By 2028 only 9 per cent of transactions will be made by cash, according to research by UK Finance. This confirms what most business owners already know: payment by card is the preferred method for the vast majority of their customers. With this seismic change in the way we do business, however, comes a high degree of responsibility. Those customers are sharing their valuable personal card data with you, and it is your duty to safeguard that data.
Although compliance with the Payment Card Industry Data Security Standard (PCI DSS) is not a legal requirement under UK law, it is a contractual one: it forms part of the merchant agreement with your acquiring bank, so it is prudent to treat it as if it were law. In the event of a breach where non-compliance with PCI DSS is found, the consequences can be catastrophic. They can include fines and penalties and, ultimately, your acquiring bank is entitled to withdraw your ability to process card payments altogether. There is also reputational damage, which can undermine customer trust and bring serious financial consequences of its own.
Everyone who handles card payments therefore needs to maintain PCI compliance, to protect both their customers' data and their own business. Even businesses that outsource card processing remain ultimately responsible for the care of that data while it is collected and transmitted: outsourcing can reduce the scope of what you must secure, but it does not transfer accountability. It is also the business's responsibility to establish how it intends to comply with the PCI DSS; no official body is going to do it for you.
Your bank should be able to advise, to some extent, on what is needed to achieve compliance once an assessment has been carried out, but establishing the exact requirements can be a complex business. Advice and guidance on your specific PCI compliance can, however, be obtained from a Qualified Security Assessor (QSA). These highly experienced individuals, certified by the PCI Security Standards Council, have the experience to manage the compliance process and can reduce its cost to your business, for example by helping you scope the assessment correctly so that only the systems that genuinely store, process or transmit card data fall within it. They also help organisations at all levels to understand how to establish and maintain ongoing compliance.
This is important because compliance is itself an ongoing process, not a one-off event. You may pass the PCI compliance audit one day, but if an ill-judged change is later made to a system, you may no longer be compliant; this is why the standard expects change control, monitoring and regular testing rather than a single annual check. The day of judgement for PCI compliance is not the date of the audit but, in the event of a breach, the state your systems are found to be in when that breach is discovered and investigated.