“We are a lean company with no dedicated IT person on staff so we were taking on the PCI process without that internal support. There are two parts to the PCI compliance process. Part 1 comprised a PCI scan of our systems. That was not a difficult process, and Rocky Rococo’s easily passed all of the scans.
We thought ‘hey, we’re doing pretty well!’ Then we turned our attention to the second part of the process. This is where it got complicated and the ‘We’re doing pretty well’ fell by the wayside. There were about 25 self-assessment questions (SAQ) that required a ‘yes’ answer to pass. We’re pizza connoisseurs, not payments or IT experts so we could only decipher about half of the questions. The other half was not understandable at all. Yet, failing to complete Part 2 meant that we were not complying with PCI requirements.
Putting the entire process on the back burner and remaining non-compliant had some serious implications.
- We would continue to pay hefty non-compliance fees every month.
- Our customer data was at greater risk of a security breach.
- A data breach would result in costly fines and be extremely damaging to your reputation.