If your company is not fully compliant with Payment Card Industry (PCI) Security Standards, you could be at risk of a serious tangle with attorneys. Technically, PCI guidelines are not a hard-and-fast set of laws. However, merchants can still face hefty liabilities for not meeting them.
Avoid these mistakes to keep your company out of hot water with attorneys:
- Storing Cardholder Data In Noncompliant Programs: Many states have laws regarding data breaches and, depending on where you accept cards, you may be subject to many of them. For example, Massachusetts has 201 CMR 17.00, which requires companies keeping any personal data from Massachusetts residents to prepare a PCI-compliant plan to protect that data. If a company then fails to maintain that plan, the business may face state prosecution.
- Fibbing On The Self-Assessment Questionnaire: If you have considered tampering with the reports from your company’s Approved Scanning Vendor, think again. Time invested now to fix any holes in your data security system could save you big-time from the penalties your company could suffer if there’s ever a data breach. The same thing applies to simply “fudging the truth” on self-prepared compliance reports. Even if you think it’s a harmless stretch of the truth, don’t do it.
- Not Using The Right Qualified Security Assessor: Many companies use Qualified Security Assessors to help them maintain their PCI compliance. Every QSA does not necessarily know as much as another, however. It’s important to select someone who both understands your business and stays up-to-date on the latest version of PCI Security Standards.
- Trying To Resolve Data Compromises Under The Radar: You may be tempted to fix a customer’s complaint yourself if they inform you of a data compromise. Not informing credit card companies of data breaches, however small, can lead to you no longer having access to their services. Those credit card companies can then file suit against your company, costing you big bucks in the end.
- Not Checking ID For Point-Of-Sale Credit Card Use: Sometimes it seems like no one checks IDs against the credit cards being used, so merchants tend to be lax about doing so. Unfortunately, running just one unauthorized credit card could cost you a lot in the long run.
Even if the state in which you do business does not have specific laws regarding PCI compliance, a civil suit may come against your company for any data breaches. The court will not favor you if you have not been PCI-compliant.
All in all, it pays to pay attention to PCI compliance – a little time invested today could save you big-time tomorrow.