PCI Compliance is Required – Validation, Maybe Not



PCI compliance is required for all businesses. However, validating PCI compliance may not be required for many businesses.

The burden of validating PCI compliance for a large segment of businesses is the responsibility of individual acquirers, processors and merchant service providers.

What is PCI?

PCI stands for "Payment Card Industry," and it's actually the first part of a two-part acronym that refers to security guidelines for businesses that accept credit cards. The full acronym is PCI DSS, which stands for "Payment Card Industry Data Security Standard."

PCI DSS provides businesses that accept credit cards with guidelines and an actionable framework to protect cardholder data. PCI DSS is governed by the PCI Security Standards Council, and it was originally created using information from Visa's Cardholder Information Security (CISP) program and MasterCard's Site Data Protection (SDP) program.

Is PCI Compliance required?

PCI compliance is required for all businesses that accept credit or debit card payments — even for businesses with very little volume. However, only larger merchants are required to have PCI compliance validated by a qualified security assessor (QSA).

Small businesses are supposed to be PCI compliant, but it's up to the business's credit card processor to check.

The PCI Security Standards Council explains PCI requirements best in the following excerpt from its PCI FAQs:

"All merchants that store, process or transmit cardholder data must be compliant now. However, as a Level 4 merchant, you will have to refer to your merchant bank for its specific validation requirements and deadlines."

Essentially, the current validation guidelines open the door for merchant service providers to take a "don't ask, don't tell" approach to PCI compliance validation.

Merchant Levels & Compliance

PCI guidelines separate businesses into four levels depending on the number of transactions processed annually and the method used to transmit cardholder information.

Most businesses are classified as PCI level four, which is the least scrutinized level for businesses that process fewer than 20,000 e-commerce transactions and fewer than one million retail transactions annually.

For these merchants, it's up to individual processors and merchant service providers to determine validation requirements, or whether to validate PCI compliance at all.

Processor Approaches to PCI Validation

Not surprisingly, processors and merchant service providers have taken several different approaches to validating PCI compliance — some better than others.

Compliance Support & Required Validation

Some large processors, such as First Data, require all businesses to validate PCI compliance, and provide PCI support programs to help businesses become compliant. These support programs typically carry some sort of annual or monthly fee.

Businesses that have not validated compliance are typically charged a PCI non-compliance fee that's meant to serve as a reminder to become compliant.

First Data and other processors that have taken it upon themselves to require compliance from businesses also allow merchant service providers that use their processing services to maintain their own in-house compliance validation programs. The fees and requirements for such programs are left to the discretion of each provider so long as businesses validate compliance.

Merchant Service Provider Discretion

Currently, the most popular approach that large processors take to PCI is to leave compliance validation up to merchant service providers. This approach passes the PCI buck one more level, and opens the door for the provider to let businesses handle PCI validation on their own terms.

Merchant service providers that don't check validation aren't necessarily being irresponsible or devaluing the importance of PCI compliance. In fact, this approach is beneficial for businesses in a number of ways.

Freedom to Choose Vendors
PCI has created a cottage industry of scanning vendors, consultants and qualified security assessors, each with their own rates and fees. By allowing businesses to validate PCI on their own terms, merchant service providers make it possible for businesses to shop for vendors that closely match their needs.

Lower PCI Expense
Merchant service providers that provide a mandatory PCI validation service charge all businesses the same fee for the program. However, the cost of PCI compliance and validation is much less for retail businesses than it is for e-commerce businesses.

This leaves retail businesses paying more than their fair share for PCI validation, and e-commerce businesses paying less.

Merchant service providers that allow businesses to handle PCI validation themselves ensure that the price a business pays for validation is relative to how it processes credit cards.

PCI Increases Cardholder Security
The point of PCI is to ensure businesses are taking the necessary steps to safeguard credit card information. It's important -- especially for e-commerce businesses that transmit cardholder information electronically.

Merchant service providers that don't check validation are assuming a business will validate on its own. Of course, this doesn't happen 100% of the time, and PCI non-compliant businesses will slip through the cracks.
