PCI Compliance is Required – Soon, Validation Will Be, Too
PCI compliance is required for all businesses, but until January 2017, validation of that compliance has not been required for all business types. Visa has now issued new rules requiring validation for all businesses starting in January 2017. You can read more about it, including details on Qualified Security Assessors, in this article.
The burden of validating PCI compliance for a large segment of businesses is the responsibility of individual acquirers, processors and merchant service providers.
What is PCI?
PCI stands for "Payment Card Industry," and it's actually the first part of a two-part acronym that refers to security guidelines for businesses that accept credit cards. The full acronym is PCI DSS, which stands for "Payment Card Industry Data Security Standard."
PCI DSS provides businesses that accept credit cards with guidelines and an actionable framework to protect cardholder data. PCI DSS is governed by the PCI Security Standards Council, and it was originally created using information from Visa's Cardholder Information Security Program (CISP) and MasterCard's Site Data Protection (SDP) program.
Is PCI Compliance required?
Yes, PCI compliance is required for all businesses that accept credit or debit card payments — even for businesses with very little volume.
Merchant Levels & Compliance
PCI guidelines separate businesses into four levels depending on the number of transactions processed annually and the method used to transmit cardholder information.
Most businesses are classified as PCI level four, the least scrutinized level, which covers businesses that process fewer than 20,000 e-commerce transactions and fewer than one million retail transactions annually.
For these merchants, it has traditionally been up to individual processors and merchant service providers to determine validation requirements, or whether to validate PCI compliance at all. However, in January of 2017, Visa will begin requiring validation for all businesses, including level four merchants.
Processor Approaches to PCI Validation
Not surprisingly, processors and merchant service providers have taken several different approaches to validating PCI compliance — some better than others.
Compliance Support & Required Validation
Some large processors, such as First Data, require all businesses to validate PCI compliance, and provide PCI support programs to help businesses become compliant. These support programs typically carry some sort of annual or monthly fee.
Businesses that have not validated compliance are typically charged a PCI non-compliance fee that's meant to serve as a reminder to become compliant.
First Data and other processors that have taken it upon themselves to require compliance from businesses also allow merchant service providers that use their processing services to maintain their own in-house compliance validation programs. The fees and requirements for such programs are left to the discretion of each provider so long as businesses validate compliance.
Merchant Service Provider Discretion
Currently, the most popular approach that large processors take to PCI is to leave compliance validation up to merchant service providers. This approach passes the PCI buck one more level, and opens the door for the provider to let businesses handle PCI validation on their own terms.
Merchant service providers that don't check validation aren't necessarily being irresponsible or devaluing the importance of PCI compliance. In fact, this approach is beneficial for businesses in a number of ways.
Freedom to Choose Vendors
PCI has created a cottage industry of scanning vendors, consultants and qualified security assessors, each with their own rates and fees. By allowing businesses to validate PCI on their own terms, merchant service providers make it possible for businesses to shop for vendors that closely match their needs.
Lower PCI Expense
Merchant service providers that provide a mandatory PCI validation service charge all businesses the same fee for the program. However, the cost of PCI compliance and validation is much less for retail businesses than it is for e-commerce businesses.
This leaves retail businesses paying more than their fair share for PCI validation, and e-commerce businesses paying less.
Merchant service providers that allow businesses to handle PCI validation themselves ensure that the price a business pays for validation is relative to how it processes credit cards.
PCI Increases Cardholder Security
The point of PCI is to ensure businesses are taking the necessary steps to safeguard credit card information. It's important, especially for e-commerce businesses that transmit cardholder information electronically.
Merchant service providers that don't check validation are assuming a business will validate on its own. Of course, this doesn't happen 100% of the time, and PCI non-compliant businesses will slip through the cracks.