Running a business is all about the details. Small mistakes can spiral into big issues, and being proactive is your best bet for growth.
PCI Compliance is one of those to-dos that can fly under the radar, but the consequences of a breach are devastating. It’s your responsibility as an owner or manager to stay on top of PCI compliance and protect your customers’ data when processing transactions.
And PCI doesn’t go away as you grow; it actually gets more complex and more important.
We’re going to cover the meaning of PCI Compliance, why it’s important, and what you can do to stay compliant.
What is PCI Compliance?
PCI Compliance is a set of rules and guidelines, designed to protect cardholders, that businesses need to follow in order to accept credit card transactions.
PCI Compliance official meaning
PCI stands for Payment Card Industry, and here’s the official definition released by the council.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of standards created by major payment card companies to protect consumers and avoid liability by forcing businesses involved in the payment card ecosystem to implement safety measures and processes.
The history of PCI Compliance dates back to the 1990s when internet transactions and breaches first began. Cardmember companies recognized a growing problem and needed a way to formalize cardmember security.
The PCI Security Standards Council was founded in 2006 by American Express, Discover, JCB International, MasterCard and Visa Inc., and they each share in its governance and help guide the council’s work.
While the council is responsible for releasing and updating the general guidelines and questionnaires, it’s the cardmember associations’ responsibility to enforce these guidelines among sellers accepting payment cards.
PCI Compliance is the act of staying true to the guidelines set out by the credit card companies. They involve rules about storing transaction data, keeping secure systems, installing firewalls, etc.
In order to transact with these cardmember associations, your business must conduct annual assessments and submit them to the council/cardmember associations for review.
Depending on your business, you may need or choose to hire on-site certified assessors or to use remote security assessments from third-party companies.
Who needs to be PCI Compliant?
All businesses, essentially. If you want to support credit card transactions, then you’ll need to prove your compliance.
The importance of PCI Compliance
Keeping your cardholder data secure is important for your entire business, regardless of how many stores or locations you operate. A breach is damning for many reasons:
- You’ll lose customers.
- You’ll have to pay tons of fines, often enough to cripple your business.
- You’ll be paying a fortune in legal fees.
Again, this isn’t a choice. It’s not just economically and ethically sound; you cannot take credit cards without being PCI compliant.
And even if it weren’t mandatory, the potential damage from a breach is severe.
Why you should take PCI Compliance seriously
Breaches are not to be taken lightly. If your business suffers a breach and you are found liable for PCI compliance violations, you could:
- Have to absorb any and all fraud that occurred during the breach. This could easily be hundreds of thousands of dollars.
- Lose your customers’ trust, reducing customer lifetime value and overall revenue.
- Shell out thousands in fines.
- Pay all the legal costs, settlements, and judgments that accompany a customer lawsuit.
- Lose your business’s ability to accept credit cards.
- Just plain go out of business.
How do you become PCI Compliant?
First off, achieving PCI compliance typically involves completing a yearly self-assessment questionnaire (SAQ) and/or conducting and passing quarterly PCI security scans.
PCI Compliance software has made it a lot easier to manage in recent years and can sometimes eliminate the need to fill these questionnaires out altogether, but you can also download the questionnaire directly from the council’s site.
A couple of things to note before we dive in:
- Just because you use software that is PCI compliant does not mean YOU are PCI compliant.
- The most common PCI pain points for businesses occur around the storage and transmission of cardholder data and network security.
- Having proper documentation and consistently scanning is the most effective way to reduce your risk of a breach.
- You will be charged a noncompliance fee if you continue to accept credit cards without being secure.
The two most important steps of the payment process you need to focus on securing are when cardholder data is captured at your point of sale and when it flows into your payment system, but merchant-based vulnerabilities can happen almost anywhere in the card-processing ecosystem, including:
- Card readers & point of sale systems/devices
- Mobile devices
- Personal computers or servers
- Networks & wireless access routers
- Remote-access connections
- Payment card data stored in paper-based records
The PCI Compliance Checklist
The security council offers a checklist for staying compliant on their site.
These are 12 guidelines supplied by the payment card companies that are designed to be a thorough and achievable defense against consumer information breaches.
See the complete PCI Compliance Checklist
How much does it cost to be PCI compliant?
The costs vary dramatically by industry and size, ranging anywhere from $500 to well over $50,000 per year.
Breaches are not rare
The average breach costs $4 million, and more than 898 million records have been compromised across 4,823 breaches made between January 2005 and April 2016, according to privacyrights.org.
And those are just the ones that were publicly reported.
PCI Compliance differs by size and cardmember association
Full compliance with PCI SSC Version 3.2 is now mandatory as of February 1, 2018, and these guidelines change according to the size of your business and cardmember association.
Most businesses fall into Level 4, which we’ll cover below.
In the past, the security council noticed that businesses were only checking for PCI compliance once a year, typically in quarter 4. To combat this behavior, the council requires merchants to have proof of processes in place at all times.
Security isn’t a once-in-a-while thing; it needs to be a constant effort from businesses, but the PCI Compliance validation changes depending on the size of a business.
Here’s a quick overview of the Merchant Levels, and if you’d like to know more, read our blog on PCI Compliance Levels.
Merchant Level 4
Merchant accepts/processes less than 20,000 Visa or MasterCard online transactions or up to 1 million transactions annually.
Merchant Level 3
Merchant accepts/processes 20,000-1 million Visa or MasterCard online transactions annually.
Merchant Level 2
Merchant accepts/processes 1 million-6 million Visa or MasterCard online transactions annually.
Merchant Level 1
Merchant accepts/processes over 6 million Visa transactions per year, has had a data breach that resulted in account data compromise, and/or is identified as Level 1 by the Security Standards Council.
Staying PCI Compliant is easier than ever
With Tidal at your side, you can view your compliance status, easily update your account, and run on-demand scans from our convenient dashboard.
Recurring and on-demand PCI Compliance Scans
Access unlimited on-demand scanning of your network. Scan anytime you’d like to check for vulnerabilities and/or violations, add new networks to scan, run scans against your internal network for potential vulnerabilities, and pull past scan reports in an instant.
$100,000 in breach coverage
We’ll cover you for up to your first $100,000 in damages and fines in case of a breach.
Questionnaires to help you stay on top of PCI Compliance
Take out the guesswork by signing and submitting self-assessment questionnaires online with our compliance dashboard.
Use a modern and convenient online dashboard
Centralize your compliance documents & SAQ and take action against issues within our web dashboard.
The sooner you switch your payment processing to Tidal, the better and safer your business will be.