You likely accept credit and debit card payments every day. But with so much sensitive data, you need strong protection against hackers. Fortunately, there is a standardized checklist of measures to defend against fraud.
These security protocols are called Payment Card Industry Data Security Standard (PCI DSS). Since this is a mouthful, people simply say that a company is “PCI compliant” to mean that it follows these strict protection measures. Major credit card companies enforce these rules.
Let's discuss why your small business should be PCI compliant.
What is PCI compliance?
PCI compliance is a prescription of security guidelines intended to protect cardholder data during transactions. The standards were embodied in 2004 by the Payment Card Industry Security Standards Council (PCI SSC). This body is made up of major credit card companies such as Visa, MasterCard, American Express, Discover and JCB.
Any company that handles credit card information must comply with these regulations. This is because PCI compliance also protects businesses. The protocols reduce the risk of data breaches and credit card fraud. Consumers also trust entities that take security seriously. This combination of benefits makes your organization safer and more successful.
Why PCI Compliance is Crucial for Small Businesses
There are real-world advantages to following these strict security fundamentals. These are the three main reasons behind compliance:
- Protect customer data: PCI compliance ensures that customer data is handled securely, reducing the risk of destructive data breaches so you and your customers sleep better at night.
- Avoid Financial Sanctions: Failure to comply can result in heavy fines from credit card companies or banks. These fines can run into six figures, which can quickly cripple a small business.
- Strengthens customer confidence: It takes a lot of work and a lot of time to earn a person's trust. PCI compliance speeds up this process as you create peace of mind among your customer base.
Understand essential PCI compliance requirements
PCI DSS involves twelve main requirements. Some mandates involve more technical knowledge to implement. But they are all crucial to a secure payment environment.
Let's explore each of the fundamental requirements.
- Install and maintain a secure network: This step includes using firewalls to protect data and block unauthorized access to your network.
- Use strong passwords and security settings: Avoid using default or weak passwords for systems and devices. Use strong, unique passwords that are difficult to guess.
Related: How to create a strong password
- Protect stored cardholder data: Encrypt sensitive data, such as credit card numbers, when storing it. Store only the data necessary for business operations and ensure it is protected.
- Encrypt cardholder data transmission: Use encryption protocols such as SSL or TLS to protect data when transmitted over public networks.
- Use and maintain antivirus software: Antivirus software helps prevent malware and other threats from compromising your systems. Keep this software updated to ensure it can defend against new threats.
- Develop and maintain secure systems and applications: Update software regularly, including security patches, to protect against known vulnerabilities.
- Restrict access to cardholder data: Limit access to only employees who need it for their job duties. This step reduces the risk of unauthorized persons accessing the data.
- Identify and authenticate access to system components: Implement user IDs and passwords to monitor who accesses cardholder data and system components.
- Restrict physical access to cardholder data: Ensure that any physical copies of cardholder data, such as receipts and photocopies, are stored securely and only accessible to authorized personnel.
- Tracking and monitoring access to network resources: Use logging mechanisms to monitor access to network resources and cardholder data. Periodically review these logs for any suspicious activity.
- Periodically test security systems and processes: Perform vulnerability scanning and penetration testing to identify and resolve weaknesses in your security systems.
- Maintain an Information Security Policy: Develop a written security policy that clearly outlines your organization's approach to PCI compliance and data protection.
The four levels of PCI compliance
PCI compliance is classified into four levels based on the number of credit card transactions your company processes annually. Understanding these levels can help you determine which requirements apply to your situation.
Level 1 | More than 6 million card transactions per year from all sales channels. | You must undergo an annual on-site assessment by a Qualified Security Assessor (QSA). |
Level 2 | 1 to 6 million card transactions annually from all sales channels. | You must complete an annual Self-Assessment Questionnaire (SAQ) and perform a quarterly network scan by an Approved Scanning Vendor (ASV). |
Level 3 | Between 20,000 and 1 million e-commerce transactions per year. | You must complete an annual SAQ and undergo quarterly network analysis. |
Level 4 | Less than 20,000 e-commerce transactions per year, EITHER 1 million or fewer transactions from all sales channels. |
You must complete an annual SAQ and perform quarterly scans. |
Most small businesses are at Level 3 or 4. As a result, they can often manage compliance on their own with the right tools and guidance.
Achieve PCI Compliance for Your Small Business
Achieving PCI compliance can be overwhelming. However, each step is manageable even among smaller organizations. Here's a step-by-step guide to help you get started:
Step 1: Determine your PCI compliance level
Identify your tier based on the volume of credit card transactions your business processes annually. This figure dictates the type of assessment and documentation you must complete.
Step 2: Complete a self-assessment questionnaire (SAQ)
The SAQ is a series of questions that evaluate your organization's security practices. Choose the form that matches your business model and payment methods. For example, SAQ A is suitable for merchants who outsource all cardholder data functions to a third party.
Advice: The SAQs and related resources can be found on the PCI Security Standards Council website.
Step 3: Perform a vulnerability scan
Work with an Approved Scanning Vendor (ASV) to perform a vulnerability audit of your systems. This procedure reveals security weaknesses in your network.
Step 4: Address any security gaps
Analyze the results of the SAQ and vulnerability scanning to address any identified weaknesses. This response could involve updating your firewall, improving password practices, or implementing stronger encryption.
Step 5: Submit Certification of Compliance (AOC)
Once you have passed the necessary assessments and scans, submit your compliance statement to your bank or payment processor. This documentation demonstrates that you have met PCI DSS requirements.
Step 6: Maintain ongoing compliance
PCI compliance is an ongoing effort. Regularly monitor your security practices, perform quarterly scans, and keep software and systems updated to stay safe.
Related: 14 PCI Compliance Security Best Practices for Your Business
Common PCI Compliance Myths Debunked
There are tons of false claims and rumors about PCI compliance. We deny the most common claims.
- “PCI compliance is only for large companies”: Entities of any size must comply with PCI DSS to accept bank cards. In fact, smaller establishments are often more attractive to criminals due to perceived poor security.
- “PCI compliance ensures total security”: PCI compliance is just one part of your broader data security strategy. It is not entirely foolproof and data breaches can still occur. Still, it is an important protective measure that drastically reduces the likelihood of being a victim of fraud.
- “PCI compliance is too expensive for small businesses”: Smaller companies enjoy a more lax (and less expensive) approval process. Plus, regardless of size, prevention is the best medicine. A data breach can result in massive costs and reputational damage, making PCI compliance a prudent and cost-effective route.
Frequently asked questions
What does PCI mean?
PCI stands for Payment Card Industry. This term refers to the group of companies that process bank card transactions. Some notable entities are Visa, Mastercard and Discover.
What does PCI compliance mean?
PCI compliance means adhering to the standards outlined in the Payment Card Industry Data Security Standard (PCI DSS). The goal of compliance is to operate your business securely to safeguard consumer data and minimize the risk of fraud and cyber attacks.
What are the four levels of PCI compliance?
The four levels of PCI compliance revolve around the number of credit card transactions a company processes annually. Here are the criteria for each:
- Level 1: More than 6 million transactions a year.
- Level 2: From 1 to 6 million transactions per year.
- Level 3: Between 20,000 and 1 million e-commerce transactions each year.
- Level 4: Less than 20,000 e-commerce transactions or up to 1 million transactions across all channels each year.
Is PCI compliance a legal requirement?
PCI compliance is not a legal mandate. It is a requirement imposed by credit card companies and banks. Failure to comply may result in fines, increased transaction fees, or the possibility of being banned from the payment processor.
Can I become PCI compliant myself?
Yes, small business owners can achieve PCI compliance on their own. Entities with fewer than 20,000 e-commerce transactions per year, or fewer than one million transactions from any sales channel, have more relaxed compliance requirements. If your business falls into either of these two categories, you are more likely to be successful in managing PCI compliance yourself.