit card data safe. The rules cover the security controls and storage practices that must be in place on computers, servers and networks that store, process or transmit credit card data. For example, there are rules that specify where anti-malware software must be installed, where encryption must be used, how access to card data must be restricted and logged, and what security testing must be done. The rules do not guarantee that a hacker can't steal your customers' data, but they do create a reasonably secure structure that minimizes the chances that the data can be stolen. Complying with the rules also puts you in a far better position if your customers' data is stolen from you, because the card brands and your acquiring bank levy their largest fines and penalties on merchants that were not compliant at the time of the breach, and in practice most card-data breaches happen at merchants that were not compliant.

Who has to be PCI compliant?  Everyone who accepts cards. Regrettably, many more people are required by the card brands (AMEX, Visa...) to be compliant than know it.  The rules are pretty simple, but there is often much misinformation about who has to reach what compliance standards. In a nutshell, the rule is that anyone who stores, processes or transmits credit card data has to be compliant. Furthermore, the rules about how to be compliant are the same for Wal-Mart and the one-man shop on Main St. The misinformation comes in around the number of transactions that a company processes and what it has to do to demonstrate compliance.  Essentially, the largest merchants must hire expensive outside auditors (Qualified Security Assessors) to annually certify that the rules are met, while small merchants validate internally by completing and signing a Self-Assessment Questionnaire (SAQ) every year, plus quarterly external vulnerability scans if they have any Internet-facing systems that handle card data.  Many don't even do that.

So what is a small business to do? In my experience, I find that small businesses typically end up in the first two of the following three possible scenarios:

  1. Ignore the rules altogether - While being in business is about personal financial reward for taking entrepreneurial risk, most of the people who take the risk of ignoring the rules don't realize the size of the risk they have taken on.
  2. Outsource your compliance - when you hire a third party to take care of your entire card processing workflow, you let them focus on compliance (for you and all of their other customers), and you can rest assured that if your system is hacked, there is no customer card data on it to be stolen. You still have to confirm that the provider is itself PCI compliant and sign the (much shorter) self-assessment that applies to you, but your own systems are largely out of scope. If you have a handheld card reader next to your cash register that sends the card data straight to the processor without passing through your own computers, you may already be doing this.
  3. Become internally compliant - it's nice to think that a leader can just say "we are going to be PCI compliant this year", but it typically takes a team of experts to implement a plan.  Most business leaders will be shocked at the actual cost of doing this. 
That being said, #2 is typically the best realistic solution for a small business owner who wants to curb their liability. While many may initially scoff at the increase in costs to have a third party take care of card data security, for a small business that must take cards, #1 and #3 can carry costs so large that paying an extra 1% in discount rate for a third party to do everything sounds appealing.

I hope this gives you a brief insight into the realities of accepting credit cards in your small business.  Please look for my future articles on small business accounting and decreasing back-office expenses.
