PCI compliance applies to any business that accepts card payments, including seasonal or small businesses.
To become PCI compliant, a business typically must do three things:
Meet the requirements set out by the Payment Card Industry Security Standards Council.
Complete an assessment that shows how secure a business's systems and practices are. Most small businesses can perform a self-assessment.
Perform a scan of the network used to process payments. This technical exercise requires the help of an outside firm.
Determining whether your business is PCI compliant requires a thorough assessment of security practices every year. Although the PCI compliance requirement is universal, validation requirements and assessments may be slightly different, depending on the card network. The type of annual assessment required depends on a few factors, including the volume of card transactions.
A business falls into one of four merchant levels. For example, the following are the compliance levels for Visa:
Level 1 merchants are those that process more than 6 million Visa transactions per year across all channels, or are global merchants identified as Level 1.
Level 2 merchants are those that process between 1 million and 6 million Visa transactions per year across all channels.
Level 3 merchants are those that process 20,000 to 1 million e-commerce Visa transactions per year.
Level 4 merchants are those that process fewer than 20,000 e-commerce Visa transactions, or those processing up to 1 million total annual Visa transactions.
Merchants that have suffered a hack or cyberattack resulting in data loss may be moved to a higher validation level by Visa.
Some small businesses can perform a self-assessment. Larger businesses must hire third-party auditors. There are multiple self-assessment questionnaires: the one you take depends on your particular payment setup. For example, Questionnaire A-EP is for businesses that outsource all payment processing to certified third parties, like Stripe.
There are four layers of groups involved in PCI compliance, beginning with the card networks that created it down to the individual businesses that accept customer payments.
Each card network, like Visa and Mastercard, creates its own set of specific requirements, guided by the security standards set by the PCI Security Standards Council.
American Express, Discover, JCB International, Mastercard and Visa founded the PCI Security Standards Council in 2006. It creates broad security standards, certifies vendors, and tests and certifies payment technology.
Businesses use merchant account providers or payment service providers to gain the ability to accept card payments. In addition to following the rules set by each card network, these providers also function as de facto administrators of PCI compliance for businesses by including specific PCI compliance-related requirements in the terms of their contracts or agreements.
Every business must meet the requirements set forth by its merchant account provider. Meeting the requirements means your business is in compliance. If you aren’t in compliance, you could face hefty fees or even lose your merchant account.
Some payment processors charge PCI compliance fees. In return, you might receive compliance-related services, like access to consultants who help you complete requirements.
PaySimple, for example, charges a $5.95 monthly fee for access to a “PCI tool” and a $59.95 monthly fee if you are not in compliance.
Dharma Merchant Services doesn’t have a PCI compliance charge, but there is a $39.95 monthly fee for noncompliance.
Some companies don’t have any information listed on their website, or they may have vague “service fees” that may or may not include PCI-related items.
Weighing the cost of this fee, if any, against the services you receive can play a role in choosing a payment processor. Even if your payment partner doesn’t charge you a fee, becoming PCI compliant usually costs something. Level 4 merchants can expect to pay from $300 to $1,000 or more annually to hire an approved scanning vendor to test their network, complete the questionnaire and help address any issues.
Given the technical nature of data security, completing the assessment questionnaire can be challenging for small-business owners who must address all the issues before submitting it. The following steps can make the process easier.
Much of the advice on securing data mirrors best practices you might already be familiar with when securing your own personal devices, including:
Use strong passwords.
Keep software updated. Older point-of-sale terminals can be particularly vulnerable. Newer cloud-based systems are built with strong encryption and typically receive updates automatically.
Store only what you need. You probably don’t need to store physical copies of receipts.
Don’t click on suspicious links.
Only use card readers and payment software that are validated by the PCI Security Standards Council.
Educate employees about the importance of protecting cardholder data.
Self-assessment questionnaires are technical in nature and can frustrate business owners, Glover says. Some people are tempted to simply check yes to all the questions on the questionnaire without giving the questions much thought.
“People just get frustrated,” Glover says. “We see this a lot. This is a business risk you’re taking.” He says that if a business owner does this and is later compromised, penalties are often stiffer. If you’re unsure of how to handle these questionnaires, consider asking your payment processor for clarification or seeking help from an outside agency.
The point-of-sale, or POS, system that you use can make PCI compliance easier. Using an up-to-date cloud-based POS that integrates payment processing, a POS system and card readers can minimize security risks. These end-to-end systems are usually secure, low-maintenance and often include PCI compliance support.
Some business owners piece together an array of products and services from different companies, but these systems can be less secure and often depend on the owner keeping everything up to date.
Find out which level your business falls under.
Find out which assessment you must use.
Find out the specific compliance requirements in your merchant account provider's contract.
Find out whether your provider has consultant recommendations should you need help.
Find out whether you are paying a PCI compliance fee.
Find out which compliance services your provider offers or recommends.