The Quick Guide To PCI Compliance For Small Businesses: What You Need To Know & How To Become Compliant
If you’re a first-time small business owner, you might not be too familiar with the concept of PCI compliance. You might not even have ever heard of it before. It’s also entirely possible that your first introduction to the subject will come in the form of a “PCI compliance fee.” This is a fee that gets tacked onto your monthly merchant account processing statement.
So just what is PCI compliance, and why is it important? The term PCI compliance refers to a set of practices you’ll have to follow to comply with the Payment Card Industry Data Security Standard (PCI DSS). The Payment Card Industry Security Standards Council (PCI SSC), an association sponsored by the major credit card brands, developed and now enforces PCI compliance standards. PCI standards have one goal in mind: to protect consumers’ credit card data from being stolen or misused by hackers or other cybercriminals. Maintaining PCI compliance is your best defense against experiencing a data breach. It also reassures your customers that it’s safe for them to use their credit cards when doing business with you.
Unfortunately, the biggest threat to small businesses is complacency. Most small business owners believe that they don’t have anything worth stealing, and therefore they won’t be a target. However, nothing could be further from the truth. A small business that fails to take the steps necessary to protect its customers’ credit card data is an easy target for any cybercriminal looking to steal and exploit that information.
What happens if you’re not PCI compliant? In most cases, your merchant account provider will charge you a PCI non-compliance fee (typically around $30.00 per month) until you bring your account back into compliance. However, if you experience a data breach as a result of noncompliance, the PCI SSC is authorized to impose a fine of anywhere from $5,000 to $500,000. Although this fine gets levied against your acquiring bank, you can bet that they will pass it on to you as soon as they receive it. If you have data breach insurance, your policy might cover the cost of the fine or at least part of it. As we’ll see below, your PCI compliance requirements will also increase dramatically, costing you even more time and money.
For small business owners, complying with all applicable PCI DSS standards is easy to do — and it won’t cost you very much. It’s certainly much cheaper to avoid the huge fines and additional reporting requirements that can threaten to put you out of business. In this article, we’ll discuss the various levels of PCI compliance. We’ll focus on Level 4 requirements because this is the level that most small businesses will fall under. Finally, we’ll give you some common-sense best practices to safeguard your business from hackers and ensure that you’ll always meet PCI compliance requirements.
Table of Contents
- What Are PCI Compliance Requirements For Small Businesses?
- Choose The Right Payment Processor To Simplify PCI Compliance
- How To Become PCI Compliant For Brick & Mortar Businesses
- How To Become PCI Compliant For eCommerce Businesses
- How To Become PCI Compliant For Mobile & Blended Businesses
- Final Thoughts
What Are PCI Compliance Requirements For Small Businesses?
To standardize and (somewhat) simplify the process of PCI compliance, the PCI SSC has established a four-level system for classifying businesses and setting compliance requirements for each level. Levels are numbered from one to four, with Level 1 having the most stringent compliance requirements and applying to the largest businesses. Level 4, in contrast, has the simplest requirements and applies to the smallest businesses.
Your business will fall under level four compliance requirements if you process less than 20,000 ecommerce transactions per year, or less than 1,000,000 transactions from all sales channels (e.g., ecommerce and retail). The low threshold for ecommerce transactions reflects the fact that online businesses are inherently more vulnerable to exploitation and data breaches than a traditional brick-and-mortar retail business.
Level 1 businesses — defined as businesses that process over 6,000,000 transactions per year (regardless of sales channel) — will, naturally, have the most stringent and extensive PCI compliance requirements. Even if you don’t think your business will ever reach that size, there’s one thing we need to warn you about. Any business, regardless of annual processing volume, can be placed into Level 1 if they suffer a data breach. So if you lose your customers’ credit card information due to a breach, you may (and probably will) find yourself in Level 1, regardless of how small your business is. Level 1 requirements involve the assistance of outside auditors to affirm that your business is compliant and following all recommended best practices to safeguard your customers’ data. An audit can be a very burdensome and expensive proposition for a small business. It’s imperative that you avoid getting into this predicament in the first place by ensuring your business meets all PCI compliance requirements for your level.
For this article, we’re going to focus on Level 4 requirements, because most small businesses fall under this level. If your business is in Level 3 or higher, or you’d just like to see a more in-depth discussion about PCI compliance levels, please refer to our article, Determining Your Merchant Risk Level For PCI Compliance.
Choose The Right Payment Processor To Simplify PCI Compliance
There are hundreds of payment processors of one kind or another on the market, and it seems like they all approach PCI compliance differently. While every provider will offer some type of PCI compliance service, specific features vary widely from one provider to the next. For example, many providers offer some kind of data breach insurance as a standard feature of your account. Others will either charge separately for it or leave you to purchase insurance from a third party on your own.
PCI compliance fees are another matter. Most providers on the market will charge this type of fee, but they might present it as either an annual, quarterly, or monthly fee. Other providers don’t charge directly for PCI compliance. This does not mean that you’re getting something for free! In most cases, you’ll pay either slightly higher processing rates or a higher monthly account fee to cover the costs your provider incurs in helping to keep your account compliant. For a more in-depth discussion regarding PCI compliance fees, please see our article, PCI Compliance Fees: A Fair Processing Charge Or A Junk Fee?.
In selecting a payment processor, you’ll want to nail down the details of how they handle PCI compliance before you sign up for an account. Do not rely on sales agents to give you truthful answers! Check your contract documents thoroughly, and look for any PCI compliance disclosures on your provider’s website. At a minimum, your provider should offer the following:
- PCI compliant processing hardware and software (including terminals, point of sale (POS) systems, mobile processing systems, payment gateways, and possibly a virtual terminal)
- Quarterly network vulnerability scans (see below) and access to the logs of those scans
- Appropriate assistance with completing and filing a Self-Assessment Questionnaire (SAQ)
Other nice-to-haves include a data breach insurance policy (with a minimum of $100,000 coverage) and tokenization or encryption security features. Note that the latter is increasingly becoming a standard feature offered by almost all reputable providers. Regardless of the level of services provided, the bottom line is that you are ultimately responsible for ensuring that your business is fully PCI compliant, not your payment processor.
How To Become PCI Compliant For Brick & Mortar Businesses
If you’re a traditional retail merchant and don’t process any sales through your website, you might wonder what cybersecurity and PCI compliance have to do with you. The short answer: more than you think. Maybe you’re using a point of sale (POS) system to process sales and track inventory. Perhaps you have a virtual terminal installed on an old laptop and use it to input credit card data manually. Maybe you just have a simple countertop credit card terminal, but it’s connected to your processor’s payment network through a LAN cable. In all of these cases, you’re still using the internet to send and receive credit card information. So you do need to take PCI compliance just as seriously as an ecommerce-only business.
The good news is that it’s generally much easier for a brick -and-mortar-only business to meet PCI compliance standards. If you’re in Level 4, all you need to do is to complete a network vulnerability scan of your system, keep your Self-Assessment Questionnaire (SAQ) updated, and follow the best practices recommended by the PCI SSC to keep your account compliant and protected.
Network Vulnerability Scans
A network vulnerability scan checks your website and payment processing system for vulnerabilities, such as malware and viruses. The scan will also inspect every IP address that is reachable by the public from your site. Scans must be accomplished by an Approved Scanning Vendor (ASV) that’s been certified by the PCI SSC.
If you’re a Level 4 merchant, this scan is technically a one-time requirement. However, you’ll probably want to re-accomplish it anytime you have a significant change to your network configuration. If you’re in Level 3 or higher, vulnerability scans must be accomplished and documented quarterly.
Your merchant account provider will usually perform these scans for you as part of their PCI compliance services. However, it’s your responsibility to ensure that they’re being accomplished. You can also use the services of a third-party ASV (such as Trust Guard) to complete your scans. Hiring a third party will cost you extra, but it’s a good practice if your merchant account provider isn’t scanning your system for you.
Self-Assessment Questionnaire (SAQ)
The PCI SSC publishes a Self-Assessment Questionnaire (SAQ), which you will have to complete and file on an annual basis. This document allows you to determine your PCI compliance needs and offers information on the various best practices you should be following to protect your customers’ card data. Check out the PCI DSS Self-Assessment Questionnaire Instructions and Guidelines for more information.
Failure to keep the SAQ updated every year is the most common reason that businesses end up being assessed a PCI non-compliance fee by their processor. Completing the SAQ and keeping it updated is easy and straightforward, so there’s no excuse for not complying with this requirement.
Best Practices For PCI Compliance
Below, we’ll outline eight of the most important practices your business should follow to maintain PCI DSS standards and protect your customers’ data. These practices are not the same as the 12 compliance requirements outlined in the PCI DSS Quick Reference Guide (QRG), but there is some overlap. Be sure to consult the QRG for further information when setting up a PCI compliance program for your business.
- Use only PCI-approved PIN Transaction Security (PTS) devices. PTS devices now include traditional countertop credit card terminals, PIN pads, mobile processing devices, and point of sale (POS) systems. A full list of approved PTS devices is on the Approved PTS Devices page of the PCI SSC’s website.
- Use only PCI-validated POS (point of sale) and payment gateway software. Just like your processing hardware, your software services have to be validated by the PCI SSC as being compliant. A searchable list of approved products is available on the Validated Payment Applications page of the PCI SSC website.
- Don’t store any sensitive cardholder data. Simply put, there’s no good reason whatsoever for you to have access to any of your customers’ card data. Modern payment processing systems use tokenization and encryption to protect this data when a sale is processed. There’s never a good reason for you to store this information digitally — either on your hard drive or your website’s server. This goes double for physically storing credit card information. Never write down a customer’s credit card number, expiration date, or CVV unless it’s absolutely necessary. If you do, be sure to follow additional PCI compliance requirements that apply to this type of information. Note that almost all modern payment gateways include a customer information vault feature that safely stores this information off of your website.
- Use a firewall on your network and computers. Just as you always use a firewall to protect your personal computer, you also need to use one to protect every device attached to your business network. Your merchant account provider can usually assist you with configuring this feature.
- Never use default passwords. It’s critically important that you replace the default passwords on your networked devices with the strongest ones possible. Applications such as 1Password and LastPass can help you generate extremely strong passwords. This may seem like an obvious step, but some huge data breaches have occurred in recent years because someone neglected to perform this simple step.
- Make sure your wireless router is password-protected and uses encryption. You’ll also want to set a strong password for your wireless router and make sure that all available security and encryption features are enabled and properly configured.
- Regularly check terminals, PIN pads, and computers to ensure that no one has installed rogue software or “skimming” devices. If there’s any chance of your business being hacked by one of these methods, you’ll want to know about it as soon as possible. Network vulnerability scans are great for catching this kind of activity. Be sure to scan your system at least quarterly, regardless of your PCI compliance level.
- Educate your employees about security and protecting cardholder data. Learning all the best practices for PCI compliance won’t do you much good if you don’t pass that knowledge onto your employees. Have a program in place that teaches employees what they should and shouldn’t be doing when accepting payments from customers.
How To Become PCI Compliant For eCommerce Businesses
If you skipped the last section because you run an online-only business, go back and read through it. Most of the PCI compliance requirements that apply to retail businesses will also apply to ecommerce ventures. You won’t have to worry about securing credit card terminals, and most of the physical security practices won’t apply to you. However, you’ll still have to keep your SAQ updated and run regular network vulnerability scans. Those network scans will be even more critical for you than they will be for a brick-and-mortar business.
If you’re just starting an ecommerce business, we highly recommend that you focus on PCI compliance requirements when deciding how you’ll structure your website and how you’ll accept payments. At first glance, it might seem like the easiest solution is to accept payments directly from your site. Unfortunately, this means that you’ll be handling (and possibly storing) credit card information from your customers directly on your website’s server or your computer. This is a bad idea. PCI compliance requirements for protecting this data are much more extensive than if you use a secured payment gateway or a hosted payment page.
Most merchant account providers that support ecommerce businesses offer a hosted payment page. This means customers will briefly leave your site and go to a secure checkout page hosted by your payment processor to complete their purchase. The advantage of this approach is that it keeps credit card data off your site altogether, greatly simplifying your PCI compliance requirements. It’s also cheaper. The main disadvantage is that you might lose sales from customers who don’t understand how a hosted payment page works and might abandon their cart when they’re redirected away from your website to enter their credit card information.
Online shopping carts and secure payment gateways that include tokenization and encryption features allow you to accept payments directly from your website without having to worry about storing any credit card data. Card information is encrypted at every stage of the checkout process. So you won’t have access to any of it (except possibly the last four digits of a customer’s card). While these solutions are much more secure and convenient, they’re also more expensive. Nonetheless, the cost is cheap in comparison to what a data breach could cost you.
If your business is growing, you don’t want your customers to have to re-enter their credit card information from scratch every time they place an order. At the same time, you want to avoid storing that information yourself as much as possible. Fortunately, almost all modern payment gateways include a feature called a customer information vault (or a variation on this term). These vaults store this information securely on your provider’s server, so you don’t have to worry about it. Customers are much more likely to place repeat orders if they can pull up a “card on file” rather than typing in all that information every time they need to place an order. Customer information vaults are usually included as a standard feature with most gateways. The only issue we’ve seen with them is that some providers make it unnecessarily difficult and expensive to migrate that data to another server if you choose to change payment gateway providers. Be sure to ask about your gateway provider’s data migration policies before you sign up.
You probably already know about this one, but we’d like to also mention the importance of Secure Socket Layer (SSL) certificates for online businesses. These certificates encrypt all traffic that passes through your website, providing your best and simplest defense against hackers trying to exploit your site. They also give you the “https:” in your website’s URL, letting your customers know that it’s safe to enter their credit card information. Use of SSL certificates is now a standard practice all across the internet, but it’s particularly important for any business that sells things on its website. Google will now penalize you for not using one by placing a prominent “NOT SECURE” disclaimer in Chrome’s search bar. You don’t want this to happen to you! Check with your web hosting provider to see what options they offer for SSL certificates.
How To Become PCI Compliant For Mobile & Blended Businesses
If your business involves both in-person and online sales, all of the above information will apply to you. You’ll want to work closely with your merchant account provider to ensure that you have a firm division of labor when it comes to PCI compliance tasks. Your provider’s primary role is to run the network vulnerability scans and (hopefully) remind you when it’s time to update your SAQ. They should also ensure that they’ve provided you with PCI-compliant processing hardware and software. If they charge you separately for PCI compliance, you’ll want a full understanding of exactly what services they’re providing in exchange for that fee. Besides network vulnerability scans and helping you file your SAQ, they should also offer a data breach insurance policy and some educational resources to help you in securing your account. Unfortunately, it’s not that uncommon for some providers to charge you a full PCI compliance fee but then offer few, if any, services to help you meet your compliance requirements.
If you’re a small business owner looking for the simplest way to deal with PCI compliance requirements, we highly recommend Square (see our review). All of Square’s card readers and software services come fully PCI-compliant right out of the box, and there’s no PCI compliance fee. You’ll still want to review your PCI compliance requirements, but other than setting strong passwords for your accounts, there won’t be much for you to have to do.
Final Thoughts
The subject of PCI compliance can be a daunting one for a new business owner, but it doesn’t have to be that way. Most PCI compliance requirements come down to following basic common sense. While we certainly encourage you to review the relevant documents on the PCI SSC website, much of the information presented is overkill for a small business owner. Information in this article and educational resources provided by your payment processor should, in most cases, be all you need.
One point we’d like to emphasize is that the goal of PCI compliance is to protect your customers’ credit card information, and that’s all it does. Following good PCI compliance practices will not, for example, protect your business from fraud. That’s another subject altogether. The good news is that, with fraud on the rise (particularly card-not-present fraud), payment processors are continuously stepping up their game to provide you with additional anti-fraud measures to lessen your risk of becoming a victim.
Finally, we can’t stress enough how important it is to ensure full compliance with PCI requirements, regardless of your business type. Suffering an actual data breach will cost you a lot of money, possibly enough to bankrupt you. For even more information about this subject, check out our article, Everything You Need To Know About PCI DSS Compliance. If you’re still looking for a merchant account provider (or are thinking of ditching your current provider), see our Merchant Account Comparison Chart for a side-by-side comparison of our top-rated vendors.