The payment card industry needs to ensure people do not lose faith in their system. If too many merchants and consumers are hit by credit card fraud, then they may stop using cards altogether.
Obviously, the industry doesn’t want this to happen. That’s why the major card brands formed the PCI Security Standards Council and published PCI DSS, the Payment Card Industry Data Security Standard. PCI DSS sets a security baseline for every organization that stores, processes, or transmits cardholder data.
So banks want you to comply with the rules, right? Not necessarily, and especially not if you are a small merchant.
Acquiring banks, the ones that sign up merchants to process credit cards, are responsible for getting their merchants compliant. However, they are also allowed to charge higher fees to merchants who do not comply, so non-compliance earns them money. They have little incentive to help small merchants like you.
The higher fees may show up as monthly, quarterly, or annual administrative fees in your statement. They may not show as related to non-compliance, even if that’s the cause. Review your next statement carefully.
Penalties for PCI DSS non-compliance are issued by the card brands to the banks, but the banks do not pay them. The fines are passed on to you, the merchant.
So although the banks are responsible to get merchants compliant, they do not suffer the consequences if they fail. Paying the fine is your problem, so the banks are not motivated to worry about it.
Small and medium businesses are usually Level 4 merchants. Each card brand sets its own merchant levels; under Visa’s definition, Level 4 covers merchants processing fewer than 20,000 e-commerce transactions a year and all other merchants processing up to one million transactions a year. Banks do not consider these merchants a priority.
Banks are more concerned with getting their major retail customers compliant. Companies like Target and Home Depot are larger sources of revenue for them. They cannot afford to lose a large customer to another bank that provides more assistance. But they can afford to lose thousands of small customers like you before it hurts.
The incentives are not in place for acquiring banks to help small merchants get compliant PCI DSS security. So what should you do? Achieve compliance anyway!
Compliance may help lower your processing fees and reduce the fines and costs you face should a breach occur. It will also set you on a path toward better security, one that helps you protect customers, minimize network disruptions, and get more out of the investments you have already made in technology.