Payment Card Industry (PCI) Compliance is high on the agendas of Audit Committees and Executive Leadership due to increasing pressure from credit card brands and regulatory agencies. Lack of compliance may prevent businesses from being allowed to accept credit cards as a form of payment. Businesses that have a data breach where credit card data is actually stolen will be subject to much larger fines and fees from the banks, card brands, etc., and are required to report the breach, which quickly makes the news and causes further reputational damage.
The PCI Data Security Standard (PCI DSS) is used to assess organizations that handle credit cards from the major card brands, including Visa, MasterCard, American Express, Discover, JCB and China UnionPay. PCI DSS applies to all entities that store, process and/or transmit cardholder data. If your business accepts or processes credit cards, PCI DSS applies to you. However, the PCI DSS is so complex that most businesses do not know where to begin.
At UHY, we manage PCI-related initiatives as consultants rather than auditors, which allows us to provide guidance and recommendations throughout the effort. We offer a full suite of PCI Compliance consulting services to help businesses of all sizes address their compliance obligations. We tailor each PCI-related initiative to the individual needs of our clients. The cornerstone of our methodology is to translate IT risks into business risks and provide meaningful insight to your business. Alongside the compliance deliverables, our PCI service offerings are regularly used to assess and improve the security posture of our clients.
The era of procrastination is over. In its place we are entering a period of consequences.
Hackers are no longer targeting the Targets and Home Depots of the world. Increasingly, they’re targeting small and medium-sized businesses that have not gone through the risk and compliance efforts needed to protect themselves. As incidents of credit card hacks and data breaches mount, these businesses face increased compliance obligations and liabilities.
As consumers and businesses have begun receiving new credit and debit cards with shiny embedded microchips (known as EMV technology), many are unaware of the liability shift that occurred in 2015. As of October 2015, merchants that are not certified to accept EMV card transactions may be responsible for certain fraudulent charges, a change from the previous rules, under which liability rested solely with the card issuer. Estimates indicate 94 percent of magnetic-stripe-only credit cards will be replaced by the end of 2016. As a result, businesses that accept credit cards face a dramatically different landscape compared to just a few short months ago.