The Payment Card Industry Data Security Standard (PCI DSS) is a set of guidelines payment processors and businesses that accept credit cards need to follow. The guidelines are created by the PCI Security Standards Council which is independent of, but commissioned by, the major credit card companies like Visa. It’s meant to govern PCI compliance to keep consumer information safe from data breaches.
What Is PCI Compliance?
PCI compliance refers to adherence to the guidelines created by the PCI DSS. The PCI DSS was founded in 2006 to help protect sensitive consumer data, including credit card numbers and personal information. The major credit card companies—Visa, MasterCard, American Express, Discover, and JCB—are just as concerned about data breaches as consumers are.
In 2014, one report found that PCI compliance was on the rise, seeing significant jumps since 2011. However, compliance has since declined. Per the Verizon 2020 Payment Security Report, just over a quarter of businesses are fully PCI compliant, a nearly 9% drop from the year prior, and 27.5% less than in 2016.
Anyone involved in processing payments—meaning merchants, service providers, payment processors, and payment gateways—needs to adhere to PCI DSS guidelines. Unfortunately, small and medium-sized businesses are more vulnerable to data breaches than larger, established corporations.
There are 12 PCI DSS requirements all merchants must adhere to, which can be broken down into six main goals.
The six main goals of any business that needs to maintain PCI compliance:
- Maintain a secure physical network
- Guard customer data
- Maintain a secure internal network
- Limit data access to need-to-know
- Monitor and test data security systems
- Educate staff on PCI compliance
To do those things, you’ll need firewalls, physical and data security measures, upgraded technology (including a secure POS system), and the latest antivirus software.
What Happens If Your Business Is Not PCI Compliant?
You could face non-compliance fees of around $19.95 per month. If your business is involved in a data breach while you’re not PCI-compliant, you could be subject to fines from $5,000 to $100,000 per month, levied by the acquiring bank to recoup associated losses (fraudulent charges, reissue of cards, legal costs, etc.).
Plus, should you face a data breach, you might ruin customer trust. More than 83% of respondents to one survey feel secure shopping on mobile during the holidays, and it’s up to businesses to take that responsibility seriously.
The 4 PCI Compliance Levels
PCI compliance has different levels for businesses of different sizes, each with its own set of specific requirements and guidelines. Many times, your merchant service provider or payment processor will provide some level of PCI compliance, but there are still steps you must take as the merchant, first determining which level is applicable to you and what you have to do to abide by it.
| Level | Criteria |
|---|---|
| Level 1 | Businesses processing 6 million+ annual Visa transactions |
| Level 2 | Businesses processing 1 to 6 million annual Visa transactions |
| Level 3 | Businesses processing 20,000 to 1 million annual Visa ecommerce transactions |
| Level 4 | Businesses processing <20,000 annual Visa ecommerce transactions; businesses processing up to 1 million annual Visa transactions (non-ecommerce) |
PCI Compliance Self-Assessment Questionnaire
All small- to medium-sized merchants (Level 4) accepting major credit cards must complete a self-assessment questionnaire (SAQ) for part of the PCI compliance requirements. You can access the chart at the official PCI DSS website and determine which one applies to you.
For example, if you run an online business, and you use Shopify as your payment gateway and processor, you would fill out the SAQ-A.
A brick-and-mortar business that uses a POS system and terminal, such as Lightspeed, would need to use the SAQ-C document.
For manual entry with a virtual terminal, such as when you accept phone orders or invoices online, you are required to complete SAQ-C-VT.
The Importance of PCI Compliance
Not only is every business susceptible to data breaches, but consumers are increasingly aware of the steps merchants can take to protect their information. And this is influencing their purchase decisions.
One survey found that 61% of consumers have increased awareness about data privacy in the past year, 42% think companies should disclose PCI compliance and data security practices with customers, and 39% would opt for a competitor when businesses don’t respect their data privacy settings. Even worse, nearly 70% would avoid a company altogether after a data breach.
Only 25% of consumers think companies are responsible for their data management. And they’re prudent to feel that way. Many companies, particularly small businesses, have serious challenges when it comes to data security.
Plus, many businesses aren’t even sure if they’re maintaining PCI compliance. A cybercriminal can exploit known vulnerabilities in websites, firewalls, and insecure remote access to acquire valuable credit card data. Consider famous data breaches such as Equifax, when more than 182,000 credit card numbers were exposed. That sort of breach is damaging for credit card companies, banks, and small merchants.
If you use the cloud, you’re also more vulnerable. According to Verizon’s 2020 Payment Security Report, more than 20% of attacks are against web apps and involve stolen credentials.
How Much Does it Cost to Be PCI Compliant?
To ensure your business maintains PCI compliance, you may be subject to various fees. These could be monthly or annual fees, and their costs range from $10 per month to hundreds of dollars per year. It depends on the service, the type of payment processor you choose, and how you plan to handle AoC (Attestation of Compliance) and vulnerability scans.
Typically, payment processors like Square and Shopify won’t charge a separate fee for PCI compliance. Rather, they roll the cost of compliance into your monthly fee or transaction fees. A traditional merchant account may come with an added compliance fee, or it’s rolled into a statement fee. Chase Merchant Services doesn’t charge anything for PCI compliance in its pay-as-you-go plan.
Where you can expect to pay PCI compliance fees is when you need a vulnerability scan or you want to hire a QSA:
- ASV scans: Quarterly vulnerability scans of your business environment, such as for firewalls, internet, and so on, are typically charged annually, and the average range is from $200 to $1,000
- QSA service: Merchants with multiple locations might want to hire a QSA for PCI compliance; the fees start at $10,000 and vary based on the number of locations and complexity of networks
Charging fees for PCI compliance is common, as these fees go toward keeping data servers updated and maintained and all data security measures firmly in place. Your payment processor, payment gateway, or services provider is in charge of data transmission and storage, so it’s an important and necessary fee, however it’s charged.
PCI compliance is a set of standards, not actual laws, so it’s regulated by the credit card companies. So, what’s the worst-case scenario if you remain non-compliant? Here are some possibilities:
- PCI non-compliance fee: You’ll pay $19.95 (or more) per month until you prove your business is PCI-compliant. Although the fee appears to come from your payment processor, it originates with the credit card companies; some processors may charge more. Fill out your SAQ and submit your paperwork to avoid this fee.
- PCI non-compliance fine: A security breach occurs, and consumer data is leaked; your records show noncompliance; you’ll pay $5,000 to $100,000 per month of noncompliance
- PCI non-compliance and revocation: Your acquiring bank revokes your ability to accept credit cards, which could be the end of your business
Note that the average financial loss of cybercrime for an organization increased from $1.4 million in 2018 to $13.0 million a year later. While PCI compliance might come with fees, data breaches are far more costly.
It’s important to take PCI compliance seriously and into your own hands. Don’t assume that just because your payment processor is compliant, you’re off the hook. Follow the guidelines and be sure to check the official website for any changes. The PCI compliance requirements evolve as data security does.
6 Steps to Make Your Business PCI Compliant
Check Out Your Payment Technology
While cloud users might be more susceptible, the advantages of running your business using the cloud far outweigh those risks, especially since there are steps you can take to safeguard data. According to Verizon’s 2020 Payment Security Report, more than 20% of cyber-attacks are against web apps.
You’ll want to choose a PCI-compliant payment gateway for starters. When looking at the tools and systems you use to run your small business, look for the ability to create dedicated user accounts and logins. Only the people who need access should be able to acquire consumer data, and you should be able to track who sees what. Two-factor authentication and point-to-point encryption (P2PE) are other good security features, especially considering 27% of cyber attacks are due to stolen credentials.
It’s also important to install all your vendor’s security patches and updates in a timely manner. Otherwise, you run the risk of vulnerability. Remember to check your settings, too. Nearly half of businesses never change their vendor’s default settings.
Create and Document Processes
Some 37% of businesses that have a formal process to value data involve their data privacy team consistently. Again, you might not have a full-fledged team, but the people responsible for ensuring PCI compliance and data protection should also create processes for the rest of the business to follow.
It’s important to communicate your new PCI compliance measures, why they’re important, and how the rest of your staff can contribute. Maintain a policy to ensure staff understand the importance of PCI compliance and what to do and not do with consumer data.
Create a security policy and a governance plan to map out how you’ll continue to maintain compliance. Remember to check for physical tampering with POS systems and card readers as part of your data security governance—it’s not all limited to software solutions.
Complete Your Attestation of Compliance
The Attestation of Compliance (AoC) is a document in which you (if you’re self-auditing) or a qualified security assessor (QSA) declares your business’s level of compliance. The form should be completed, signed, and submitted along with the SAQ and the approved scanning vendor (ASV) scan results. Businesses are expected to submit an AoC annually.
The SAQ and AoC are where you’ll answer questions about PCI compliance requirements, which are as follows:
- Maintain firewall for business devices
- Change vendor-supplied passwords
- Encrypt transmissions of consumer data
- Use updated antivirus software
- Protect stored consumer data
- Restrict access to consumer data
- Maintain secure systems and apps
- Make cardholder data available only on a need-to-know basis
- Create a unique ID for every person with business computer access
- Monitor access to network and consumer data
- Test data security regularly
- Maintain a data security policy
When a merchant uses a third-party payment processor, most of these PCI compliance requirements are met by the processor. However, you still need to be aware of the regulations, and you must meet the PCI compliance requirements for your own environment, such as firewalls, strong passwords, and restricting access to cardholder data.
Prove PCI Compliance With a Vulnerability Scan
Depending on how you accept credit cards, you may have to pay for and schedule regular vulnerability scans with an ASV. An ASV is a third-party company that will conduct quarterly vulnerability scans to validate your PCI compliance. The ASV will determine whether you’re doing everything possible to safeguard consumer credit card and contact information.
What Is an ASV Validating?
An external vulnerability scan is performed by an ASV to determine whether your network is secure and safe for consumers. An ASV can also perform internal scans to detect vulnerabilities, but many merchants choose to do it themselves with the appropriate SAQ.
The external scan looks for vulnerabilities in your network firewalls, while an internal one looks for holes in your business’s firewalls. Both are necessary, but the internal scan can be self-performed.
An ASV will give you either a pass or a fail each quarter, which you’ll need to submit to the PCI DSS council. If you make any changes to your network, you’ll have to schedule a new scan as well. A fail can also result from minor changes. For example, your internet service provider (ISP) may change your public-facing IP address while your ASV is still scanning the old one, which could result in a “host not detected” finding.
Submit PCI Compliance Documentation
Gather all your documents, including a completed SAQ that’s right for your business type, proof of passing quarterly external scans from an ASV, and any other documents required. You’ll send these to the PCI DSS council either through an e-file option or through snail mail. Your other option is to hire a QSA, who can fill out the documents, organize them, and submit everything for you.
Track and Test Your Systems
Data security and PCI compliance aren’t set-it-and-forget-it. It’s important to test your security measures often to ensure they’re working as intended. But only a little more than half of organizations successfully test their data security programs. And only two-thirds track and monitor systems adequately.
Bottom Line on PCI Compliance in 2021
Maintaining PCI compliance should be a priority for every merchant. The PCI compliance requirements are simple, and it isn’t nearly as costly as a data breach would be, especially if you’re non-compliant. Your payment processor or MSP should be PCI compliant itself, which is necessary for you to be compliant as well.