PCI compliance is meeting the 12 requirements of the Payment Card Industry Data Security Standard (PCI DSS). The PCI Security Standards Council (PCI SSC) is an independent body founded by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) to maintain the standard; enforcement comes through the card brands and the merchant agreement with your acquiring bank. Any business that accepts, processes, stores, or transmits cardholder data must be PCI compliant to avoid fees, fines, and liability in the event of a data breach.
Merchants eligible to self-assess validate compliance each year by completing the appropriate self-assessment questionnaire (SAQ) and attestation of compliance (AoC) and, where their SAQ calls for it, by passing quarterly external vulnerability scans from an approved scanning vendor (ASV) and running internal scans. The completed forms go to your acquiring bank or payment processor, not to the Council itself.
The 12 requirements of PCI DSS, in the order the standard lists them, are:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Protect all systems against malware and keep antivirus software up to date
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Identify and authenticate access to system components (a unique ID for every person with computer access)
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
Who Needs to Be PCI Compliant?
Anyone involved in processing payments (merchants, service providers, payment processors, and payment gateways) must adhere to PCI DSS. Small and medium-sized businesses (SMBs) are often easier targets than larger, established corporations because many SMBs lack the staff and know-how to protect themselves.
The 12 requirements above are grouped by the standard into six goals that small businesses can use to organize their compliance work:
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
Meeting them takes a firewall in front of the systems that handle card data, physical controls on POS terminals and card readers, current and patched software (including a supported, PCI-validated POS system), and up-to-date antivirus software.
How to Get PCI Compliance for Your Small Business
To validate PCI compliance, you fill out the appropriate self-assessment questionnaire (SAQ) and attestation of compliance (AoC) each year, along with passing quarterly external vulnerability scans where your SAQ requires them. Here are the steps to PCI compliance broken down in detail:
1. Determine Which PCI Compliance Level You Belong To
Merchants are assigned a compliance level by transaction volume, and each level has its own validation requirements: Level 1 merchants need an annual on-site assessment by a qualified security assessor (QSA), while lower levels self-assess. Often your merchant service provider or payment processor covers part of the work, but there are still steps you must take as the merchant. First, determine which level applies to you. Visa's levels are:
- Level 1: more than 6 million Visa transactions a year, through any channel
- Level 2: 1 million to 6 million Visa transactions a year
- Level 3: 20,000 to 1 million Visa ecommerce transactions a year
- Level 4: fewer than 20,000 Visa ecommerce transactions a year, or up to 1 million Visa transactions a year through other channels
The other card brands publish similar tiers, and your acquirer will tell you which level it holds you to. Most small brick-and-mortar businesses fall under Level 4. Small online stores are also Level 4 until they pass 20,000 Visa ecommerce transactions a year, at which point they move to Level 3. There are a few additional steps to achieving PCI compliance for online stores, so be sure you know what you need for ecommerce security.
2. Fill Out the PCI Compliance Self-Assessment Questionnaire
Merchants at Levels 2 through 4 validate with an SAQ (Level 1 merchants need an on-site assessment instead). Which SAQ you fill out depends on how you accept cards, and the SAQ selection chart on the official PCI SSC website walks you through the choice. For example:
- If you run an online business and your checkout is fully hosted by a provider such as Shopify acting as gateway and processor (the customer is redirected to, or fills in an iframe served by, the provider's page), you would fill out the SAQ A. If your own web server delivers the page that collects the card number, the longer SAQ A-EP applies instead.
- A brick-and-mortar business whose POS system, such as Lightspeed, connects to the internet but stores no cardholder data electronically would use the SAQ C. A standalone payment terminal with no connected POS application falls under SAQ B or B-IP, and a validated point-to-point encryption solution under SAQ P2PE.
- For manual keyed entry into a virtual terminal on an isolated workstation, one transaction at a time, such as when you take card details over the phone, you complete SAQ C-VT. If customers instead pay an emailed invoice themselves on the provider's hosted page, that channel is fully outsourced, as with SAQ A.
3. Investigate Your Payment Technology
Internet-facing systems are an obvious target (Verizon's data breach report attributes more than 20% of attacks to web applications), but the advantages of running your business on cloud services far outweigh those risks, especially since there are concrete steps you can take to safeguard data.
Start by choosing a PCI-compliant payment gateway. When looking at the tools and systems you use to run your small business, look for the ability to create dedicated user accounts and logins: only the people who need access should be able to see consumer data, and you should be able to track who sees what. Two-factor authentication matters because, as the Verizon report notes, 27% of attacks involve stolen credentials; point-to-point encryption (P2PE) matters because it keeps plaintext card numbers out of your systems entirely, which shrinks what you have to protect.
It is also important to install all your vendor's security patches and updates promptly; otherwise, you are running with known, exploitable vulnerabilities. Check your settings, too. Nearly half of businesses never change their vendor's default settings, which is exactly what PCI DSS Requirement 2 prohibits: default passwords, default SNMP strings, and unneeded services left enabled.
4. Create and Document Security and Compliance Processes
Almost 60% of small business owners don’t believe they could be targeted by cyber criminals, and about 43% of SMBs have no cybersecurity plan in place. You might not have a full-fledged data privacy team to help with security, but whoever is responsible for ensuring PCI compliance should also create processes for the rest of the business to follow.
It is important to communicate your new PCI compliance measures, why they matter, and how the rest of your staff can contribute. Maintain a policy so that staff understand the importance of PCI compliance and what to do and not do with consumer data (for example, entering customer payment information directly into the processor instead of writing it down).
Create a security policy and governance plan to map out how you will continue to maintain compliance. Include physical checks in that plan: regularly inspect POS systems and card readers for tampering, skimmers, or substituted devices, since not everything is a software control.
5. Complete Your Attestation of Compliance
The AoC is the document you sign to declare your business' compliance status, either yourself if you are self-assessing or via a qualified security assessor (QSA). The form is completed, signed, and submitted to your acquiring bank or processor along with the SAQ and the approved scanning vendor (ASV) scan results, which we discuss below. Businesses are expected to submit an AoC annually.
When a merchant uses a third-party payment processor, most of the technical requirements fall on the processor and your own scope shrinks, but it does not disappear. You still need to know the rules, and you must meet the requirements that apply to your own environment, such as firewalls, strong passwords with no vendor defaults, and restricting access to cardholder data.
6. Prove PCI Compliance With a Vulnerability Scan
Depending on how you accept credit cards, you may have to pay for regular vulnerability scans from an ASV, a third-party company approved by the PCI SSC that scans your internet-facing systems quarterly to validate your PCI compliance. The ASV does not judge whether you are "doing everything possible"; it reports whether any in-scope host has a vulnerability that fails the ASV Program Guide's threshold (a CVSS base score of 4.0 or higher, plus a few categories that fail regardless of score).
What Is a Vulnerability Scan?
An external vulnerability scan is performed by an approved scanning vendor (ASV) from outside your network against your public IP addresses, to show that the systems a customer or attacker can reach have no failing vulnerabilities. Internal scans are a separate obligation: PCI DSS also requires quarterly internal scans of the cardholder data environment, but these do not have to come from an ASV and can be run by qualified staff or another third party.
The external scan tests what is exposed through your perimeter (the firewall, web server, remote-access and mail services), while the internal scan tests the systems behind it, where a compromised workstation or POS would start. Both are necessary; only the external one has to be an ASV scan.
An ASV scan results in a pass or fail each quarter, and the report goes to your acquiring bank or processor with your SAQ, not to the PCI Council. Rescan after any significant change to your network, since even minor changes can turn a pass into a fail: if your internet service provider changes your public IP address and your ASV is still scanning the old one, the report will show the target as "host not detected", and you will have to update the target list and rescan before you can submit it.
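The pass/fail rule the ASV applies is mechanical enough to run yourself before paying for the quarterly scan. The script below is an added example, not code from the original article or from any ASV. It applies the ASV Program Guide threshold (any finding with a CVSS base score of 4.0 or higher fails the host) to a constructed JSON scanner export; the `auto_fail` flag stands in for the finding categories the guide fails regardless of score and is assumed to be set by whatever scanner you export from. A host the scanner could not reach is reported separately, because that is the "host not detected" situation that needs a scope correction or a rescan rather than a patch.

```python
"""Triage scanner findings against the ASV pass/fail rule before the paid scan.

Added example, not code from the original page or from any ASV. Threshold:
a CVSS base score of 4.0 or higher on an in-scope host fails the scan (PCI
SSC ASV Program Guide). `auto_fail` models categories that fail regardless
of score and is assumed to come from the exporting scanner.
"""
import json
from collections import defaultdict

ASV_FAIL_THRESHOLD = 4.0  # CVSS base score at or above which an ASV scan fails

# Constructed sample export shaped like a typical JSON scanner report.
# Addresses are from the 203.0.113.0/24 documentation range.
SAMPLE_FINDINGS_JSON = json.dumps([
    {"host": "203.0.113.10", "port": 443, "cvss": 7.5,
     "title": "TLS 1.0 enabled on HTTPS service"},
    {"host": "203.0.113.10", "port": 80, "cvss": 0.0,
     "title": "HTTP server version disclosed in banner"},
    {"host": "203.0.113.11", "port": 22, "cvss": 2.6,
     "title": "SSH weak MAC algorithms offered"},
    {"host": "203.0.113.12", "port": None, "cvss": 0.0,
     "title": "Host not detected", "alive": False},
])


def parse_findings(text):
    """Load a JSON finding list and normalise each record.

    Missing `alive` defaults to True and missing `auto_fail` to False. A CVSS
    score outside 0.0-10.0 is rejected rather than silently clamped, since a
    bad export could otherwise hide a failing finding.
    """
    findings = []
    for rec in json.loads(text):
        cvss = float(rec.get("cvss", 0.0))
        if not 0.0 <= cvss <= 10.0:
            raise ValueError(f"CVSS out of range for {rec['host']}: {cvss}")
        findings.append({
            "host": rec["host"],
            "port": rec.get("port"),
            "cvss": cvss,
            "title": rec.get("title", ""),
            "auto_fail": bool(rec.get("auto_fail", False)),
            "alive": bool(rec.get("alive", True)),
        })
    return findings


def evaluate(findings, threshold=ASV_FAIL_THRESHOLD):
    """Apply the ASV rule per host and overall.

    Returns the overall result, the failing hosts, the hosts the scanner could
    not reach (needs a scope check or rescan, not a fix), and per-host detail.
    """
    per_host = defaultdict(lambda: {"status": "PASS", "failing": []})
    for f in findings:
        entry = per_host[f["host"]]
        if not f["alive"]:
            entry["status"] = "NOT DETECTED"
            continue
        if f["auto_fail"] or f["cvss"] >= threshold:
            entry["status"] = "FAIL"
            entry["failing"].append(f)
    failing = sorted(h for h, e in per_host.items() if e["status"] == "FAIL")
    unreachable = sorted(h for h, e in per_host.items()
                         if e["status"] == "NOT DETECTED")
    return {
        "result": "FAIL" if failing else "PASS",
        "failing_hosts": failing,
        "unreachable_hosts": unreachable,
        "per_host": dict(per_host),
    }


def without(findings, title):
    """Return the findings minus those with the given title, to model a fix."""
    return [f for f in findings if f["title"] != title]


if __name__ == "__main__":
    findings = parse_findings(SAMPLE_FINDINGS_JSON)
    report = evaluate(findings)
    print("Overall:", report["result"])
    for host, entry in sorted(report["per_host"].items()):
        print(f"  {host}: {entry['status']}")
        for f in entry["failing"]:
            print(f"    CVSS {f['cvss']:.1f} port {f['port']}: {f['title']}")
    for host in report["unreachable_hosts"]:
        print(f"  {host}: confirm the address is still in scope, or rescan")
    # Disabling TLS 1.0 removes the only failing finding; the low-scored SSH
    # item stays as an observation and the scan would pass.
    fixed = evaluate(without(findings, "TLS 1.0 enabled on HTTPS service"))
    print("After remediation:", fixed["result"])
```

Run it on your own scanner's export (most scanners can emit JSON with a host, a CVSS score and a title per finding) and fix every host marked FAIL before the ASV scan; the NOT DETECTED list is the set of addresses to reconcile with what you told the ASV to scan.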
7. Submit PCI Compliance Documentation
Gather all your documents, including the completed SAQ that is right for your business type, the signed AoC, and proof of passing quarterly external scans from an ASV. You send these to your acquiring bank or payment processor, usually through the compliance portal they provide, not to the PCI Council, which does not collect merchant paperwork.
8. Track and Test Your Systems
Data security and PCI compliance aren’t set-it-and-forget-it. It’s important to test your security measures often to ensure they’re working as intended. Only a little more than half of organizations successfully test their data security programs, and only two-thirds track and monitor system access adequately.
The Importance of PCI Compliance
Not only is every business susceptible to data breaches, but consumers are increasingly aware of the steps merchants can take to protect their information. And this is influencing their purchase decisions.
One survey found that 61% of consumers have increased awareness about data privacy in the past year, 42% think companies should disclose PCI compliance and data security practices with customers, and 39% would opt for a competitor when businesses don’t respect their data privacy settings. Even worse, nearly 70% would avoid a company altogether after a data breach.
In a recent study by PWC, 60% of consumers expect a data breach to occur with the businesses that have their data. And they’re prudent to feel that way. Many companies, particularly SMBs, have serious challenges when it comes to data security.
Plus, many businesses aren't even sure whether they are maintaining PCI compliance. A cybercriminal can exploit known vulnerabilities in websites, firewalls, and insecure remote access to acquire valuable credit card data. Consider the 2017 Equifax breach, in which roughly 209,000 credit card numbers were exposed along with personal data on about 147 million people. That sort of breach is damaging for credit card companies, banks, and small merchants alike.
Did you know?
Compliance has not been rising for a while. Reports showed significant gains in the first half of the 2010s, but full compliance has since declined. Per the Verizon 2020 Payment Security Report, just over a quarter of assessed organizations (27.9%) were fully PCI compliant, nearly 9 percentage points lower than the year before and 27.5 points below 2016.
PCI Compliance Costs
To ensure your business maintains PCI compliance, you may be subject to various fees. These could be monthly or annual fees, and their costs range from $10 per month to hundreds of dollars per year. It depends on the service, the type of payment processor you choose, and how you plan to handle AoC and vulnerability scans.
Typically, payment processors like Square and Shopify won’t charge a separate fee for PCI compliance. Rather, they roll the cost of compliance into your monthly or transaction fees. A traditional merchant account may come with an added compliance fee, or it’s rolled into a statement fee. Chase Merchant Services, for example, doesn’t charge anything for PCI compliance in its pay-as-you-go plan.
Where you can expect to pay PCI compliance fees are when you need a vulnerability scan or you want to hire a QSA:
- ASV scans: Quarterly vulnerability scans of your business environment such as for firewalls, internet, and so on, are typically charged annually; the average range is from $200 to $1,000.
- QSA service: Merchants with multiple locations might want to hire a QSA for PCI compliance; the fees start at $10,000 and vary based on the number of locations and complexity of networks.
Charging fees for PCI compliance is common; they pay for the servers and controls on the processor's side, which handles transmission and storage of the card data, so the fee is legitimate however it is labeled. It does not, however, cover your own obligations for the systems you run.
PCI DSS is a contractual standard, not a law, so it is enforced by the card brands through your acquiring bank and merchant agreement. So, what is the worst-case scenario if you remain noncompliant? Here are some possibilities:
- PCI noncompliance fee: many processors charge around $19.95 per month (some charge more) until you submit your SAQ and the rest of your validation paperwork; this fee is set by your processor or acquiring bank, so filing promptly is the way to avoid it
- PCI noncompliance fine: a breach occurs, consumer data is leaked, and your records show noncompliance; the card brands fine your acquiring bank, which passes the fine on to you, with commonly cited ranges of $5,000 to $100,000 per month of noncompliance on top of the cost of the forensic investigation and card reissuance
- PCI noncompliance and revocation: Your acquiring bank revokes your ability to accept credit cards, which could be the end of your business
Note that the average financial loss of cybercrime for an organization increased from $1.4 million in 2018 to $13.0 million a year later. Globally, cybercrime in 2020 cost $945 billion, according to a recent security report.
Should you face a data breach, you might also ruin customer trust. Some three-fourths of online shoppers are more likely to buy from large retailers, according to a 2021 BrizFeel survey, because consumers believe the bigger businesses take security seriously. Consumers are very much aware of security issues and data breaches, with 79% of Americans worried about their data.
It is important to take PCI compliance seriously and into your own hands. Don't assume that because your payment processor is compliant, you're off the hook; its compliance covers its systems, not yours. Follow the guidelines and check the official website for changes, since PCI DSS requirements evolve as data security does.