PCI Compliance Makes Good Business Sense
The PCI DSS was introduced by the five major credit card companies to stem the growing tide of credit card fraud. PCI compliance means security for you and peace of mind for your customers. In the end, it's just good business sense.
Credit card fraud is one of the most common forms of identity theft today. Billions of dollars are lost every year to this problem, and those billions come out of everyone's pockets, merchants' and consumers' alike. Something needed to be done to guard sensitive information and maintain the integrity of the system.
The PCI DSS was introduced by the five major credit card companies to stem the growing tide of credit card fraud. PCI compliance is required for any merchant who conducts credit card transactions or stores or transmits sensitive information. Originally, these companies all had their own standards that merchants were supposed to adhere to, but they realized that a single standard was in their best interests as well as those of the merchants.
So what does PCI compliance entail? There are 12 separate requirements, and those requirements consist of more than 200 individual security controls. In summary, though, these requirements center on protecting sensitive data. This means collecting and storing information on highly secure systems. This information also has to be tracked, and actions taken on it must be logged for future analysis.
Monitoring and alerting are also important aspects of PCI compliance. You must always be aware of possible threats to your systems and know how to detect and react to them if something does happen to your information. Knowing how to cope with problems is one of the most important things a merchant can learn. After all, what good is detecting problems if you are unsure how to resolve them?
To encourage PCI compliance, the credit card industry has instituted a range of penalties and fines that can be very costly for a merchant. But these are just the beginning. If a merchant were to suffer a breach, the damage done to their reputation could be irreparable.
Consider the example of the TJX company. Between July 2005 and December 2006, it suffered one of the worst breaches in U.S. history. Hackers compromised an estimated 45.7 million credit and debit cards. Another 455,000 returned-merchandise records were also compromised, and these included customers' driver's license numbers.
The estimated cost of the breach was around $118 million, though outside sources put that figure in the billion-dollar range once all the legal fees, call center costs, and other fines were taken into account.
For years now, large companies have been reporting severe breaches of their security, and customers and the Payment Card Industry are growing weary. PCI compliance is necessary because it helps merchants recognize all the avenues a criminal might employ to attack their systems. After all, it wasn't that these large companies actually lacked security. In fact, they probably had very good security. They simply weren't prepared to deal with every area of possible threat.
But PCI compliance isn't just for large companies. In fact, studies have shown that hackers are increasingly targeting smaller businesses. These small businesses are tempting targets, specifically because their security measures are often not up to the right standard. And even though this may yield fewer credit card numbers since the company doesn't do as much business, if they hit enough companies such as this, things can become very profitable very quickly.
Large or small, PCI compliance is good business sense. A huge company like TJX can weather the financial troubles, but a small one cannot. More than that, there's an issue of trust. How many consumers will think twice about shopping at a store with a huge breach in its history? Again, a national chain will probably survive, but not every business will.
PCI compliance means security for you and peace of mind for your customers. In the end, it's just good business sense.
Andy Eliason is a writer at Main10, Inc. If you'd like to learn more about how to achieve PCI compliance, or other data security measures, visit Braintree Payment Solutions today.