As a business owner, you’re assuredly concerned with your security. If you’ve got brick-and-mortar stores, you want to ensure that goods are locked, the store has trustworthy employees and you’ve got the processes in place that employees can easily follow to keep your store secure. You’ve also got electronics policies that help ensure your point-of-sale and other systems are secure. What are you doing, however, to keep your customers’ information protected against hackers and thieves?
That’s what PCI - or Payment Card Industry - compliance is all about. While not technically required by law, PCI compliance is a crucial way that customers, other businesses and your banking partners know that you’re handling information securely. Here, we’ll look at what PCI compliance is, what it can do for you and why being compliant is such a good idea.
Curious about PCI compliance? Swipesum provides information on PCI in account approval emails, during onboarding, and after onboarding. We provide links and information for video tutorials that lead you through the questionnaires to get compliant. Book a free consultation today.
PCI stands for Payment Card Industry and compliance with it means that your business has achieved and continues to follow the Payment Card Industry Data Security Standards. In the simplest terms, PCI are a series of standards that establish what a merchant or business needs to do to ensure they’re handling credit card information appropriately. By completing the Data Security Standards Process, businesses are proclaimed to be PCI compliant. So what does that actually mean?
There are 12 major steps to ensure PCI compliance.
The policy boils down to a series of fairly simple security measures that any card processor or business handling payment card information should be able to easily follow. The goal of the requirements is to protect customer data and the requirements are meant to be adopted broadly.
Payment card companies care a great deal about ensuring merchants are handling information securely - but why? Two main reasons. First, credit card companies are generally on the hook for covering fraudulent charges that are on their customers’ accounts. In fact, it’s become a staple of most credit cards and one of the many reasons it can sometimes be smarter for customers to use credit instead of debit. The second reason is that they want to keep their customers happy broadly and so should you!
Like we said in the intro, there is no legal requirement for your business to be PCI compliant. Neither any federal or state law nor any regulation requires compliance. It is, however, mandated if you’re planning to accept credit cards at your business. So what can happen if you’re not PCI compliant? Well, first of all, payment card companies can turn off the spigot. That’s right, they won’t allow you to process payments anymore. If that isn’t bad enough, non-compliance fees start out at $5,000 per incident and go right on up the chain to $20,000. Small businesses won’t survive all that long paying fines like that.
Generally, your merchant account provider will offer PCI compliance services. There is likely a fee for this service but it can take some of the headache out of managing things yourself. Additionally, you can hire consultants to assist you with PCI compliance. You can also do it yourself, at no cost. All you have to do for PCI compliance is complete and file a self-assessment questionnaire each year along with records of the scans that are required of your payment network. There may be some additional paperwork required but it should all be relatively straightforward for businesses to complete.
You’ll then sign an attestation form that you agree to remain compliant and that’s it! You’ll get a nice certificate. For most small businesses, this is sufficient and as long as you continue meeting requirements, you won’t have any issues. If you’re a larger business and fall into a higher “compliance level,” you may have to submit your network to security scans by an approved vendor.
Compliance levels are based on the number of transactions you process in a given year.
If you’re a small business or perhaps doing some sales on the side, you can see that you likely fall into Level 4. Many medium sized businesses, restaurants, bars and other businesses you may find around town, likely fall into PCI Level 2 or 3. Level 1 is usually reserved for very large companies.
There are a few things to keep in mind when you’re determining your compliance level, getting PCI compliant and holding on to that designation.
Your payment processor should have fairly robust reporting tools that allow you to see how many transactions you’ve processed. Get a firm understanding of this number and ensure you apply appropriately. Being too low can result in fines. Being too high means you’re paying for things you don’t need to.
Security of your customers’ information should always be right on the top of your mind. It’s good business and bad data privacy policies can lead to some very expensive lawsuits.
PCI compliance can be confusing. Determining your level, understanding what you actually need to do - and most importantly, what you don’t - and keeping those programs running can be time consuming and expensive if you do things wrong.
Swipesum can help. Our proprietary software helps analyze your transactions to determine where fees might be bogging your business down. Our consulting services are designed to help you maximize your time running your business, not filling out paperwork.
Swipesum provides information on PCI in account approval emails, during onboarding, and after onboarding. We provide links and information for video tutorials that lead you through the questionnaires to get compliant.