The table below summarizes the 12 requirements for compliance, organized into six related sub-groups called “control objectives.”
Yes. All businesses that store, process or transmit payment cardholder data must be PCI compliant. This includes credit card payments taken over the phone.
Yes. Merely using a third-party company does not exclude a company from PCI compliance. But using a third-party processor may cut down on a company’s risk exposure and consequently reduce the effort required to validate compliance.
Yes. PCI security standards apply to credit cards, debit cards, and pre-paid cards branded with one of the five card association/brand logos that participate in the PCI SSC – American Express, Discover, JCB, MasterCard, and Visa International.
The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on to the acquirer, and the acquirer will pass those fines on to the merchant. Furthermore, the bank may also either terminate the business relationship completely or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business. It is important to be familiar with your merchant account agreement, which should outline your exposure.