You likely accept credit and debit card payments every day. But with so much sensitive data, you need robust protection against hackers. Luckily, there is a standardized checklist of measures to defend against fraud.
These security protocols are called the Payment Card Industry Data Security Standard (PCI DSS). Since that’s a mouthful, people simply say a business is “PCI compliant” to mean it follows these strict protective measures. The top credit card companies enforce these rules.
Let’s dive into why your small business needs to stay PCI-compliant.
What is PCI compliance?
PCI compliance means following a set of security guidelines intended to protect cardholder data during transactions. The standards were introduced in 2004 by the Payment Card Industry Security Standards Council (PCI SSC). This body is composed of major credit card companies such as Visa, Mastercard, American Express, Discover, and JCB.
Any business that handles credit card information should adhere to these regulations. That’s because PCI compliance also protects businesses. The protocols slash the risk of data breaches and credit card fraud. Consumers trust entities that take security seriously, too. This medley of benefits makes your organization more secure — and more successful.
Why PCI compliance is crucial for small businesses
There are real-world perks to following these strict security fundamentals. Here are the three main motives behind compliance:
- Protects Customer Data: PCI compliance ensures customer data is handled securely, lowering the risk of destructive data breaches so you and your customers sleep better at night.
- Avoids Financial Penalties: Non-compliance can result in steep fines from credit card companies or banks. These fines can reach six figures, which can quickly cripple a small business.
- Strengthens Customer Trust: It takes hard work and lots of time to earn a person’s trust. PCI compliance accelerates this process as it develops peace of mind among your customer base.
Understanding essential PCI compliance requirements
PCI DSS involves twelve primary requirements. Some mandates involve more technical knowledge to implement. But they’re all crucial to a secure payment environment.
Let’s explore each of the fundamental requirements.
- Install and Maintain a Secure Network: This step includes using firewalls to protect data and block unauthorized access to your network.
- Use Robust Passwords and Security Settings: Avoid using default or weak passwords for systems and devices. Employ strong, unique passwords that are difficult to guess.
- Protect Stored Cardholder Data: Encrypt sensitive data, such as credit card numbers, when storing them. Only store data necessary for business operations and ensure it is protected.
- Encrypt Transmission of Cardholder Data: Use encryption protocols like SSL or TLS to protect data when it is transmitted over public networks.
- Use and Maintain Anti-Virus Software: Anti-virus software helps prevent malware and other threats from compromising your systems. Keep this software updated to ensure it can defend against new threats.
- Develop and Maintain Secure Systems and Applications: Regularly update software, including security patches, to protect against known vulnerabilities.
- Restrict Access to Cardholder Data: Limit access to only employees who need it for their job duties. This step reduces the risk of data being accessed by unauthorized individuals.
- Identify and Authenticate Access to System Components: Implement user IDs and passwords to monitor who accesses cardholder data and system components.
- Restrict Physical Access to Cardholder Data: Ensure that any physical copies of cardholder data, such as receipts and photocopies, are stored securely and accessible only to authorized personnel.
- Track and Monitor Access to Network Resources: Use logging mechanisms to monitor access to network resources and cardholder data. Regularly review these logs for any suspicious activity.
- Regularly Test Security Systems and Processes: Conduct vulnerability scans and penetration testing to identify and resolve weaknesses in your security systems.
- Maintain an Information Security Policy: Develop a written security policy that clearly spells out your organization’s approach to PCI compliance and data protection.
The four levels of PCI compliance
PCI compliance is categorized into four levels based on the number of credit card transactions your business processes annually. Understanding these tiers can help you determine which requirements apply to your situation.
| Level | Transaction volume | Validation requirements |
|---|---|---|
| Level 1 | Over 6 million card transactions per year from all sales channels. | Must undergo an annual on-site assessment conducted by a Qualified Security Assessor (QSA). |
| Level 2 | 1 to 6 million card transactions annually from all sales channels. | Must complete an annual Self-Assessment Questionnaire (SAQ) and conduct a quarterly network scan by an Approved Scanning Vendor (ASV). |
| Level 3 | 20,000 to 1 million e-commerce transactions annually. | Must complete an annual SAQ and undergo quarterly network scans. |
| Level 4 | Fewer than 20,000 e-commerce transactions annually, OR 1 million or fewer transactions from all sales channels. | Must complete an annual SAQ and conduct quarterly scans. |
Most small businesses fall under Level 3 or Level 4. As a result, they can often manage compliance themselves with the right tools and guidance.
Achieving PCI compliance for your small business
Achieving PCI compliance can feel daunting. However, each step is manageable even for smaller organizations. Here’s a step-by-step guide to help you get started:
Step 1: Determine your PCI compliance level
Identify your level based on the volume of credit card transactions your business processes annually. This figure dictates the type of assessment and documentation you need to complete.
Step 2: Complete a self-assessment questionnaire (SAQ)
The SAQ is a series of questions that assess your organization’s security practices. Choose the form that matches your business model and payment methods. For example, SAQ A is suitable for merchants that outsource all cardholder data functions to a third party.
Tip: SAQs and related resources can be found on the PCI Security Standards Council website.
Step 3: Conduct a vulnerability scan
Work with an approved scanning vendor (ASV) to perform a vulnerability audit of your systems. This procedure surfaces security weaknesses in your network.
Step 4: Address any security gaps
Analyze the SAQ and vulnerability scan results to address any identified weaknesses. This response could involve updating your firewall, improving password practices, or deploying more robust encryption.
Step 5: Submit attestation of compliance (AOC)
Once you’ve cleared the necessary assessments and scans, submit your attestation of compliance to your bank or payment processor. This documentation proves you’ve cleared the PCI DSS requirements.
Step 6: Maintain ongoing compliance
PCI compliance is an ongoing effort. Regularly monitor your security practices, conduct quarterly scans, and keep software and systems updated to stay in the clear.
Common PCI compliance myths debunked
There are oodles of false claims and hearsay surrounding PCI compliance. Let’s debunk the most common assertions.
- “PCI Compliance is Only for Large Businesses”: Entities of any size must comply with PCI DSS to accept bank cards. In fact, smaller establishments are often more attractive to criminals due to a perception of substandard security.
- “PCI Compliance Guarantees Complete Security”: PCI compliance is only one part of your broader data security strategy. It’s not entirely foolproof, and data breaches can still happen. Still, it’s a significant protective measure that dramatically cuts the likelihood of falling victim to fraud.
- “PCI Compliance is Too Expensive for Small Businesses”: Smaller businesses enjoy a more lax (and less expensive) approval process. Plus, regardless of size, prevention is the best medicine. A data breach can result in massive costs and reputational damage, so PCI compliance is a prudent and cost-effective route.
FAQ
What does PCI stand for?
PCI stands for Payment Card Industry. This term refers to the group of companies that process bank card transactions. Some prominent entities are Visa, Mastercard, and Discover.
What does PCI compliance mean?
PCI compliance means adhering to the standards outlined in the Payment Card Industry Data Security Standard (PCI DSS). The goal of compliance is to operate your business securely to safeguard consumer data and minimize the risk of fraud and cyberattacks.
What are the four levels of PCI compliance?
The four levels of PCI compliance revolve around the number of credit card transactions a business processes annually. Here are the criteria for each one:
- Level 1: Over 6 million transactions annually.
- Level 2: 1 to 6 million transactions per year.
- Level 3: 20,000 to 1 million e-commerce transactions each year.
- Level 4: Fewer than 20,000 e-commerce transactions or up to 1 million transactions across all channels every year.
Is PCI compliance required by law?
PCI compliance is not legally mandated. It’s a requirement imposed by credit card companies and banks. Failing to comply can lead to fines, increased transaction fees, or the possibility of getting banned from the payment processor.
Can I do PCI compliance myself?
Yes, small business owners can achieve PCI compliance on their own. Entities with fewer than 20,000 e-commerce transactions annually, or fewer than one million transactions from any sales channel, have more lax compliance requirements. If your business falls under either of these two categories, then you are more likely to succeed at handling PCI compliance yourself.