If you’re running a small business, your customers want you to take credit cards.

That means you have to keep their credit card and personal information safe. Following small business PCI compliance standards is the best way to protect your customer data and avoid any fees associated with PCI compliance violations.

This guide will walk you through the basics of PCI compliance so that you have a clear understanding of what it is, the importance of compliance, and the consequences of non-compliance.

What is PCI Compliance?

When you or any other small business takes a customer’s credit card, you receive a great deal of sensitive data. The payment card industry (PCI) sets security standards for any business that deals with credit card information so that your patrons’ sensitive data is protected. The major credit card brands, which include American Express, Discover, MasterCard, and Visa, established these standards, known as the Payment Card Industry Data Security Standards (PCI DSS), and continue to manage PCI compliance in accordance with these standards.

What PCI Levels and Requirements Apply to Your Business?

If you accept credit or debit cards, small business PCI compliance is a must regardless of the size of your business. You must comply with all applicable standards even if you only process one credit card transaction per year. If your business has multiple locations with separate tax ID numbers, you’ll need to validate PCI compliance at each individual location. If all of your locations operate under one tax ID, typically you are only required to validate PCI compliance annually for all locations. When applicable, you may also need to pass network scans for each location on a quarterly basis.

For merchants, determining the level of PCI compliance required can be tricky. It often depends on how many payment card transactions you handle each year, as well as on the credit issuer. For example, if you process more than 6 million Visa transactions each year, you're considered a Level 1 merchant, and you must undergo a full PCI compliance audit annually. Merchants at Levels 2 and 3, processing 1 million to 6 million Visa transactions and 20,000 to 1 million Visa transactions a year, respectively, must complete an annual PCI self-assessment and are also subject to network security scans each quarter.

As a small business at Level 4, processing up to 1 million total Visa transactions in a storefront, or fewer than 20,000 ecommerce transactions annually, you must complete a Self-Assessment Questionnaire (“SAQ”) and an Attestation of Compliance (“AOC”) form annually, as well as have an approved scan vendor (“ASV”) conduct a quarterly network scan, if applicable.

To stay up to date on PCI compliance information for individual credit issuers, click on the appropriate payment card brand below:

American Express

The requirements you must meet for small business PCI compliance include the following:

  • You must use credit card terminals and PIN pads that are up to date and compliant with PCI DSS.
  • You must not store any cardholder data in any way. This includes everything from storing it on a computer to jotting down a credit card number on a scrap of paper. If your credit card terminal and PIN pad are PCI-compliant, they are programmed to make sure you remain compliant with this requirement automatically.
  • You must use strong passwords. To do this, you should change any default passwords immediately and require your staff to change passwords on a regular basis. Consider using a password generator like 1Password to create strong passwords.
  • You must train your employees about small business PCI compliance.
  • Your point of sale (POS) and payment gateway software must be PCI-compliant and validated.
  • Your wireless router must be encrypted and password protected.
  • You must check your PIN pads and any other PIN entry devices to make sure that skimmers haven’t been installed. Skimmers are devices that criminals attach to PIN pads to capture credit card information when a card is swiped or entered, and they can take many forms. Also, check your computers for any rogue software or executable files.
  • You must install firewalls on your computers and your internal network. Your computer’s operating system probably already has a firewall as part of its security software, but check to make sure it’s operating properly.


The Self-Assessment Questionnaire (SAQ) is a PCI Standard validation tool to assist merchants and merchant services providers in demonstrating their compliance with industry standards. According to the PCI Data Security Standard Guidelines, there are five Standard SAQ validation categories that apply. Because individual merchants are ultimately liable for fines and assessments, you should always refer to these validation categories to select the SAQ and Attestation that best apply to your business.

What Does It Cost to Be PCI-Compliant?

The cost associated with PCI compliance varies according to the merchant classification level. For Level 4 merchants, PCI compliance costs can be as low as $10 a month, but vary greatly depending on a variety of factors including business type, software, hardware, vulnerability scanning, and SAQ.

These PCI compliance costs, however, are minimal when compared to non-compliance fines, which range from $5,000 to $50,000 and which payment brands can adjust at their discretion. Establishing a PCI compliance plan and updating it regularly can help prevent data breaches, keep your costs down, and maintain your customers’ trust and loyalty.

Yamarie Grullon

Yamarie Grullon has years of experience creating helpful & engaging content for small business owners. As Director of Content Strategy at ShopKeep, a leading iPad Point of Sale System, Yamarie provides merchants with practical advice on all things related to business or point of sale.