By law? No. By your credit card processor? Yes.
In a nutshell, PCI DSS is a baseline information security program. The PCI DSS lays out security best practices such as maintaining a firewall and following password best practices. Merchants are required by their credit card processors to adhere to the PCI requirements and are asked to attest to their compliant status annually. As part of the annual compliance validation process, the merchant’s processor may ask them to fill out an SAQ (Self-Assessment Questionnaire) or to undergo a PCI assessment led by a QSA (Qualified Security Assessor).
Are There Penalties?
Yes. Refusal to adhere to the PCI DSS and the processor’s compliance validation requirements can result in suspension from credit card processing networks and significant fines. These fines can include chargebacks to the merchant and, potentially, the cost of additional third-party auditing.
It is more important now than ever to make PCI DSS a constant priority in all business considerations. The continuity the program provides helps ensure that cardholder data is protected from malicious individuals. Because the world of digital transactions is ever-evolving, staying current with PCI practices is the best way to stay informed of the latest security practices.