PCI Compliance What Is It? Why Does It Exist?

If you have ever reviewed your monthly Merchant Account statement and discovered that you have been paying a PCI Compliance penalty fee for months – you know how upsetting that can be. If you remain out of compliance for 6 months, that can cost you about $180 in penalty fees.

About PCI Compliance

In 2006, an independent body was created by Amex, Visa, MasterCard, Discover and JCB to effectively try and reduce credit card fraud caused by the poor handling of credit card information by merchants and their employees. On a grand scale, let’s think back to when Target had a data breach of nearly 40 million credit card numbers from their internal computer servers. This happened as a result of weak security walls within their computer servers, and this should paint a pretty big picture of why the need for PCI compliance exists. Many large companies such as Home Depot, Chipotle and even Facebook, with all of their technology have all been vulnerable to data breaches.

In a majority of merchant related fraud cases, merchants were found to be largely responsible for leaks of credit card data by improper handling of credit cards by employees or inefficient security walls and protection within their servers. Merchants are provided credit card numbers, expiration dates and the magic three or four-digit security codes needed to authenticate. If written down on paper by an employee, they become a license to steal by anyone who happens upon the written information. PCI regulations mandate that you are never allowed to write down a complete card number with the related data. It is rules like this that make PCI Compliance so important to the credit card processing industry as well as the banks who issue credit cards. It is meant to protect the cardholder who is trusting you and expecting you to safeguard their data.


In its full acronym, it is called PCI DSS. Spelled out, it is the Payment Card Industry Data Security Standards. It is this organization that assesses a monthly penalty for failing to maintain a PCI Compliance Certificate on file with your credit card processor. That fee does not go to Aurora Payments. It is assessed by the acquiring banks who assess the penalty to your processor, such as Aurora Payments, who then passes it on to you, the merchant.

Maintaining PCI Compliance

The easiest way to maintain compliance is to complete a simple Self-Assessment Questionnaire, also known as an (SAQ). The SAQ is to be completed by the merchant on an annual basis and submitted to your processor to insure that not only are you handling credit card numbers with sensitivity but also making sure your computers cannot be hacked by an outside source if you store credit card information on your servers as Target does. It’s simply an annual review that reinforces and reexamines the way you and your employees handle credit card information as well as testing the firewalls of your computer server.

As a merchant, you are responsible for safeguarding your client’s credit card information from the time you receive it. Once a credit card number has been entered into your computer system it should be stored in an encrypted format, so employees are only able to see the last four or five digits of the card number and never have access to the entire card number again. Using this same principle, remember, a credit card number should never be written down on a paper for later use.

Developing policies that prohibit the transmission of credit card information by email or text messaging with your employees can further prevent data breaches and exposures from occurring.

Once you complete the SAQ, you will be issued a PCI Compliance Certificate upon successful analysis of your SAQ. This proves that you accept credit cards with proper concern for security and storage handling.

Credit card fraud affects nearly 32 million people each year and your efforts as a merchant can help reduce the chance of compromising your customer’s credit card and personal information.

Here at Aurora Payments, we begin sending reminder notices that your PCI Compliance Certificate is about expire in 90 days. We will remind you again at 60 and 30 days out to complete the annual SAQ. If you fail to take action, you will be assessed a penalty of about $30 a month and the penalty fee will continue to be assessed until you provide us with a new Compliance Certificate. Remember that we collect this money on behalf of the banks and we at Aurora Payments are not the one who assesses the penalty fee.

If you need help with PCI Compliance, contact your Account Executive or if you are not a Aurora Payments client, give us a call at 833-287-6722.

PCI Compliance assistance is just another benefit of doing business with Aurora Payments. We also offer Data Breach Protection Plans at a very affordable price.