The PCI DSS, which stands for Payment Card Industry Data Security Standards, is a set of requirements designed to protect cardholder data wherever it is processed, stored or transmitted. These standards were developed in 2006 by the five founding global payment brands - American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa, Inc. – and they are administered and managed by the Payment Card Industry Security Standards Council.

Yes, all merchants, regardless of size, that store, process or transmit cardholder data must comply with the Payment Card Industry Data Security Standards. All businesses are susceptible to breaches. Small businesses are often the most vulnerable.

No. Securing your business is an ongoing process. The Payment Card Data Security Standards are enhanced periodically to protect your business from a breach. Unfortunately, threats from thieves and hackers are constantly evolving. Keep in mind that your business practices may change over time and the practices you use to protect your customers’ credit card information may need to be adjusted to follow these changes.Every merchant is required to complete a self-assessment questionnaire at least every 12 months. Additionally, merchants that require a network vulnerability scan must complete the scan at least every 90 days.

As a merchant that stores, processes or transmits cardholder data, it is your responsibility to be PCI compliant. You have 30 days from the date of enrollment into the PCI Smart program to validate compliance. If you have any questions regarding your date of enrollment, you should contact the PCI Helpdesk for further assistance.

Per the major card associations, the penalties and fines for failure to comply with requirements or to rectify a security issue can be severe. These fines range from $10,000 to $500,000 per incident. If a security breach occurs in your business, you could be liable for at least the cost of the required forensic investigations, as well as covering the costs of fraudulent purchases, and the costs of re-issuing the stolen cards. Beyond the direct fines, your business could also lose credit card acceptance privileges, at least for a period of time. Furthermore, you may also experience a loss of customer confidence as customers discover your business is not doing as much as others to protect their private information.