PCI Compliance Meaning and What You Need to Know
Do you want to learn more about PCI compliance?
Even as a small retail business owner, you should accept credit card payments, because your customers expect convenient payment options.
Accepting cards, however, means meeting the PCI compliance standards that protect your customers' card data. Meeting the standard keeps security incidents to a minimum and helps you avoid the fines that follow a breach.
Below is what your retail business has to do to accept credit cards while following the PCI compliance standards.
PCI compliance is a security standard within the payment processing industry.
What Is PCI compliance?
PCI stands for Payment Card Industry, and PCI DSS for Payment Card Industry Data Security Standard. It is a set of security requirements designed to protect both the consumer and the merchant during a payment. The requirements exist, first and foremost, to keep credit card information secure: when you hand over a credit card, you are trusting the merchant to keep that information safe.
The PCI Security Standards Council (PCI SSC) was founded by the major card brands (American Express, Discover, JCB, Mastercard and Visa) to develop and maintain the security standards for the payment industry. To protect card data, the council sets minimum requirements covering:
- Policies and procedures
- Software design
- Network architecture
- Security management
- Other critical protective measures
Who Needs to be PCI Compliant?
Any merchant, regardless of the size of the business, that accepts credit cards as a payment option must comply with the PCI DSS.
You must comply whether you accept credit or debit cards, and even if you process only a single transaction a year.
When a business has multiple locations with separate tax ID numbers, it needs to validate PCI compliance at each location. If all locations operate under one tax ID number, you are usually required to validate compliance once a year for all locations together.
Which PCI Level Applies to Your Business?
When it comes to PCI compliance, merchants are often unsure of the level they fall into and how much work it requires. The level is assigned by the card brands and your acquiring bank, based on your annual transaction volume and acceptance channel. Visa and Mastercard define four levels:
- Level 1: any merchant that handles more than 6 million Visa or Mastercard transactions a year, regardless of channel; any merchant whose cardholder data has previously been compromised; and any merchant the card brand has designated as Level 1.
- Level 2: any merchant that processes 1 million to 6 million Visa or Mastercard transactions a year, regardless of channel.
- Level 3: any merchant that processes 20,000 to 1 million Visa or Mastercard eCommerce transactions a year.
- Level 4: any merchant that processes fewer than 20,000 Visa or Mastercard eCommerce transactions a year, and any other merchant processing up to 1 million transactions a year, regardless of acceptance channel (card present, card not present, etc.).
If you are unsure which of these four categories your business falls into, contact your acquiring bank or payment processor, which assigns your level and tells you how you must validate compliance.
What Are PCI Requirements?
The following are the requirements to become PCI compliant.
Keep the point of sale up to date.
- Make sure that your credit card terminals and PIN pads are compliant with the PCI Data Security Standard (PIN entry devices should be on the PCI PTS approved-device list).
- To protect your customers' information, use POS and payment gateway software that has been validated against the PCI standards.
- The wireless router you use must be password protected and must use strong encryption (WPA2 or WPA3; WEP is explicitly prohibited by PCI DSS).
- Inspect your PIN pads and other PIN entry devices regularly and make sure that skimmers have not been installed. Criminals attach skimmers to PIN pads to capture card data when a card is swiped.
Do not store cardholder data you do not need.
- Never write down or store card numbers (on paper or on a computer) unless you genuinely need them, and never store sensitive authentication data (the full magnetic stripe or chip data, the CVV2/CVC2 security code, or the PIN) after a transaction is authorized, not even in encrypted form.
- PCI-compliant credit card terminals and PIN pads are programmed to comply with this requirement.
Use strong passwords.
Changing vendor default passwords is one of the first PCI DSS requirements, because the default credentials on routers, terminals and POS systems are well known to attackers. The best thing you can do as an employer is to change every default password, require staff to use strong, unique passwords, and turn on multi-factor authentication wherever your systems support it. To create strong passwords, consider using a password generator or a password manager.
Employees should be trained about PCI compliance.
There are videos and online courses that can help achieve this.
Install firewalls on internal networks and computers.
Separate the systems that handle card payments from the rest of your network and from the public internet, and check that the operating-system firewall on every computer that touches payments is enabled and running.
Why Does PCI DSS Matter?
Credit card fraud is a real problem, and the PCI standards are designed to help protect everyone involved from it.
When cardholder data is stolen or breached, your customers lose trust in you and in the other merchants they do business with, which can have negative financial consequences for both parties.
What Will Happen If Your Business Is Not PCI Compliant?
If your company is not in compliance with the PCI DSS, you will be charged penalties and fees. Non-compliance penalties, which the payment brands set at their discretion, can range from $10,000 to $50,000 in fines. Aside from the fees, you may also lose the right to process credit card transactions.
In the event of a hack or breach, merchants may also be subject to the following:
- Fines from the card associations
- Costs passed on by the issuing banks, such as card reissuing costs, fraud losses and fraud monitoring expenses
- The cost of a mandatory forensic investigation (typically by a PCI Forensic Investigator)
- Damage to your brand and reputation
- Government fines
Staying compliant, by contrast, helps maintain customer trust and loyalty.
How to Meet PCI Standards
Knowing what PCI compliance means is not enough; you also have to achieve and validate it. Each merchant has to go through a set of steps.
Merchants at levels 2, 3 and 4 can validate by completing a yearly Self-Assessment Questionnaire (SAQ). Where applicable, quarterly external network vulnerability scans must be run by a PCI Approved Scanning Vendor (ASV).
Level 1 merchants need to undergo a more rigorous validation: an annual on-site assessment by a Qualified Security Assessor (QSA) or a certified Internal Security Assessor, which produces a Report on Compliance (ROC). Whatever your level, keep your validation documentation in order.
The exact steps depend on the merchant's classification and risk level (as determined by the individual payment card brands and your PCI level). They are:
- PCI DSS scoping: determine which networks and system components store, process or transmit cardholder data, or are connected to systems that do, and are therefore in scope for PCI DSS.
- Assessment: examine the in-scope system components against the PCI DSS requirements by carrying out the testing procedures defined for each requirement.
- Reporting: the entity or assessor submits the required documentation, such as the SAQ or Report on Compliance (ROC), together with the Attestation of Compliance (AOC).
- Clarifications: the entity or assessor clarifies or updates the report statements, if applicable, at the request of the acquiring bank or payment card brand.