What Is PCI Compliance & How Does It Affect Your Business?
If you are a small business owner, your passion probably lies somewhere other than payment security — and that’s okay. While the topics of PCI compliance, data breaches, fines, and the like can make even the most even-tempered among us a little twitchy and tense, this subject doesn’t have to be stressful. If you find yourself in new territory and wondering, What is PCI compliance? — you’re in the right spot!
Arming yourself with a basic understanding of PCI can help you navigate a lot more than you think when it comes to choosing the payment processor, merchant account, or outside payment security specialists you may need.
Rest easy, merchants. This post aims to clarify the basics of PCI compliance and get you on the right path to secure your business — and your peace of mind.
What Does PCI Stand For?
PCI is the shortened form of PCI DSS, which stands for Payment Card Industry Data Security Standard. The standard, established by the Payment Card Industry Security Standards Council (the governing body for all PCI-related matters), aims to protect sensitive credit card data through the entire payment processing cycle.
If you accept credit card payments (even just over the phone or once in a while), PCI compliance applies to you. Any organization or seller, regardless of size, that accepts, stores, processes, or transmits cardholder data during a credit card transaction is on the hook as far as preventing fraud and data breaches. The required procedures established by the PCI Council minimize the chances of a data breach, protecting you, your business, and (most importantly) your customers.
Before we go onto the “how” of becoming PCI compliant, let’s take a look at the “who,” “what,” and “why” of PCI. You’ll have a much better understanding of the landscape when you have this bit of knowledge under your belt.
The five major credit card brands got together to form the PCI Security Standards Council in 2006. The founding members of the council include:
- American Express
- Discover Financial Services
- JCB International
- Mastercard
- Visa, Inc.
Representatives from the five major payment brands make up the Executive Committee, and as you can imagine, these folks are the ones who set up the policies that form the rules we all must follow when we accept credit cards from their respective brands. Other large brands contribute to the council in a consulting role, too. Square (see our review), one of the largest payment services providers (PSPs), also sits on the board to help formulate policy pertaining to new technology and updating best practices.
When it comes to policy setting in the world of payment security, it’s never a one-off event. Policies are always evolving. As new risks emerge, the PCI Council introduces updated payment security regulations to keep payment technology fresh and stay one step ahead of fraudsters.
Thus, just as the PCI security standards evolve to stay ahead of security risks, merchants must also keep up to date with the latest best practices. Now let’s keep moving forward to uncover what PCI compliance means for you!
What Is PCI Compliance?
In a nutshell, PCI compliance focuses on making sure that the payment data stays secure for the whole payment lifecycle. Whenever you take a credit card, store it, process or transmit the card data for payment, there is a PCI guideline to do it securely. Keep in mind that the more places payment information gets passed or recorded, the greater a merchant’s PCI scope is. That’s why the decisions you make when you set up payment processing or launch your eCommerce site will have long-lasting consequences on your PCI compliance efforts.
PCI Scope
PCI scope is, according to the PCI SSC, “… the identification of people, processes, and technologies that interact with or could otherwise impact the security of the cardholder data (CHD).” It refers to any of your equipment, software, or hardware that processes, stores, or transmits credit card data. Some credit card processors take care of PCI compliance for you, which reduces your PCI scope and what you have to do to remain PCI compliant. As an example, Square is a payment service provider (PSP) that acts as the merchant of record on your behalf. As such, you never store or transmit the card data through your own system. It’s all through Square’s PCI-compliant hardware and software.
The payment methods you accept also may increase or decrease your scope. For instance, if you store credit card data on your servers for recurring billing, you have greater PCI scope than if your customer uses a digital wallet for an in-house purchase. That’s because in the first case, you have to store card data safely (e.g., think firewalls and security), but when you accept a digital wallet payment from Google Pay or Apple Pay, your business doesn’t come into contact with any credit card data directly — it’s all tokenized. eCommerce-only businesses, for example, can reduce the scope of their PCI compliance requirements by using a hosted payment page offered by their provider rather than having customers check out directly from their business website.
If you are curious about what your payment processor offers as far as PCI compliance and payment security measures, inquire with them directly. If your company requires a customized solution or you need to store credit card data on your servers, however, you’ll need to understand more about PCI or hire an outside firm that does.
Merchant Risk Levels
If you don’t have an all-in-one solution that includes PCI compliance, you’re going to need to do some basic tasks to maintain compliance. However, what you do mainly depends on what merchant risk level you fall under, according to the PCI Council. Risk levels are defined by the number of transactions your business processes annually and do not factor in your overall processing volume.
Most small businesses fall at level 4, which is the lowest-risk level of the four. Level 4 businesses are those that process fewer than 20,000 eCommerce transactions annually, or up to one million transactions annually across all sales channels and card brands. However, if you’ve ever suffered a data breach, your company may be escalated to a higher merchant level to reflect the added risk.
Do I Have To Be PCI Compliant?: PCI Compliance Requirements For Merchants
The bottom line is that, yes, you will need to be PCI compliant if your business accepts credit or debit cards. However, your specific compliance requirements can range anywhere from very easy to very complex (and expensive), depending on how you accept card payments and the size of your business.
Understanding Your PCI Compliance Obligation
While every business needs to be PCI compliant, the risks are higher for larger businesses due to the sheer number of transactions they process. For this reason, the PCI SSC has established a merchant risk level system that categorizes businesses into one of four possible risk levels.
Under this system, PCI compliance requirements are more extensive for level 1 businesses than they are for level 4 enterprises. Which risk level applies to your business will be determined by the number of annual card transactions you process (with distinctions between retail and eCommerce sales) and whether you’ve experienced an actual data breach.
You must know which level of PCI compliance your business falls under and the specific requirements for that level. Unfortunately, many small business owners make the mistake of thinking that they’re too small to make a tempting target for cybercriminals and put minimal effort into securing their payment systems. In reality, it’s these lax security efforts that make them more likely to be hit with a data breach. Small to mid-sized businesses make up the majority of data breach victims, and many are unable to bear the costs associated with responding to the breach. Unlike mega-retailers that can throw millions of dollars into repairing a data breach, small business owners are more likely than not to be forced out of business altogether if they experience a single data breach.
Note: The individual payment processing companies, not the PCI SSC, determine the enforcement of compliance and non-compliance penalties, even though the card networks are the ones who mandate compliance. The PCI Council recommends that merchants direct any questions regarding non-compliance penalties or enforcement of compliance to their processors, as they’ll best be able to assist you.
Am I PCI Compliant?: How To Check Your PCI Compliance
It is likely that if you are reading this post, you are a level 4 merchant – a merchant either processing fewer than 20,000 eCommerce transactions per year or a merchant, regardless of acceptance channel, processing up to one million card transactions per year. Much of the PCI-DSS is broken down into specific goals with corresponding actionable steps to make sure everything is on the up and up. You may need to do a quarterly scan, an annual Self-Assessment Questionnaire (SAQ), remediate any vulnerabilities and report to the appropriate acquiring bank and card brand. Check out The Quick Guide To PCI Compliance For Small Businesses: What You Need To Know & How To Become Compliant for more guidance.
The PCI Council breaks down what SAQs your business needs to complete based on the types of transactions your company does. Here is how the processing methods are broken down:
- Shopping cart with the entire internet presence outsourced
- Shopping cart with the payment page entirely outsourced
- Shopping cart with the payment page partially outsourced (some elements hit merchant page)
- Shopping cart with direct post (merchant hosts) payment page
- Shopping cart payment page not outsourced
- POS terminal
- Virtual terminal manual entry
- Virtual terminal card reader
The PCI Council lays out what merchants need to do based on the scope factors above. Merchants who don’t have the in-house expertise typically hire a Qualified Security Assessor (QSA) vetted and approved by the PCI Council to perform on-site assessments, determine the required PCI scope, and make recommendations. Essentially, security assessors are independent consultants who adhere to the PCI Data Security Standard Assessment Procedures. You can learn more about QSAs and access a list of qualified companies and individuals on the PCI Security Standards Council website.
Merchant Services’ Role In PCI Compliance
Meeting all PCI compliance requirements will inevitably be a team effort between you and your payment processor. There are some steps that your processor will have to perform for you, and there are other steps that you’ll have to do on your own. Just remember that you are ultimately responsible for meeting all PCI compliance requirements, not your processor.
Best practices that you’ll have to do on your own include not using default passwords, keeping firewalls updated, only storing payment information appropriately (e.g., not in a notebook or a Word document), updating software, and maintaining access permissions and the documentation your compliance level requires.
For many merchants, reducing the overall scope of their PCI compliance requirements will be the best strategy. This can be accomplished by using security features such as tokenization or hosted payment pages. Perhaps the easiest way to deal with PCI compliance is to sign up with a payment service provider (PSP) like Square or PayPal, which will take care of almost all compliance requirements for you.
Your provider will also perform security scans on your account as needed, and should also assist you in completing and filing the SAQ when required.
Things you can do on your own include the following security practices:
- Build and maintain a secure network (e.g., always use a properly configured firewall, never use default passwords)
- Protect cardholder data (e.g., use encryption or tokenization for all transactions)
- Support a vulnerability management program (e.g., use anti-virus software and keep it updated)
- Implement strong access control measures (e.g., unique IDs for all employees, issued on a strictly need-to-know basis)
- Regularly monitor and test networks (e.g., track and monitor access points to your network)
- Maintain and follow information security policies (e.g., general administrative security)
For more on the actionable steps to take for PCI compliance, refer to our article, The Complete Guide to PCI DSS: Why You Need To Understand PCI Compliance Standards & What Role Payment Processors Play.
For more information on PCI compliance and costs, visit our post, The Complete Guide To PCI Fees: How To Avoid PCI Compliance & Non-Compliance Fees (Plus How To Spot A Scam).
PCI Compliance For Brick And Mortar Businesses
If you have a storefront, you’ll need to consider both the software and the hardware you use to process payments. Any equipment that touches credit card information will need to be PCI compliant, but you need to consider the end-to-end security of every transaction.
Tokenization is the current “gold standard” in easily adoptable security features, reducing the scope of PCI compliance requirements by keeping credit card data off the merchant’s website or processing hardware entirely. Mobile wallets that rely on NFC technology tokenize data before passing it to the payment processing network. Almost all payment processors in the industry today offer tokenization, and most include it as a standard feature.
Securing your Wi-Fi networks and following general network security practices are critical to maintaining PCI compliance over the long term. It’s also worth mentioning again that if your staff ever takes an order over the phone or remotely, never write the numbers down or store them with unsecured software. Advise your team to always record the credit card number directly into the payment software at the virtual terminal — not on a pad of paper, in a word processing document, or anything else.
PCI Compliance For Online Businesses
Whether your business is eCommerce-only or you just have an online sales channel, your PCI compliance requirements will depend primarily on whether or not any cardholder data passes through your servers or goes into your site during the checkout process. If any data does pass through your website or server during checkout, your PCI scope increases, and you have more of an obligation.
To reduce your PCI compliance obligations, you can choose a merchant services provider that offers a hosted checkout page. This option simplifies PCI compliance but requires customers to (temporarily) leave your site to complete the checkout process. Hosted payment pages are popular with small eCommerce businesses that often don’t have the resources to tackle the additional PCI compliance burden that comes with a fully self-hosted website.
If you want to safely store your returning customers’ credit card information so they don’t need to type it in every time they place an order, you’ll need to have a PCI-compliant vault (often called a customer information manager). Today, most of the leading payment gateways on the market offer this service as a standard feature.
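Here is an added example (not code from the original post or from any processor named in it) showing, in Python, what the tokenization described in the brick-and-mortar section and the PCI-compliant vault described just above look like at the data level. The ProcessorVault class, the token format and the MerchantCustomerRecords class are hypothetical stand-ins for a processor's service and a merchant's customer information manager; the card numbers are standard industry test values, not real cards. The scan function at the end is the kind of check a merchant can run on notebook exports, logs or documents to confirm no raw card number has crept into their own storage and widened their PCI scope.

```python
"""Tokenization and a token vault, as seen from the merchant side (added example).

The vault stands in for the processor's service and lives outside the merchant's
PCI scope: the merchant hands over the card number once, gets back a random
token plus the last four digits, and bills by token from then on.
"""
import re
import secrets

# Constructed sample PAN: the well-known Visa test number, not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; tells a card-number-shaped digit run from an order id."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class ProcessorVault:
    """Hypothetical stand-in for the processor's token vault (outside merchant scope)."""

    def __init__(self):
        self._store = {}  # token -> PAN; never returned to the merchant

    def tokenize(self, pan: str) -> dict:
        """Swap a PAN for a random token; the merchant only ever keeps the token and last4."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        token = "tok_" + secrets.token_hex(12)  # random; carries no information about the PAN
        self._store[token] = pan
        return {"token": token, "last4": pan[-4:]}

    def charge(self, token: str, amount_cents: int) -> bool:
        """Processor-side charge: only the vault can resolve the token back to a PAN."""
        return token in self._store and amount_cents > 0


class MerchantCustomerRecords:
    """Merchant-side 'customer information manager': stores tokens, never PANs."""

    def __init__(self, vault: ProcessorVault):
        self.vault = vault
        self.records = {}  # customer_id -> {"token": ..., "last4": ...}

    def save_card(self, customer_id: str, pan: str) -> str:
        ref = self.vault.tokenize(pan)
        self.records[customer_id] = {"token": ref["token"], "last4": ref["last4"]}
        return ref["token"]

    def bill(self, customer_id: str, amount_cents: int) -> bool:
        return self.vault.charge(self.records[customer_id]["token"], amount_cents)


# 13 to 19 digits, optionally separated by single spaces or dashes, not inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Scan free text (a log, a notebook export, a document dump) for raw card numbers.

    Any hit means cardholder data has landed somewhere it should not be, which
    both widens PCI scope and breaks the 'never write the number down' rule.
    """
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    vault = ProcessorVault()
    merchant = MerchantCustomerRecords(vault)
    token = merchant.save_card("cust-1", SAMPLE_PAN)
    print("merchant record:", merchant.records["cust-1"])  # token + last4 only
    print("repeat billing succeeded:", merchant.bill("cust-1", 1999))
    # Constructed sample text: an order id (fails Luhn) next to a real-looking card number.
    print("leaked PANs:", find_pans("Order #20240101123456 paid with 4111 1111 1111 1111"))
```

The design point is that the merchant's own records hold nothing a thief could charge with: the token is random and only the vault can map it back, so the scan at the end should return an empty list whenever you run it over your own systems.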
You can also accept payments using invoices. If you send an invoice through a PCI-compliant payment processor, the provider can generate a “pay now” link for you. Your customer then completes the transaction via a secure domain, requiring no extra work on your part. You don’t need a website of your own, because the invoice software links to a site hosted by your payment processor.
PCI Compliance For Mobile Businesses
You may be happy to know that many mobile point-of-sale (mPOS) apps are automatically PCI compliant, so you don’t need to jump through any additional hoops to take payments! Mobile payment apps work by encrypting the card data as soon as the card is inserted, tapped, or swiped, so the payment data never touches your phone or device. It’s all routed through a secure network maintained by the processor offsite. Hooray for simplicity!
Are You Ready To Become PCI Compliant?
Hopefully, this post has given you a basic working knowledge of PCI compliance and why it’s important for your business. Most small businesses have minimal actions to take, so don’t feel overwhelmed by the prospect. You can always hire an outside assessor to help you mitigate in-house risks, or choose a payment service provider (PSP) to take the entire PCI burden of risk for you. However, even with the burden shifted, you’ll still need to stay on top of any software updates and inform your staff of best practices — like never writing a credit card number down!
The main takeaway we want to stress is that PCI compliance is never a one-and-done event. Think of it as a continual process of assessing, remediating, and reporting. Whether you handle PCI compliance matters in-house or get outside help from a third-party vendor, there will always be an effort (and cost) involved. It’s also a critical part of accepting payments for merchants, because keeping a secure system is the best way to safeguard customers and your livelihood. Read our guide on payment processing to learn more about the industry as a whole.
Ultimately, PCI compliance protects your business from the very costly risk of a data breach, so this is one aspect of your business where it’s important not to cut corners. For more information on this sometimes complex subject, please refer to our other PCI compliance posts. Good luck!