There are a ton of people out there who hear about hacking and assume that since they’re an average person at a small company, they’ll never have to worry about cybercrime. In their mind, as long as they protect their identity online and cancel any lost credit cards they’ll never have to deal with the hassles of practicing sound cybersecurity. Well, if you know any of those people, or happen to be one of them, there’s something you should know. Anyone with knowledge of the cybersecurity field will tell that no one can slack on their cybersecurity because everyone is a target.
Don’t believe it? Visa does. That’s why they recently changed PCI DSS to include level 4 merchants. What does that mean for you? It means that thanks to the high amount of cybercrime, most companies are now going to have to comply with PCI DSS code, and if you and your company don’t know what that means you need to keep reading unless you want to get caught off guard.
PCI DSS stands for payment card industry’s data security standard. In the early 2000s, online commerce and web infrastructure was kind of like the Wild West because of how new the internet on such a massive scale was back then. That meant that companies couldn’t reliably do business online or process credit card transactions, but that changed after Visa and other large credit card companies released the first version of PCI DSS in 2004. Ever since companies who wanted to do business with people who carried Visa cards had to be PCI DSS complaint. Compliance requirements under PCI DSS have always been less stringent for smaller companies and stricter for larger ones, but due to the rise in cybercrime and the effectiveness of modern breaches Visa just made a big change that everyone needs to know about.
Under PCI DSS companies have their own levels of compliance based on their merchant levels. The largest companies are level 1 while the smallest are level 4 with everyone else in between. In the past level 4 merchant’s compliance was simple, but as of January 31st they’re now required to fill out an annual self-assessment questionnaire and send it to their bank. In the past couple of months, level 4 merchants have discovered that filling out a SAQ is no walk in the park. Until recently, level 4 merchants were excused from filling out a SAQ because they can contain over 500 questions that cover everything from the name of the business to complex network infrastructure. That’s why it’s not uncommon for a company to spend weeks filling one out, and if they don’t whoever is in charge could be in big trouble. The consequences of failing to be PCI DSS compliant include audits, fines, and remediation costs, so when someone signs the dotted line they better be sure they’re 100% sure about their company. Perhaps the worst punishment of failing to be PCI DSS compliant is that if you’re found to be responsible for a breach where data was compromised you will be bumped up to a level 1 merchant, and that means you have to do the amount of work that a company who process more than 6,000,000 Visa transactions every year does even if you only do 15,000.
Don’t risk not taking PCI DSS compliance seriously. Small business all over are finding out that being compliant isn’t something you can do by simply Googling the answers. If you’re not a IT professional and your company is struggling to be PCI DSS compliant find someone who knows the ins and outs of compliance and hire them immediately. No matter what it costs you, it’s worth it considering the headache massive headache you’ll have to deal with if you fail.