Taking Credit Card Security Seriously

Small businesses should not expect to fly under the radar forever, notes Forbes.

May 20, 2010

NEW YORK - A recent Forbes article addresses PCI DSS, specifically as it relates to compliance by small companies. While larger merchants (as defined by their PCI DSS merchant level) are subject to independent audits of their processes and systems, the smaller merchants instead can rely on a self-assessment questionnaire, "where they essentially grade themselves," according to Forbes.

As such, speculated Forbes, "That's where the lying comes in. It's not so hard to check off all the right answers without actually making them true." But such an approach carries significant risk.

"If you're lying, you had better also be praying," Forbes said, because noncompliant merchants face fines of tens or hundreds of thousands of dollars, and the penalties climb far higher if the merchant then suffers a breach. Despite the financial risk, Forbes said, many small businesses still believe PCI compliance doesn't apply to them because they are too small or because they don't conduct e-commerce. Both assumptions are wrong.

"Actually, the rules apply to any business, and even any nonprofit, that takes credit card payments. You can look for ways to lighten the compliance burden, but you can't get yourself off the hook entirely. Even if no one has yet compelled you to complete a questionnaire or conduct an automated scan of your networks, you're still supposed to be locking down your systems."

NACS has been instrumental in helping retailers attain PCI compliance.
