What Is PCI Compliance?

What Is PCI Compliance and How To Become Compliant

As a small business owner, one of the most important things you can do is educate yourself on cybersecurity and how to prevent data breaches. If your business accepts credit card payments in person and/or online, cyber criminals are trying to get their hands on that cardholder information.

A data breach can be very costly, even for small businesses. According to a 2020 report by Kaspersky, the average cost of a single incident for small to medium businesses was $101,000.

To help businesses protect their customers’ payment data, the PCI Security Standards Council, consisting of Visa, Mastercard and Discover, established the Payment Card Industry Data Security Standards (PCI DSS). Today, all businesses that accept credit card payments are required to be PCI compliant.

What Is PCI Compliance and Why Is It Important?

The PCI Data Security Standards are designed to ensure all companies that accept, process or store credit card information maintain a secure environment for their data to prevent fraud. It is a self-regulated mandate that is enforced by credit card networks and processors.

By adhering to PCI standards, you can protect your business in the following ways:

• You will be protected from lawsuits from customers whose credit card information was exposed.
• You will not incur fees or fines from credit card networks.
• Your reputation with customers will not be harmed. You don’t want to be known as the business that lost everyone’s credit card information in a data breach.

Common Mistakes That Lead to Non-Compliance

One of the most common mistakes that could make you non-compliant is writing down the customers’ credit card number on a sheet of paper and not destroying it as soon as it has been used. Cardholder information kept this way can be easily stolen by employees or other individuals.

Another mistake is not adding a standard CAPTCHA to your online payment page. Hackers will oftentimes use bots to test out stolen credit card numbers with many small transactions ($1 or less) to see if they work. This is especially prevalent for nonprofit donation pages, where the payor can select the amount. The CAPTCHA helps ensure that only a human is utilizing the payment page.

How To Become PCI Compliant

The requirements for becoming PCI compliant vary based on your transaction volume over a 12-month period. Merchants will fall into one of four categories:

• Level 1: More than 6 million card transactions annually.
• Level 2: 1 to 6 million transactions annually.
• Level 3: 20,000 to 1 million transactions annually.
• Level 4: Fewer than 20,000 transactions annually.

If your business has multiple locations or you are operating multiple businesses, Visa will add those transactions together to determine your level.

Depending on your level, you will complete a Self Assessment Questionnaire (SAQ) once per year where you think about how you are handling cardholder information. Some sample questions may include:

• Are all users assigned a unique ID before allowing them to access system components or cardholder data?
• Is all media destroyed when no longer needed for business or legal reasons?
• Is there a written agreement between you and the service provider (card processor) that acknowledges the provider’s responsibility for card data security?

The questionnaire may serve as a roadmap to compliance. If you don’t pass on the first try, you can make changes to your security procedures based on the results and take it again.

Once you’ve completed the SAQ and made changes to become compliant, you must ensure that the policy is written down and your employees know the proper way to handle customer payment information.

Our partners at Professional Solutions work with SecurityMetrics to administer the SAQs and they have outlined the 12 requirements of PCI DSS compliance on their blog.

What if I’m Not PCI Compliant?

The ramifications of not being PCI compliant range from a small monthly fee to a fine large enough to put some small companies out of business.

• Your credit card processor may charge you a monthly fee of up to $100 until you complete an SAQ and achieve compliance.
• If there is a data breach and your customers’ credit card information is compromised, a credit card network could charge you a fine of $5,000 or more. Depending on how many cards are compromised in an attack, the fine could be as high as $500,000 or more.
• The merchant account that suffered a breach may be terminated and you could be blacklisted from opening merchant accounts with other processors.

Professional Solutions Offers a Quality PCI Compliance Program

When you select our partners at Professional Solutions as your credit card processor, becoming and remaining PCI compliant is easy. All merchant customers are automatically enrolled in their PCI DSS program through Security Metrics and the compliance requirements can be completed online.

To learn more about PCI compliance and credit card processing through Professional Solutions, visit their website.

For more tips on how to improve your small business cybersecurity, check out this post on the Biz Buzz Blog.