Do I have to be PCI compliant as a merchant?

If you are asking yourself: “Do I have to be PCI compliant as a merchant?”, I’d love to ask you something in return first:

Do you accept credit or debit cards from your customers? That is, any kind of cards from Visa, Mastercard & Co?

If yes, you must (or at least should) be certified according to PCI DSS.

If, on the other hand, you do not offer your customers any payment options with credit or debit cards, then you are not obliged to be PCI certified or PCI compliant.

Regardless of this, I would still recommend that you look into PCI DSS and its security features. You can find the reasons for that in this article.

First of all: What is PCI DSS?

PCI DSS, the Payment Card Industry Data Security Standard, regulates and provides guidelines for the handling and processing of credit card transactions. The set of rules was created by the major credit card organisations.

The PCI DSS consists of a group of twelve requirements that must be met in full or in part, depending on the merchant’s classification and qualification.

What is cardholder data?

Cardholder Data (CHD) is considered to be the following details:

  • primary account number (PAN), card number
  • name of the cardholder
  • expiry date of the card
  • service code.

As a merchant and business owner, you need details of cardholder data from your customers in order to accept a payment. Be it in your online shop, at a mobile POS terminal or a fixed installation, you need to take cardholder details from your customers in some way. After all, that’s the only way customers can pay you by card.

We do not store cardholder data – is that still PCI-relevant?

In short: Yes!

Even if you don’t store cardholder data in your own systems, you still need to meet PCI requirements and be PCI compliant.

Here is an example: In your online shop, customers can pay by card. For this purpose, you have integrated a special form of your payment service provider (PSP), i.e. the cardholder data is recorded directly on the server of the payment service provider. You do not store any data, but are only informed of the “ok / not ok” for further processing of the purchase/order.

Nevertheless, you must comply with PCI DSS, because it is your website that establishes the connection to the PSP, and cardholder data can be accessed and breached via your website during this process.

What happens if I am not PCI compliant?

If you accept or are involved in credit card transactions, then you must comply with PCI DSS.

Failure to comply with PCI DSS will result in penalties if a breach occurs. These range from quite substantial monetary penalties to exclusion from the (credit card) network.

We do not accept credit cards. Why is PCI DSS still a good idea?

If you do not carry out card transactions with Visa, Mastercard, etc., you do not have to comply with PCI DSS.

Why is implementing PCI DSS, even in parts, still a good idea?

There are several reasons:

  • As soon as you store customer data of any kind, even if it is only a name, email address or telephone number, you should handle it with a lot of care. By “a lot of care” I mean: under no circumstances should a third party be able to access it. And that is exactly what PCI DSS was designed for.
  • It is not just customer data that needs to be protected. You certainly don’t want to give away your internal data either. By dealing with PCI DSS, you sensitise yourself and your company to possible weak points in your IT environment.
  • And even if you don’t accept credit card payments now, maybe that will be an option in the not too distant future? The percentage of card payments is increasing steadily. If you already deal with PCI DSS and maybe even implement parts of it, you will be prepared and can act faster.

Do you have questions about PCI DSS, your classification as a merchant or the questionnaires (SAQ)?

As a PCI-certified QIR (Qualified Integrator and Reseller), I perform so-called “qualified installations”. As soon as you accept credit card payments, you should have spoken to a QIR at least once. I have described in this article why the sometimes very short cooperation with a QIR makes sense for you.

As a QIR, I cannot and should not confirm or certify you as PCI compliant. However, I am happy to support you with your questions about PCI DSS, necessary installations or updates, discussions with payment service providers, banks or programmers.

PCI compliant or not?

As a merchant, do you have to be PCI compliant? Here is the summary:

  • Do you accept card payments from Visa, Mastercard, etc.? YES, you must be PCI compliant!
  • You do not accept credit card payments? NO, there is no obligation for PCI compliance.

Do you accept card payments and have questions or doubts, or need help regarding PCI DSS?

Click here for our contact details. I am looking forward to your message!
