What Is PCI Compliance And How Does It Affect Your Business?
If you are a small business owner, your passion probably lies somewhere other than payment security — and that’s okay. While the topics of PCI compliance, data breaches, fines, and the like can make even the most even-tempered among us a little twitchy and tense, this subject doesn’t have to be stressful. If you find yourself in new territory and wondering, What is PCI compliance? — you’re in the right spot!
Arming yourself with a basic understanding of PCI can help you navigate a lot more than you think when it comes to choosing the payment processor, merchant account, or outside payment security specialists you may need.
Rest easy, merchants. This post aims to clarify the basics of PCI compliance and get you on the right path to secure your business — and your peace of mind.
Table of Contents
- What Does PCI Stand For?
- Why Does PCI Compliance Matter?
- How Do You Become PCI Compliant?
- Are You Ready To Become PCI Compliant?
What Does PCI Stand For?
PCI is an even more shortened version of the acronym PCI-DSS, which stands for Payment Card Industry-Data Security Standard. The regulatory standards established by the Payment Card Industry Security Standards Council, the governing body for all matters PCI, aim to protect sensitive data through the entire payment life cycle.
If you accept credit card payments (even just over the phone or once in a while), PCI compliance applies to you. Any organization or seller, regardless of size, that accepts, stores, processes, and transmits cardholder data during a credit card transaction is on the hook as far as preventing fraud and data breaches. The set of guidelines from the PCI Council can help you keep this data safe, so following these guidelines are a good thing for your business — really!
Before we go onto the “how” when it comes to becoming PCI compliant, let’s take a look at the “who,” “what,” and “why” of PCI. You’ll have a much better understanding of the landscape when you have this bit of knowledge under your belt.
Who Makes Up The PCI Security Standards Council?
The five major credit card brands got together to form the PCI Security Standards Council in 2006. The founding members of the council, which began over a decade ago, include:
- American Express
- Discover Financial Services
- JCB International
- Visa Inc
Representatives from the five major payment brands make up the Executive Committee, and as you can imagine, these folks are the ones who set up the policies that form the regulations we all must follow when we accept credit cards from their respective brands. Other large brands contribute to the council in a consulting role, too. Square (read our review), one of the largest third-party payment processors, also sits on the board to help form the policy as it pertains to new tech and updating best practices.
When it comes to policy setting in the world of payment security, it’s never a one-off event. Policies are always evolving. As new risks emerge, the PCI Council introduces updated payment security regulations to keep payment technology fresh and stay one step ahead of fraudsters.
Thus, just as the PCI security standards evolve to stay ahead of security risks, merchants must also keep up to date with the latest best practices.
Now let’s keep moving forward to uncover what PCI compliance means for you!
What Does PCI Compliance Entail?
In a nutshell, PCI compliance focuses on making sure that the payment data stays secure for the whole payment lifecycle. Whenever you take a credit card, store it, process or transmit the card data for payment, there is a PCI guideline to do it securely. Keep in mind that the more places payment information gets passed or recorded, the greater a merchant’s PCI scope is. That’s why the decisions you make when you set up payment processing or launch your eCommerce site will have long-lasting consequences on your PCI compliance efforts.
PCI scope refers to the assets your business needs to secure in the entire landscape of payment security. It refers to any of your equipment, software, or hardware that processes, stores, or transmits credit card data. Some credit card processors take care of PCI compliance for you, which reduces your PCI scope and what you have to do to remain PCI compliant. As an example, Square is a third party processor that acts as the merchant on your behalf, and as such, you never store or transmit the card data through your own system. It’s all through Square’s PCI compliant hardware and software.
The payment methods you accept also may increase or decrease your scope. For instance, if you store credit card data on your servers for recurring billing, you have greater PCI scope than if your customer uses a digital wallet for an in-house purchase. That’s because in the first case you have to store card data safely (e.g., think firewalls and security), but when you accept a digital wallet payment from Samsung Pay or Apple Pay, your business doesn’t come into contact with any credit card data directly — it’s all tokenized. Some merchants choose a payment processor or outside firm that tokenizes all payment card data to reduce their PCI scope and fraud vulnerability.
If you are curious what your payment processor offers as far as PCI compliance and payment security measures like tokenization, inquire with them directly. If your company requires a customized solution or you need to store credit card data on your servers, however, you’ll need to understand more about PCI or hire an outside firm that does.
Merchant Risk Levels
If you don’t have an all-in-one solution that includes PCI compliance, you’re going to need to do some basic tasks to maintain compliance. However, what you do mainly depends on what merchant risk level you fall under, according to the PCI Council. Risk levels are set based on how many transactions and how much they are.
Most small businesses fall at level 4, which is the lowest-risk level of the four. Level 4 businesses process up to 1 million Visa transactions and fewer than 20,000 Visa eCommerce transactions in total. However if you’ve ever suffered a data breach, your company may be escalated to a higher merchant level to reflect the added risk.
General Purpose High-Risk, eCommerce, CBD Oil, Firearms & Ammunition, Adult, Credit Repair, Bad Credit, Vape/E-cigarettes, Airlines
Paymentcloud Durango Soar Payments Host Merchant Services Review Visit Site Review Visit Site Review Visit Site Specialities International, Offshore, Credit Repair, Bad Credit, Vape/E-cigarettes, Fantasy Sports, Forex Credit Repair, E-cig/vape, Moving/Storage, Web Design, Antiques & Collectibles, Debt Consolidation, Precious Metals Debt Collection, Life Coaching, Airlines, Loan Modification, SEO Services
General Purpose High-Risk, eCommerce, CBD Oil, Firearms & Ammunition, Adult, Credit Repair, Bad Credit, Vape/E-cigarettes, Airlines
Are you wondering how your type of business becomes PCI compliant? Keep reading for an overview of what merchants need to keep in mind, whether they are an eCommerce business, a brick-and-mortar shop — or a mixture of both.
But first, why does all this PCI business matter in this first place? Is it just another bureaucratic, red tape hassle? Not really.
Why Does PCI Compliance Matter?
When merchants don’t give payment security the attention it needs, everybody suffers. However, while a disgruntled customer can order a new card and will likely recoup stolen funds, merchants don’t bounce back so quickly. Here are a few disturbing statistics from UPS Capital:
- Two-thirds of cyber breach victims are small to mid-sized businesses.
- 55% of smaller merchants reported a data breach for the year before.
- A significant cyber breach could cost a small business upwards of $80K or more.
- Due to bad press and cost, 60% of small businesses close shop permanently within six months of a cyber attack.
These statistics of a breach can be very sobering, but they illustrate an important point: PCI is just as important, if not more so, for the small business than for anyone else. While the above statistics reference a cyber breach, keep in mind that even a brick-and-mortar shop transmits payment data electronically, so these statistics aren’t only referring to eCommerce shops by any means. Cybersecurity applies to everyone who processes payments electronically. If you have an internet data connection (WiFi or cellular) and use it to accept payments, that means you.
It’s also important to note that PCI compliance and best practices protect you from both an outside and an inside job. For instance, it’s a big no-no to keep full credit card numbers on file and visible to any of your employees, but the PCI Council found that many businesses of all types do this very thing! It’s not hard to see how data breaches are so common. Unsecured payment data makes it too easy for an untrustworthy staff member or for a hacker who is lurking on your network to strike gold. Proper security measures protect your customer’s card, and ultimately they safeguard your good name — and all of your hard earned revenue.
Everyone who processes credit cards needs to be PCI compliant. It’s just that simple. If you are found non-compliant, you’ll have to rectify the situation, and you’ll face non-compliance fees if you don’t.
Note: The individual payment processing companies, not the PCI Council, determine the enforcement of compliance and non-compliance penalties, even though the card networks are the ones who mandate compliance. The PCI Council recommends that merchants direct any questions regarding non-compliance penalties or enforcement of compliance to their processors, as they’ll best be able to assist you.
For more information on PCI compliance and costs, visit our post, PCI Compliance Fees: A Fair Processing Charge Or A Junk Fee?
How Do You Become PCI Compliant?
It is likely that if you are reading this post, you are a level 4 merchant — a merchant either processing fewer than 20,000 Visa eCommerce transactions per year or a merchant, regardless of acceptance channel, processing up to 1 million Visa transactions per year. Much of the PCI-DSS is broken down into specific goals with corresponding actionable steps to make sure everything is on the up and up. You may need to do a quarterly scan, an annual self-assessment questionnaire (SAQ), remediate any vulnerabilities and report to the appropriate acquiring bank and card brand. Check out The Quick Guide To PCI DSS Compliance For Small Merchants (Level 4) for more guidance.
The PCI Council breaks down what SAQs your business needs to complete based on the types of transactions your company does. Here is how the processing methods are broken down:
- Shopping cart with the entire internet presence outsourced
- Shopping cart with the payment page entirely outsourced
- Shopping cart with the payment page partially outsourced (some elements hit merchant page)
- Shopping cart with direct post (merchant hosts) payment page
- Shopping cart payment page not outsourced
- POS terminal
- Virtual terminal manual entry
- Virtual terminal card reader
The PCI Council lays out what merchants need to do based on the scope factors above. Merchants that don’t have the in-house expertise typically hire a Qualified Security Assessor that is vetted and approved by the PCI Council to perform on-site assessments and determine the PCI scope and make recommendations. Essentially, security assessors are independent consultants who adhere to the PCI Data Security Standard Assessment Procedures — you can access this list at the official PCI Security Standards site.
Best Practices & Reducing Liability
Some best practices worth mentioning for any business include not using default passwords, keeping firewalls updated, only storing payment information appropriately (e.g., not in a notebook or a Word doc), updating software, and keeping any permissions and documentation as needed.
Many merchants find that reducing their scope and shifting the liability away from their business is the best option. As discussed above, you can simplify things for yourself by adopting tokenization (e.g., digital wallets) or by going with a third party PCI-validated payment processor that takes care of every aspect of PCI compliance for you.
For in-house PCI compliance, security goals should include:
- Building and maintaining a secure network (e.g., use firewall, no default passwords)
- Protecting cardholder data (e.g., encryption or tokenization in transit)
- Supporting a vulnerability management program (e.g., anti-virus software updates)
- Implementing strong access control measures (e.g., unique IDs, need-to-know basis)
- Regularly monitor and test networks (e.g., track and monitor access points to your network)
- Maintaining information security policies (e.g., general admin security)
For more on the actionable steps to take for PCI compliance, visit Everything You Need To Know About PCI DSS Compliance. The tools you use and your PCI scope depend on what type of business you are, so let’s take a look at some of the things you’ll need to consider in the sections below.
PCI Compliance For Brick And Mortar Businesses
If you have a storefront, you’ll need to consider both the software and the hardware you use to process payments. Any equipment that touches credit card information will need to be PCI compliant, but you need to consider the end-to-end security of every transaction.
Tokenization is the current trend buzz that addresses this complete, end-to-end security for the merchant. Tokenization removes the PCI load from the merchant because no credit card data is shared with the merchant directly. Mobile wallets that rely on NFC tokenize data before passing it to the merchant. However, as mentioned earlier in this post, some merchants opt to hire a firm or use a payment processor that tokenizes all payment data when the transaction is made.
Read Determining Your Merchant Risk Level For PCI Compliance for more help on finding your requirements. If you have some in-house risk, your payment processor will likely inform you how to stay compliant. A critical thing to keep in mind is that you should update your POS software and hardware firmware as soon as updates become available.
Securing your wifi networks and general network security are critical components to your PCI compliance over the long term. It’s also worth mentioning again that if your staff ever takes an order over the phone or remotely, never write the numbers down or store them with unsecured software. Advise your team to always record the credit card number directly into the payment software at the virtual terminal — not on a pad of paper, in a word processing document, or anything else.
PCI Compliance For Online Businesses
For the eCommerce shop, PCI compliance liability largely depends on whether or not any data passes through your servers or goes into your site during the checkout process. If any data does pass through your website or server during the checkout process, your PCI scope increases and you have more of an obligation.
To reduce what your company needs to do to stay PCI compliant, you can choose a payment processor and shopping cart software provider that offers their own hosted checkout pages. This option reduces your PCI scope to virtually nonexistent. However, if you prefer to keep customers on your site for the checkout, tools do exist to minimize your risk. In this case, you can expect (at minimum) to complete quarterly scans and self-assessments to ensure PCI compliance.
If you want to store your customer’s credit cards so their card information is on file for faster checkout, you’ll need to procure a PCI compliant vault. You can often find a secure vault through your payment processor, but if the company doesn’t provide one, you can opt for a third-party add-on service to do this.
Also, you also have another option to take payments we haven’t touched on quite yet — invoices. If you send an invoice through a PCI compliant payment processor, the payment provider generates a link for you, and your customer completes the transaction via a secure domain, requiring no extra work for you. You don’t need a website of your own because the invoice software links to a site hosted by your payment processor.
PCI Compliance For Mobile Businesses
You may be happy to know that many mobile point-of-sale apps (mPOS) are automatically PCI compliant, so you don’t need to jump through any additional hoops to take payments! Mobile payment apps work by encrypting the card data as soon as the card is inserted, tapped, or swiped, so the payment data never touches your phone or device. It’s all routed through a secure network maintained by the processor offsite. Hooray for simplicity!
Are You Ready To Become PCI Compliant?
We covered a lot of ground in this post, yet we still really only scratched the surface when it comes to PCI compliance. Most small businesses have minimal actions to take, so don’t feel overwhelmed by the prospect. You can always hire an outside assessor to help you mitigate in-house risks, or choose a third-party processor to take the entire PCI burden of risk for you. However, even with the burden shifted, you’ll still need to stay on top of any software updates and inform your staff of best practices — like never writing a credit card number down!
The main takeaway we want to stress is that PCI compliance is never a one-and-done event. Think of it as a 3-step process of assessing, remediating, and reporting. So whether that is your organization bearing the brunt of the PCI load or utilizing an outside company, there is always effort (and cost) involved. Understanding the factors involved with payment security and how they safeguard your business can lessen the sting of the PCI compliance fees some processors charge. And if you don’t pay to protect your business with PCI compliance, you could end up paying non-compliance fees to your processor, as previously touched on in the post.
Ultimately, PCI compliance protects your business from very costly risks of a data breach, so this is one aspect of your business you’ll want running on all cylinders from the get-go. You’ve made it this far, so be encouraged that payment security is just one more important step towards running a business successfully and protecting all of your hard work!