
PCI Non-Compliance Issues and Penalties.

Though the Payment Card Industry Data Security Standard (PCI DSS) applies to every merchant who accepts payment cards, many merchants lack a comprehensive understanding of what PCI is or how it is enforced.
Unfortunately, this puts these merchants at a serious disadvantage when it comes time to make decisions around PCI compliance – a particular problem for new or aspiring business owners.
So how can you explain PCI compliance and penalties to a beginner? Below are four key points to convey.

1) PCI is a set of industry rules – not a law.

One common misconception is that PCI originates with the government, like other security requirements such as HIPAA. But it’s important to note that PCI is a creation of the payment card brands.

2) Non-compliant merchants are penalized by their acquiring banks.

If a merchant experiences a security breach and is found to be non-compliant with PCI rules, they may be subject to fines, and those fines may be steep. Depending on the circumstances, merchants might have to pay anywhere from $5,000 to $100,000 every month until they address all compliance issues. If they don’t resolve the problem satisfactorily, they could even have their ability to accept cards revoked.

3) Acquiring banks determine how a merchant must demonstrate compliance.

Since banks are responsible for enforcing PCI compliance, they can decide how they wish to verify a merchant’s compliance (and how they penalize non-compliance).

4) PCI compliance rules can be a useful resource.

It’s not unusual for business owners to feel frustrated by rules and requirements like PCI. Few get excited by additional obligations that call for spending more time and money. But the most productive way for merchants to think about PCI is as a set of continuously evolving security best practices.
