What Is PCI Compliance and What Does It Mean for My Business?

Rounding it up

• PCI compliance varies on levels, or the number of transactions you process in a year.
• There are 12 requirements to compliance and most businesses will perform a security scan, fill out some forms and sign an attestation.
• Larger businesses may have to have third-party security scanners come on site to audit the network.
• PCI compliance isn’t overwhelmingly expensive, but it can be if you don’t do it right. Merchants often their PCI status, or perhaps putting it on the backburner. Over time, this risks being shut down by a processor for not being PCI compliant!

As a business owner, you’re assuredly concerned with your security. If you’ve got brick-and-mortar stores, you want to ensure that goods are locked, the store has trustworthy employees and you’ve got the processes in place that employees can easily follow to keep your store secure. You’ve also got electronics policies that help ensure your point-of-sale and other systems are secure. What are you doing, however, to keep your customers’ information protected against hackers and thieves?

That’s what PCI - or Payment Card Industry - compliance is all about. While not technically required by law, PCI compliance is a crucial way that customers, other businesses and your banking partners know that you’re handling information securely. Here, we’ll look at what PCI compliance is, what it can do for you and why being compliant is such a good idea.

Curious about PCI compliance? Swipesum provides information on PCI in account approval emails, during onboarding, and after onboarding. We provide links and information for video tutorials that lead you through the questionnaires to get compliant. Book a free consultation today.

What is PCI?

PCI stands for Payment Card Industry and compliance with it means that your business has achieved and continues to follow the Payment Card Industry Data Security Standards. In the simplest terms, PCI are a series of standards that establish what a merchant or business needs to do to ensure they’re handling credit card information appropriately. By completing the Data Security Standards Process, businesses are proclaimed to be PCI compliant. So what does that actually mean?

What are the Steps to Ensure PCI Compliance?

There are 12 major steps to ensure PCI compliance. 

1. Implement firewalls to protect data
2. Appropriate password protection (such as 2FA)
3. Protect cardholder data
4. Encryption of transmitted cardholder data
5. Utilize antivirus and anti-malware software
6. Update software and maintain security systems on a regular basis
7. Restrict access to cardholder data
8. Unique IDs assigned to those with access to data
9. Restrict physical access to data storage
10. Create and monitor access logs
11. Test security systems on a regular basis
12. Create a policy that is documented and that can be followed

The policy boils down to a series of fairly simple security measures that any card processor or business handling payment card information should be able to easily follow. The goal of the requirements is to protect customer data and the requirements are meant to be adopted broadly.

Why do card companies care?

Payment card companies care a great deal about ensuring merchants are handling information securely - but why? Two main reasons. First, credit card companies are generally on the hook for covering fraudulent charges that are on their customers’ accounts. In fact, it’s become a staple of most credit cards and one of the many reasons it can sometimes be smarter for customers to use credit instead of debit. The second reason is that they want to keep their customers happy broadly and so should you!

What happens if I/my processor isn’t compliant?

Like we said in the intro, there is no legal requirement for your business to be PCI compliant. Neither any federal or state law nor any regulation requires compliance. It is, however, mandated if you’re planning to accept credit cards at your business. So what can happen if you’re not PCI compliant? Well, first of all, payment card companies can turn off the spigot. That’s right, they won’t allow you to process payments anymore. If that isn’t bad enough, non-compliance fees start out at $5,000 per incident and go right on up the chain to $20,000. Small businesses won’t survive all that long paying fines like that. 

How do I get PCI compliant?

Generally, your merchant account provider will offer PCI compliance services. There is likely a fee for this service but it can take some of the headache out of managing things yourself. Additionally, you can hire consultants to assist you with PCI compliance. You can also do it yourself, at no cost. All you have to do for PCI compliance is complete and file a self-assessment questionnaire each year along with records of the scans that are required of your payment network. There may be some additional paperwork required but it should all be relatively straightforward for businesses to complete. 

You’ll then sign an attestation form that you agree to remain compliant and that’s it! You’ll get a nice certificate. For most small businesses, this is sufficient and as long as you continue meeting requirements, you won’t have any issues. If you’re a larger business and fall into a higher “compliance level,” you may have to submit your network to security scans by an approved vendor.

What are the Levels of PCI Compliance?

Compliance levels are based on the number of transactions you process in a given year.

• PCI Level 1: Businesses processing over 6 million transactions per year
• PCI Level 2: Businesses processing 1 million to 6 million transactions per year
• PCI Level 3: Businesses processing 20,000 to 1 million transactions per year
• PCI Level 4: Businesses processing less than 20,000 transactions per year

If you’re a small business or perhaps doing some sales on the side, you can see that you likely fall into Level 4. Many medium sized businesses, restaurants, bars and other businesses you may find around town, likely fall into PCI Level 2 or 3. Level 1 is usually reserved for very large companies. 

A few considerations

There are a few things to keep in mind when you’re determining your compliance level, getting PCI compliant and holding on to that designation.

Don’t guess

Your payment processor should have fairly robust reporting tools that allow you to see how many transactions you’ve processed. Get a firm understanding of this number and ensure you apply appropriately. Being too low can result in fines. Being too high means you’re paying for things you don’t need to.

Keep it front of mind

Security of your customers’ information should always be right on the top of your mind. It’s good business and bad data privacy policies can lead to some very expensive lawsuits.

Get help

PCI compliance can be confusing. Determining your level, understanding what you actually need to do - and most importantly, what you don’t - and keeping those programs running can be time consuming and expensive if you do things wrong.

Swipesum can help. Our proprietary software helps analyze your transactions to determine where fees might be bogging your business down. Our consulting services are designed to help you maximize your time running your business, not filling out paperwork.

Swipesum provides information on PCI in account approval emails, during onboarding, and after onboarding. We provide links and information for video tutorials that lead you through the questionnaires to get compliant.