Running a business is all about the details. Small mistakes can spiral into big issues, and being proactive is your best bet for growth.
PCI Compliance is one of those to-dos that can fly under the radar, but the consequences of a breach are devastating. It’s your responsibility as an owner or manager to stay on top of PCI compliance and protect your customer’s data when processing transactions.
And PCI doesn’t go away the more you grow, it actually gets more complex and important.
We’re going to cover the meaning of PCI Compliance, why it’s important, and what you can do to stay compliant.
PCI Compliance is a set of rules and guidelines designed to protect cardholders that businesses need to follow in order to support credit card transactions.
PCI stands for Payment Card Industry, and here’s the official definition released by the council.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of standards created by major payment card companies to protect consumers and avoid liability by forcing businesses involved in the payment card ecosystem to implement safety measures and processes.
The history of PCI Compliance dates back to the 1990s when internet transactions and breaches first began. Cardmember companies recognized a growing problem and needed a way to formalize cardmember security.
The PCI Security Standards Council was founded in 2006 by American Express, Discover, JCB International, MasterCard and Visa Inc., and they each share in its governance and help guide the council’s work.
While the council is responsible for releasing and updating the general guidelines and questionnaires, it’s the cardmember associations’ responsibility to enforce these guidelines among sellers accepting payment cards.
PCI Compliance is the act of staying true to the guidelines set out by the credit card companies. These involve rules about storing transaction data, keeping systems secure, installing firewalls, and so on.
In order to transact with these cardmember associations, your business must conduct annual assessments and submit them to the council/cardmember associations for review.
Depending on your business, you may need or choose to hire on-site certified assessors or obtain remote security assessments from third-party companies.
All businesses, essentially. If you want to support credit card transactions, then you’ll need to prove your compliance.
Keeping your cardholder data secure is important for your entire business, regardless of how many stores or locations you operate. A breach is damning for many reasons:
Again, this isn’t a choice. It’s not just economically and ethically sound; you cannot take credit cards without being PCI compliant.
And even if it weren’t mandatory, the potential harm from a breach is severe.
Breaches are not to be taken lightly. If your business suffers a breach and you are found liable for PCI compliance violations, you could:
First off, achieving PCI compliance typically involves completing a yearly self-assessment questionnaire (SAQ) and/or conducting and passing quarterly PCI security scans.
PCI Compliance software has made it a lot easier to manage in recent years and can sometimes eliminate the need to fill these questionnaires out altogether, but you can also download the questionnaire directly from the council’s site.
A couple of things to note before we dive in:
The two most important steps of the payment process you need to focus on securing are when cardholder data is captured at your point of sale and when it flows into your payment system, but merchant-based vulnerabilities can happen almost anywhere in the card-processing ecosystem.
The security council offers a checklist for staying compliant on their site.
These are 12 guidelines supplied by the payment card companies that are designed to be a thorough and achievable defense against consumer information breaches.
See the complete PCI Compliance Checklist
The costs vary dramatically by industry and size, starting anywhere from $500 annually to well over $50,000 per year.
The average breach costs $4 million, and more than 898 million records were compromised across 4,823 breaches between January 2005 and April 2016, according to privacyrights.org.
And those are just the ones that were publicly reported.
Full compliance with PCI SSC Version 3.2 has been mandatory since February 1, 2018, and the validation requirements vary with the size of your business and the cardmember association.
Most businesses fall into Level 4, which we’ll cover below.
In the past, the security council noticed that businesses were only checking for PCI compliance once a year, typically in the fourth quarter. To combat this behavior, the council requires merchants to have proof of processes in place at all times.
Security isn’t a once-in-a-while thing; it needs to be a constant effort from businesses, but the PCI Compliance validation required changes depending on the size of the business.
Here’s a quick overview of the Merchant Levels, and if you’d like to know more, read our blog on PCI Compliance Levels.
Level 4: Merchant accepts/processes fewer than 20,000 Visa or MasterCard online transactions or up to 1 million transactions annually.
Level 3: Merchant accepts/processes 20,000-1 million Visa or MasterCard online transactions annually.
Level 2: Merchant accepts/processes 1 million-6 million Visa or MasterCard online transactions annually.
Level 1: Merchant accepts/processes over 6 million Visa transactions per year, has had a data breach that resulted in account data compromise, and/or is identified as Level 1 by the Security Standards Council.
With Tidal at your side, you can view your compliance status, easily update your account, and run on-demand scans from our convenient dashboard.
Access unlimited on-demand scanning of your network. Launch new scans, add new networks to scan, run scans against your internal network to scan for potential vulnerabilities, and even pull past scan reports in an instant.
Scan your network anytime you’d like to check for vulnerabilities and/or violations, add additional networks to scan, and easily check previous scan reports.
We’ll cover you for up to your first $100,000 in damages and fines in case of a breach.
Take out the guesswork by signing and submitting self-assessment questionnaires online with our compliance dashboard.
Centralize your compliance documents & SAQ and take action against issues within our web dashboard.
The sooner you switch your payment processing to Tidal, the better and safer your business will be.