The Payment Card Industry Data Security Standard (or PCI-DSS) is a set of security standards that protect credit and debit card data. Put plainly, these standards try to keep consumer data from becoming vulnerable. In the wrong hands, a credit card number and security code can lead to fraud, identity theft, and other financial devastation for a consumer (and the credit card company).
The PCI-DSS rules are not mandated by federal law. However, the Payment Card Industry Security Standards Council that governs them makes sure all credit card merchants are bound to them by contract. Basically, if you agree to accept credit card payments, you are agreeing not to play fast and loose with consumer data.
Where do you come in as a home services business? If you accept debit and credit card payments, the PCI standard applies to you as an organization that stores, processes, or transmits credit card data. Fail to meet the rules of PCI-DSS, and you could be greeted with unwelcome PCI non-compliance fees and other legal consequences. Here is a breakdown of how PCI-DSS compliance began, why it’s so important, and how to avoid costly non-compliance penalties.
PCI Non-Compliance Fees: What They Are and How to Avoid Them
Why PCI Compliance Exists
Between 1988 and 1998, Visa and Mastercard lost a combined $750 million to fraudulent credit card use. They weren’t happy about it. By the early 2000s, the two credit giants had combined forces with the other major credit card companies to establish a governing body for their industry — complete with payment security rules for merchants. Beginning in 2005, all merchants were held accountable to the new data security standards.
The PCI-DSS standards have been revised several times, with the most current version being 3.2.
While the origin of PCI-DSS was in the spirit of protecting credit card companies, the standards also serve consumers. Adding chips to payment cards has decreased the amount of counterfeit credit card use in the US, but card-not-present (CNP) fraud is climbing. These transactions happen when the account holder doesn’t have to hand over their physical card to make a purchase — such as when they’re making an online purchase. Keyed-in transactions are also considered a CNP payment. Making sure your company handles card numbers safely means fewer cases of CNP fraud on your watch.
Knowing the Data You’re Protecting
What exactly are you responsible for protecting as a merchant? If you thought only the credit card number was worth securing, you’d be wrong. There are many elements of a payment card that you must safeguard as a merchant when you are transmitting credit card information to your processor. You shouldn’t be storing any consumer card information on your own computer at all.
Not only does storing payment info make it more likely that you’ll fall victim to a harmful hack, but credit card companies who discover you’re doing it may have a lot of questions about the security of your digital infrastructure. You probably don’t have the necessary security on your laptop to store credit card numbers after a purchase. PCI-DSS compliance requires you ensure secure transmission of:
- Primary Account Number: The PAN is the long number across the front of the card. You probably just call it the credit card number.
- Chip Data: Chips have made credit cards much more secure overall, and this makes their data a prime target.
- Magnetic Stripe: The magnetic stripe on the back of a credit card can be cloned to create a second card. Securing your POS machines is the best way to avoid breaching stripe data.
- Expiration Date: The expiration date, when combined with the PAN, is a powerful piece of information to a hacker.
- Authentication Number: Each card has a three-digit number on the back, usually in the signature panel. It’s required for online purchases, so it is a hot commodity for people seeking to clone a card.
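A practical check that follows from the point above about not storing card data: scan your own exports, logs, or spreadsheets for stray primary account numbers. The script below is an added example, not part of the original article or any processor's tooling; the sample lines are constructed and use publicly known test card numbers, and the first-six/last-four masking in the report follows the PCI-DSS display allowance.

```python
import re

# Constructed sample lines standing in for a small business's log or export.
# The card numbers are well-known test numbers, not real accounts.
SAMPLE_LINES = [
    "2024-03-02 invoice #1042 paid, card 4111 1111 1111 1111 exp 12/26",
    "customer callback 555-0134 order 1234567890123",  # fails Luhn, not a PAN
    "refund issued to 5555-5555-5555-4444",
    "job 8821 scheduled, no payment yet",
]

# 13 to 19 digits, optionally separated by spaces or hyphens, not glued
# to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four, the most PCI-DSS permits to display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(lines):
    """Return (line number, masked PAN) for every Luhn-valid candidate.

    Only the masked form is reported so the scan output itself does not
    become a new copy of cardholder data.
    """
    hits = []
    for lineno, line in enumerate(lines, 1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                hits.append((lineno, mask_pan(digits)))
    return hits


if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE_LINES):
        print(f"line {lineno}: possible stored PAN {masked}")
```

Any hit is a record that should be removed or moved into your processor's vault rather than kept on your own machines.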
How Do Companies Remain Compliant?
The PCI non-compliance fee penalty is no joke. Thankfully, you can take decisive action to avoid falling into the non-compliance trap. While there are over 300 requirements for total compliance, they are divided into just a dozen sections. Many of the more technical requirements will be met by your payment processor, but your small business must take control of certain aspects.
Here are some of the ways your home services business should set up its payments and online security so it doesn’t run afoul of industry standards:
- Build a secure network by using a strong firewall on all of your business computers and point of sale (POS) registers.
- Create complex passwords for all systems and programs on your company devices.
- Never transmit credit card data across unsecured (not password protected) online networks.
- Encrypt credit card data before it is transmitted.
- Use anti-virus and malware detection software on your computers and POS devices to ward off fraud and detect hacks early.
- Restrict access to consumer data to only employees who absolutely need it.
- Don’t create physical copies of customer credit card data that could be found or handled by unauthorized personnel.
- Test your computers and POS devices regularly to check for security breaches and potential problems.
Consumers and credit card companies are counting on you to handle credit data properly. Make sure your own machines and networks are not vulnerable to hacking. The following payment related tools and systems must be PCI-DSS compliant:
- Mobile Card Readers
- Point of Sale Registers
- Paper Payment Records
- Internet Networks and Wireless Routers
- Online Shopping Carts
One other — and important — note is that there are different levels of compliance required within the PCI-DSS structure. In all likelihood, your home services business will need to meet Level 4 standards. This tier is applied to all merchants who process fewer than 20,000 transactions per year (up to $1 million). The top tier possible is Level 1, which applies to businesses who process more than $6 million in transactions per year.
Dealing with PCI Non-Compliance Fees
If you’re not a rule follower by nature, the heft of PCI non-compliance fee penalties will motivate you to take credit card security more seriously. The fees assessed are designed to help credit card companies recover money your non-compliance cost them, but they also serve as a punitive lesson. Here are just a few of the financial consequences that could rain down if you are discovered to be in violation of PCI-DSS.
- Monthly penalties up to $100,000. While most small business PCI compliance issues won’t result in fees this high, you could still face major monthly fees as a Level 4 merchant. The fees are assessed based on the number of months that you were not in compliance.
- Per-card fees of up to $90. If you run 100 credit cards during a period where you’re not meeting compliance rules or you experienced a breach even while in compliance, you’re looking at a big bill. These fees are often assessed by your banking institution, and could include chargeback costs.
- Paying for customers’ credit monitoring and other identity theft prevention. If your customers may have had their data breached, you will be responsible for any costs associated with their identity protection for the next year or so.
Other Non-Compliance Consequences
Just when you thought the costs of non-compliance were astronomical, here come the other legal consequences and negative outcomes. Even if your processor is ultimately held accountable for the non-compliance fines, any company that is not keeping their credit data secure enough may face:
- Severed relationship with your bank. If you are storing credit card data on your own unencrypted network or doing other non-compliant activities, you risk ruining the relationship with your bank and credit card processor. They may terminate your contract.
- Lawsuits. You could also face legal action from customers and/or processors for breaking the rules you agreed to as a credit card merchant.
- Damaged reputation. If one customer gets their information stolen after doing business with you, they may tell ten friends. The truth is that most consumers are more apt to share a negative review than a positive one.
- Lost revenue. When you lose customers because of stolen credit card data, you lose revenue.
Reducing Your Up-Front PCI-DSS Compliance Costs
One way to mitigate PCI compliance cost is to do business with a payment processor that is certified. Most home services businesses are simply not equipped to deal with their own PCI security — and there is no reason to. Any reputable credit card processor (think Braintree or Square) will be transferring your customers’ credit card data over secured servers and creating digital silos for stored information.
Your payment processor will typically bake the price of PCI compliance into the price of your services. There won’t be one price for a non-compliant account and another for a PCI-compliant plan. That being said, don’t be shy about interrogating a potential payment processor like Clover or Stripe about how they keep consumer data safe and meet security standards.
The art of secure payment processing is as intricate as it is essential. The average small business doesn’t know where to begin with securing payments, yet you’re held to the same PCI-DSS standards as a big brand company. Sign up with a payment processor who is completely compliant, and you have made a significant step toward due diligence to remain on the up and up.
Do you still have questions about how to safely transmit consumer data? At Housecall Pro, we can connect you with a secure app for everything from scheduling appointments to processing payments. With all of your information in the same secure app, you can conduct business with peace of mind.