At its heart PCI requirements are a set of standards designed to make sure all companies in the payment chain are handling cardholder data in a secure environment. Having a structured Requirement like PCI can feel like a burden to many small Businesses however it pails in comparison to the burden of operating in a world without it. PCI was once explained to me as something that can’t make a business completely secure, however, it will assist businesses to take small incremental steps in securing their businesses. Sure a business might get through the Self Assessment Questionaire the first year and still not have implemented most of the best practices, however, if they implement a few each year they are going to be big strides over time.

At the time I thought that was a fair point, however, the person telling me worked for the company getting paid to handle compliance. That said over the years we have seen our customer base become much savvier about securing their customer’s data. Sure there are still questions in the Self Assessment Questionnaire(SAQ) that seem to stump everyone, but the fact they get stumped means they are thinking about the questions. People who blindly guess at answers don’t tend to get stumped.

Over the years PCI has prevented fraud, which is something you can’t really quantify. I know for many PCI seems like a pain, but have a breach as a small business and see how your customers respond to it… See how burdensome your payment processing becomes with fines and additional requirements. Most businesses don’t realize that PCI has likely already prevented an issue in their business. Maybe you can find a merchant who claims to have never done PCI and they don’t know a thing about it, but I bet you can still find ways that PCI has helped that merchant. From changes made in computer network hardware, the merchant’s own payment device(s), how the other businesses in the area operate, and of course, changes made at the processor level.

To this day I am still not thrilled about the PCI process. The SAQs are generally to long, some questions incomprehensible, and the vulnerability scan is way outside the scope of many merchants. I wish all of those things would change for the better, however, looking back on PCI since it originally came out in late 2004 I have to say even as complicated as it is, it seems to have done a lot of good.

If you are one of the businesses that gave up on trying to complete your PCI, I recommend you give it another go. PCI support as improved industry-wide and the benefits over time greatly outway the hour or two of annoyance. I agree it’s definitely not as good as it could be for small businesses, but it still beats the alternative.