Skip to main content

Weighing The Cost of PCI Certification

Payment ProcessingPCI

If you’re putting off your payment system security checkup, it’s costing you more than money.

All businesses that process, store, or transmit payment card data are required to implement security standards to prevent cardholder data theft. But getting PCI certified is not as hard as you think.

Weighing the Cost

Time:

While all merchants who accept credit cards for payment are required by the card brands to verify compliance, the time and scope of a PCI-DSS certification itself can vary greatly.

A key step of PCI compliance is making sure you’re using a PCI-DSS certified payment gateway like Ascent’s preferred payment gateway, Slim CD.  Visa, MasterCard, Amex, and Discover consider this to be such an important requirement that merchants using a non-compliant gateway to process online guest payments automatically fail their certification test. Ascent clients enjoy checking this necessity off their lists with ease and confidence.

The scope of the remaining process is dependent on your business model and overall payment volume. Whether you’ll need 15 minutes or 45 minutes to complete your PCI certification depends on whether you accept payments over the phone or in person, or if 100% of your payments are entered by the guest directly into a compliant gateway portal during the booking process.  Most Ascent clients are able to complete their certification in 30-45 minutes.

Money:

The most immediate monetary loss resulting from not verifying your business’ PCI-DSS compliance comes from non-compliant fines assessed by processing banks. These fines can be assessed monthly or annually and can reach nearly $1,000 for every year the certification is missing from the bank’s records. 

The fines are steep because the processing banks really want you to protect your guest’s card data by completing the certification. They have all seen messy and expensive data breaches with huge fines issued from the card brands (Visa, MasterCard, Discover, Amex). While we’ve all heard about the breaches to public companies in the lodging space on the news (https://www.upscalelivingmag.com/5-recent-luxury-hotel-data-breaches-you-should-know-about/), there are countless additional guest data breaches every year in hospitality that we don’t hear about.  With fines assessed in the MILLIONS of dollars, you don’t want to be one of them. 

Ascent’s PCI compliance solutions include personal support and guidance for dealing with a breach, as well as significant financial assistance with fines that may be assessed by the card brands. Additionally, all non-compliant monthly fees are waived in full after you certify your secure systems and procedures.

Reputational Risk:   

Data breaches result in your guest’s stolen credit card numbers for sale on the dark web. Guests are trusting you to keep their payment data safe and a breach severely undermines that trust. In fact, having their data stolen from a merchant’s site is the #1 reason for cardholders to abandon trust of that merchant.  https://www.pymnts.com/news/ecommerce/2022/the-no-1-reason-consumers-lose-trust-in-online-merchants-stolen-personal-data

Bad news travels fast and having your company’s name in the local or national news cycle for failing to protect guest’s payment information results in lost bookings for your business. 

Ascent’s trusted technical partners make it so easy, it’s just not worth the risk.

Fighting Disinformation

Myth #1: 

My software is PCI compliant, so I don’t have to be. 

Don’t fall victim to one of the most common assumptions.  While using a compliant software and outsourcing your payment processing to them greatly reduces your certification path, it does not eliminate it entirely.

The truth is that Visa, MasterCard, Amex, and Discover require ALL merchants accepting their cards for payment to be compliant AND they require each software/vendor touching that card data to be compliant. Don’t let a vendor’s marketing tactic leave you exposed.

Myth #2:

The PCI Questionnaire is complicated, time consuming, and requires me to hire an IT professional.

The truth is that Ascent provides expert PCI support to all clients at no charge. As a standard part of your suite of payment services, our team works with you one-on-one to help translate the sometimes-complex questions into plain English. With our guidance, over 90% of Ascent clients qualify for one of the two quickest and easiest levels of certification. 

What types of questions can you expect to answer during the certification process? Questions like:

  • How your company restricts physical access to card data
  • How you secure your network and information stored on it
  • Confirmation of a secure payment gateway use
  • Follow up questions include reasons why a particular requirement may not be applicable and acknowledgement of status

You know your business better than anyone, and the entire series of questions should take you 30-45 minutes to complete. And if you have any doubts, Ascent has friendly, dedicated support to hold your hand through it all!

Myth #3:

All merchants must complete a complicated technical scan of their system.

The truth is, nearly 100% of Ascent clients use an ecommerce solution that qualifies them for both the shortened questionnaire version AND a waiver of the system scan. It literally doesn’t get any easier.

Myth #4:

I completed my PCI-DSS certification last year, so I’m all set!

Think of this as a journey and not a destination. The self-certification process relies on you to continue managing your payment operations in alignment with the way you answered your Questionnaire. If you change your card-handling procedures or change your software, the Questionnaire you answered a year ago may no longer be accurate. If nothing has changed, the recertification will be quick and easy.

At Ascent, recertification occurs annually in the form of an auto-renewal pre-filled with your previous year’s answers. While your annual renewal can typically be completed in under 5 minutes, it’s important to confirm/attest that your card environment hasn’t changed as you move forward.  

Some merchants have simple, easy-to-correct vulnerabilities that could lead to a costly data breach. PCI-DSS certification significantly reduces the likelihood of that - while also saving you time, money, and risk to your good reputation. By partnering with Ascent, you’ve already made your certification process easier.

Call us today and let’s get this checked off your list!

Categories


Sign up for news and updates