PCI Compliance: why you need it and how to do it right
What is PCI?
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard maintained by the PCI Security Standards Council on behalf of the major card brands. It applies to any organization that accepts, processes, stores, or transmits credit card information.
Okay, but what is PCI Compliance, actually?
Basically, it’s a bunch of requirements —12 to be exact — that any business processing credit card payments is expected to follow. Why? To protect the business and its customers from scammers who try to steal credit card information.
These requirements range from establishing data security policies for your business to removing card data from your processing system and payment terminals, but we’ll get more into the specific requirements later.
How do you become PCI Compliant?
There are four merchant levels; the level your business falls into is determined by your transaction volume over a 12-month period. Each card brand publishes its own thresholds (the ones below are Visa's), and your acquiring bank will tell you which level it assigns you.
Level 1: Merchants processing over 6 million card transactions per year.
Level 2: Merchants processing 1 to 6 million transactions per year.
Level 3: Merchants handling 20,000 to 1 million e-commerce transactions per year.
Level 4: Merchants handling fewer than 20,000 e-commerce transactions per year, and up to 1 million transactions in total.
To meet Level 1 PCI compliance, you need an annual on-site assessment, performed by a Qualified Security Assessor (QSA) or by an internal auditor whose report is signed off by a company officer, that produces a Report on Compliance, plus quarterly external vulnerability scans (a scan of your internet-facing IP addresses, run by an Approved Scanning Vendor) to confirm nothing exploitable is exposed. To meet PCI compliance at levels 2, 3, and 4, you complete a PCI Self-Assessment Questionnaire (SAQ) each year and pass the same quarterly external scans.
What does this mean? For most of us who fall into the small to medium-sized business levels, getting PCI compliant comes down to completing a yearly questionnaire and passing quarterly scans. Well, almost…The questionnaire is a self-attestation, not a test someone else grades: to honestly answer "yes" to its questions, your business needs to actually follow the 12 requirements designed to protect cardholder data.
What are the 12 PCI Requirements? And should I be scared?
12 requirements might sound intimidating, but in reality, the majority are common sense and ultimately beneficial for your business. Plus, being the diligent and responsible business owner that you are, there’s a good chance you already do most of them!
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across all open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for employees and contractors
What are the benefits of being PCI compliant?
Imagine your wireless network gets hacked or an employee steals customer credit card information. If you're PCI compliant, the fallout is contained: many processors bundle data breach protection (often up to $100,000 in covered costs) for merchants who maintain compliance, and being able to show you met the standard matters when fines are assessed. If you're not, all the litigation costs and fines associated with the incident can quickly drain your business' funds.
Now, think about your favourite store. Would you still shop there if you knew your payment information wasn’t secure? Sure, you might spend a minute or two weighing out whether being a victim of credit card fraud is a fair price to pay for that artisan, vanilla brioche doughnut, but in the end, you’d probably find a different establishment to satisfy your pastry cravings. In fact, a 12 country survey conducted by Visa found that consumers ranked security of financial information as their number one concern.
So to sum up, if you don't want to lose a ton of money and if you do want to retain customers, PCI compliance is a small price to pay.
Hold-up, there’s a fee for being PCI compliant?
The short answer is: sometimes, and kind of. Most processors provide support and fraud prevention tools to help their merchants maintain PCI compliance in exchange for a fee. Some processors charge PCI compliance fees that range from $10 to $20 per month, while others don't charge anything separately because the cost of that support is already built into your monthly account or processing fee. Either way, check whether the fee covers the things you actually need, such as help with the SAQ and the quarterly scans.
What happens if you’re not compliant?
Aside from the data breaches we discussed above, PCI non-compliance also comes bundled with the potential for card-brand fines (commonly cited at $5,000 to $100,000 per month, levied on your acquiring bank and passed on to you), contract termination by your acquiring bank, monthly non-compliance fees from your processor, legal costs, forensic audits, fraud losses, going out of business, and — you get the idea.
I finally understand(ish) PCI compliance, now what?
When choosing a payment processor, it's a good idea to research what services and products they offer for PCI compliance. In addition to choosing a reliable processor (ahem...Paystone), keeping anti-virus software up to date, replacing every vendor-default password and giving each user their own strong credentials, and never storing full card numbers yourself (let your processor's tokenization or vault hold them, which also shrinks the scope of your questionnaire) will make PCI compliance simple...maybe even fun. Okay, probably just simple.