What Is PCI Compliance? Retail & Restaurant Guide
When you accept credit or debit cards as payment, there are PCI compliance guidelines to process the card securely. Is your small business PCI compliant?
So, what is PCI compliance, and what does it have to do with your retail or restaurant business?
PCI compliance is important to any business that takes payment, and even if you might not know much about payment security, we’re here to help! Read on to learn more about the basics of PCI compliance and how you can secure your business and peace of mind.
What Is PCI Compliance?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of standardized security measures created by the major credit card companies to protect customers’ card numbers and personal information. These rules apply to any business that accepts debit or credit card payments, regardless of industry or location. The goal of PCI compliance is to keep payment data secure throughout the entire payment lifecycle.
These rules and regulations have been updated multiple times since they were created in 2006. PCI DSS 4.0 was released in March 2022 and will replace PCI DSS 3.2.1 in March 2025.
Do I Have To Be PCI Compliant?
If your business accepts debit or credit card payments, yes, you will need to be PCI compliant.
Your specific compliance requirements can range from easy to complex (and expensive) depending on how you accept card payments and the size of your business.
Understanding Your PCI Compliance Obligation
As we mentioned briefly above, risks are higher for larger businesses because of the number of transactions they process. This is why the merchant risk level exists.
It’s your responsibility as a business owner to know which merchant risk level your business falls under and what the specific PCI compliance requirements are for that level.
Contrary to popular belief, being a small business doesn’t mean you’re too small for cybercriminals and fraudsters to target. In reality, lax security makes you more likely to suffer a data breach. Small to mid-sized businesses make up the majority of data breach victims and are often unable to bear the costs of responding to a breach.
Note: The individual payment processing companies, not the PCI SSC, determine the enforcement of compliance and non-compliance penalties, even though the card networks are the ones who mandate compliance. The PCI Council recommends that merchants direct any questions regarding non-compliance penalties or enforcement of compliance to their processors, as they’ll best be able to assist you.
Am I PCI Compliant?
More likely than not, if you’re reading this article, you run a level 4 business (the lowest merchant level, for the smallest transaction volumes). Most of the PCI DSS is broken down into specific goals with corresponding actions you need to take to remain compliant.
We recommend running a quarterly vulnerability scan and completing an annual Self-Assessment Questionnaire (SAQ). Remediate any vulnerabilities found and report the results to the appropriate acquiring bank and card brand. Read our quick guide to PCI compliance for small businesses to learn more.
The PCI Council breaks down what SAQs your business needs to complete based on the types of transactions your company does. Here is how the processing methods are broken down:
- Shopping cart with the entire internet presence outsourced
- Shopping cart with the payment page entirely outsourced
- Shopping cart with the payment page partially outsourced (some payment elements are served from the merchant’s page)
- Shopping cart with direct post (merchant hosts) payment page
- Shopping cart payment page not outsourced
- POS terminal
- Virtual terminal manual entry
- Virtual terminal card reader
The PCI Council lays out what merchants need to do based on the scope factors above. Merchants who don’t have the in-house expertise typically hire a Qualified Security Assessor (QSA) vetted and approved by the PCI Council to perform on-site assessments, determine the required PCI scope, and make recommendations.
Essentially, security assessors are independent consultants who adhere to the PCI Data Security Standard Assessment Procedures. You can learn more about QSAs and access a list of qualified companies and individuals on the PCI Security Standards Council website.
How Do I Make Sure My Business Is PCI Compliant?
You will need to work with your payment processor in order to remain PCI compliant. There are some steps they will have to complete for you and others you will complete on your own. You are ultimately responsible for meeting the PCI compliance requirements, not your processor.
Am I PCI Compliant Through My Point Of Sale?
Potentially, yes! Many credit card processors handle much of the PCI compliance burden for you, which reduces your PCI scope and makes your life easier.
Square is a PSP (payment service provider) that acts as the merchant of record on your behalf. This way, you never store or transmit card data through your own system; it all passes through Square’s PCI compliant hardware and software.
If you are curious about what your payment processor offers as far as PCI compliance and payment security measures, inquire with them directly. If your company requires a customized solution or you need to store credit card data on your servers, however, you’ll need to understand more about PCI or hire an outside firm that does.
Again, just because you are PCI compliant through your PSP doesn’t mean your system is completely secure. Make sure that your employees understand the importance of only entering or storing payment information in your PCI compliant software.
Are You Ready To Become PCI Compliant?
The main takeaway we want to stress is that PCI compliance is never a one-and-done event. Think of it as a continual process of assessing, remediating, and reporting.
Whether you handle PCI compliance matters in-house or get outside help from a third-party vendor, there will always be an effort (and cost) involved. It’s also a critical part of accepting payments for merchants because keeping a secure system is the best way to safeguard customers and your livelihood.