The Payment Card Industry Data Security Standard (PCI DSS) is a group of guidelines for businesses that accept credit cards. The council that creates the standards is independent of, but commissioned by, the major credit cards companies like Visa. It’s meant to govern PCI compliance to keep consumer info safe from data breaches.
Merchant services providers, such as Chase Merchant Services, must maintain PCI compliance for themselves and for all of their merchant accounts. Unsure of your own PCI compliance? Chase meets the PCI requirements for a Level 1 provider, and it offers tools to help its merchant account holders ensure they’re protecting sensitive data too. Apply for an account today.
What Is PCI Compliance?
The PCI DSS was founded in 2006 to help protect sensitive consumer data, including credit card numbers and personally identifiable information. The major credit card companies — Visa, MasterCard, American Express, Discover, and JCB — are just as concerned about data breaches as consumers.
A common set of guidelines keeps merchant services providers (MSPs), payment processors, payment gateways, and merchants aligned on data security. In practice, this means that anyone involved in credit card payments is required to adhere to a strict set of rules, including:
- Service providers
- Payment applications
- Payment gateways
- Payment processors
There are varying levels for each business, and each level is tied to how much money you process annually in credit card sales. If you want to see if you’re doing everything necessary, look at this PCI compliance checklist.
How PCI Compliance Works
As a merchant, you must adhere to 12 PCI DSS requirements, which can be grouped into six main goals. If you miss one, you could be fined by the PCI DSS, and those fines can get expensive.
The six main goals of any business that needs to maintain PCI compliance:
- Maintain secure physical network
- Guard customer data
- Maintain secure internal network
- Limit data access to need-to-know
- Monitor & test data security systems
- Educate staff on PCI compliance
To do those things, you must use firewalls for physical security; protect data through the use of encryption or literal lock and key; ensure software and apps are secure; and update antivirus software.
Only those who need access should be able to acquire consumer data, and you should be able to track who sees what. Test your security measures often to ensure they’re working as intended, and maintain a policy in your establishment so that staff understand the importance of PCI compliance and what to do and not do with consumer data.
Who Needs to Be PCI-compliant
As mentioned above, literally any entity that accepts credit cards must be PCI-compliant. That means everyone from financial institutions to Etsy shops. While these aren’t laws, they are regulations set by the credit card companies. To continue accepting credit cards for your business, you must comply.
To break down PCI compliance a bit further, here’s a list explaining who needs to follow different guidelines:
- Merchants: Any organization that accepts one or more of the five major credit cards that formed the PCI DSS council
- Merchant service providers: Businesses that transmit, process, or store credit card information for other merchants
- Payment application: Devices or online shopping carts that transmit, process, or store credit card information like credit card readers, ecommerce carts, or point-of-sale systems
- Payment gateway: The middleman for merchants and banks; these companies transmit data between a business running a credit card with a bank that either approves or denies a request for payment
- Payment processor: These all-in-one businesses typically provide the merchant account, payment application, and payment gateway for merchants
As a small business owner, you likely fall under the merchant description. If you’re starting a payment processing company or services provider, then you qualify as both a merchant and the service provider business described above. Figuring out the level to which you belong can seem complicated, but the chart below can help.
PCI Compliance Requirements
Many small business owners may not even know that they have to complete certain actions to be PCI-compliant. Your merchant service provider or payment processor provides you some PCI compliance, but there are still steps you must take.
You must determine which PCI compliance level your business belongs to:

| Level | Who it applies to |
| --- | --- |
| Level 1 | Businesses processing 6 million+ annual Visa transactions |
| Level 2 | Businesses processing 1 to 6 million annual Visa transactions |
| Level 3 | Businesses processing 20K to 1 million annual Visa ecommerce transactions |
| Level 4 | Businesses processing <20K annual Visa ecommerce transactions; businesses processing up to 1 million annual Visa transactions (non-ecommerce) |
PCI Compliance Self-assessment Questionnaire
All small- to medium-sized merchants (Level 4) accepting major credit cards must complete a self-assessment questionnaire (SAQ) as part of the PCI compliance requirements. You’ll have to refer to the chart to figure out which SAQ you must complete.
You can also access the chart at the official PCI DSS website.
For example, if you run an online business, and you use Shopify as your payment gateway and processor, you would fill out the SAQ-A. A brick-and-mortar business that uses a POS system and terminal, such as with Lightspeed, would need to use the SAQ-C document. For manual entry with a virtual terminal, such as when you accept phone orders or invoices online, you are required to complete SAQ-C-VT.
Attestation of Compliance
The Attestation of Compliance (AoC) is a document in which you (if you’re self-auditing) or a qualified security assessor (QSA) declares your business’s level of compliance. The form should be completed, signed, and submitted along with the SAQ and the approved scanning vendor (ASV) scan results. Businesses are expected to submit an AoC annually.
The SAQ and AoC are where you’ll answer questions about PCI compliance requirements, which are as follows:
- Maintain firewall for business devices
- Change vendor-supplied passwords
- Encrypt transmissions of consumer data
- Use updated antivirus software
- Protect stored consumer data
- Restrict access to consumer data
- Maintain secure systems and apps
- Make cardholder data available only on a need-to-know basis
- Create unique ID for every person with business computer access
- Monitor access to network and consumer data
- Test data security regularly
- Maintain data security policy
When a merchant uses a third-party payment processor, most of these PCI compliance requirements are met by the processor. However, you still need to be aware of the regulations, and you must meet the requirements that apply to your own environment, such as firewalls, strong passwords, and restricting access to cardholder data.
Proving PCI Compliance With Vulnerability Scan
Depending on how you accept credit cards, you may have to pay for and schedule regular vulnerability scans with an ASV. An ASV is a third-party company that will conduct quarterly vulnerability scans to validate your PCI compliance. The ASV will determine whether you’re doing everything possible to safeguard consumer credit card and contact information.
What Is an ASV Validating?
An external vulnerability scan is performed by an ASV to determine whether your network is secure and safe for consumers. An ASV can also perform internal scans to detect vulnerabilities, but many merchants choose to do it themselves with the appropriate SAQ.
The external scan tests your internet-facing systems and firewalls from outside your network, while an internal scan looks for weaknesses inside your business’s network. Both are necessary, but the internal scan can be self-performed.
An ASV will give you either a pass or a fail each quarter, which you’ll need to submit to the PCI DSS council. If you make any changes to your network, you’ll have to schedule a new scan as well. Even minor changes can cause a fail. For example, your internet service provider (ISP) may change your public-facing IP address while your ASV is still scanning the old one, which could result in a “host not detected” result.
PCI Compliance Final Step: Submit Documentation
Gather all your documents, including a completed SAQ that’s right for your business type, proof of passing quarterly external scans from an ASV, and any other documents required. You’ll send these to the PCI DSS council either through an e-file option or through snail mail. Your other option is to hire a QSA, who can fill out the documents, organize them, and submit everything for you.
PCI Compliance Services & Fees
To ensure your business maintains PCI compliance, you may be subject to various fees. These could be monthly or annual fees, and their costs range from $10 per month to hundreds of dollars per year. It depends on the service, the type of payment processor you choose, and how you plan to handle AoC and vulnerability scans.
Typically, payment processors like Square and Shopify won’t charge a separate fee for PCI compliance. Rather, they roll the cost of compliance into your monthly fee or transaction fees. A traditional merchant account may come with an added compliance fee, or it’s rolled into a statement fee. Chase Merchant Services doesn’t charge anything for PCI compliance in its pay-as-you-go plan.
Where you can expect to pay PCI compliance fees is when you need a vulnerability scan or you want to hire a QSA:
- ASV scans: Quarterly vulnerability scans of your business environment, such as for firewalls, internet, and so on, are typically charged annually, and the average range is from $200 to $1,000
- QSA service: Merchants with multiple locations might want to hire a QSA for PCI compliance; the fees start at $10,000 and vary based on number of locations and complexity of networks
Charging fees for PCI compliance is common, as these fees go toward keeping data servers updated and maintained and keeping all data security measures firmly in place. Your payment processor, payment gateway, or services provider is in charge of data transmission and storage, so it’s an important and necessary fee however it’s charged.
PCI Noncompliance Fees
Another fee to consider that could show up on your merchant statement is a PCI noncompliance fee. Although it appears to come from your payment processor, it originates with the credit card companies, and some processors may charge more than the standard $19.95 for each month that you are noncompliant. So, be sure to fill out your SAQ and submit your paperwork to avoid this fee.
What if I Don’t Maintain PCI Compliance?
Many businesses aren’t sure if they’re maintaining PCI compliance, and the problem with that is that a cybercriminal can exploit known vulnerabilities in websites, firewalls, and insecure remote access to acquire valuable credit card data. Consider recent data breaches, such as Equifax, when more than 182,000 credit card numbers were exposed. That sort of breach is damaging for credit card companies, banks, and small merchants.
Although PCI compliance is a set of standards rather than a set of laws, it is enforced by the credit card companies. So, what’s the worst-case scenario if you remain noncompliant?
Here are the different scenarios:
- PCI noncompliance fee: You’ll pay $19.95 (or more) per month until you prove your business is PCI-compliant
- PCI noncompliance fine: A security breach occurs, and consumer data is leaked; your records show noncompliance; you’ll pay $5,000 to $100,000 per month of noncompliance
- PCI noncompliance & revocation: Your acquiring bank revokes your ability to accept credit cards, which could be the end of your business
You should take PCI compliance seriously, and do not assume that just because your payment processor is compliant, you’re off the hook. Follow the guidelines and be sure to check the official website for any changes. The PCI compliance requirements evolve as data security does.
PCI Compliance: Frequently Asked Questions (FAQs)
One of the most common questions merchants have about PCI compliance is, “What is required?” There are related questions, as well, which we’ll answer below. If we didn’t cover your question about PCI compliance here, visit our forum to ask it, and we’ll do our best to answer it there.
What Is PCI Compliance?
It is a set of standards created by the five major credit card brands in the industry. It is meant to help protect merchants, service providers, and consumers from costly data breaches.
What Happens If I’m Not PCI-compliant?
You could face noncompliance fees around $19.95 per month, or if your business is involved in a data breach and you’re not PCI-compliant, you could be subject to fines from $5,000 to $100,000 per month by the acquiring bank to recoup associated losses (fraudulent charges, reissue of cards, legal costs, etc.).
Is PCI Compliance Required By Law?
The PCI DSS council created a set of regulations. Though it isn’t required by law, it is required by Visa, MasterCard, American Express, Discover, and JCB. Otherwise, you will not be allowed to accept those credit cards in your store or on your website.
If I Use Square, Do I Still Have to Validate PCI Compliance?
The answer is both no and yes. As long as you’re only using Square hardware and a mobile connection, then Square doesn’t require you to validate individually as Square is PCI-compliant. However, if you are using Wi-Fi at your store to connect and transmit data, you’ll still need to complete an SAQ, as your internal network would be at risk.
Who Enforces PCI Compliance?
The acquiring banks, or credit card brands, are those that govern PCI compliance.
What Does It Cost to Be PCI-compliant?
The range is wide, as it depends on what level of merchant you are. A Level 1 merchant will need to hire a QSA, which could cost around $10,000 to $15,000. Level 4 merchants are likely to find ASVs that will charge $200 to $1,000 annually to perform external vulnerability scans. You may also need to pay $10 to $20 monthly to your MSP for ongoing PCI compliance.
Maintaining PCI compliance should be at the top of any merchant’s to-do list. The PCI compliance requirements are simple, and meeting them isn’t nearly as costly as a data breach would be, especially if you’re noncompliant. Your payment processor or MSP should be PCI-compliant itself, which is necessary for you to be compliant as well.
There are no extra PCI compliance costs when you sign up with Fattmerchant. The services provider maintains its own PCI compliance, and it helps you to become PCI-compliant, too. If you have any questions about maintaining a secure business environment, you can ask a Fattmerchant account manager. Apply for an account today.