Running a business is all about the details. Small mistakes can spiral into big issues, and being proactive is your best bet for growth.
PCI compliance is one of those to-dos that can fly under the radar, but the consequences of a breach are devastating. It’s your responsibility as a business owner or manager to stay on top of PCI compliance and protect your customers’ data when processing transactions.
And PCI doesn’t go away the more you grow; it actually gets more complex and important.
We’re going to cover what PCI stands for, the meaning of PCI compliance, why it’s important, and what you can do to stay compliant.
The full acronym, PCI DSS, stands for Payment Card Industry Data Security Standard, which is a set of rules and guidelines that businesses need to follow in order to protect cardholders while supporting credit card transactions.
The standard is established and maintained by the PCI Security Standards Council, which defines PCI DSS as follows:
The Payment Card Industry Data Security Standard (PCI DSS) is a set of standards created by major payment card companies to protect consumers and avoid liability by forcing businesses involved in the payment card ecosystem to implement safety measures and processes.
The council is managed by an executive staff and a committee representing the largest payment networks, such as AMEX, JCB, Visa, MasterCard, and Discover. These members of the payment industry are assisted by many advisors throughout the process of creating and updating the requirements.
PCI compliance, required by any merchant, retailer, or organization of any size, means following this set of standards when processing, storing or transmitting a cardholder’s financial information or authentication data.
The history of PCI compliance dates back to the 1990s when internet transactions and breaches first began. Cardmember companies recognized a growing problem and needed a way to formalize cardmember security.
The PCI Security Standards Council was founded in 2006 by American Express, Discover, JCB International, MasterCard, and Visa Inc., and they each share in its governance and help guide the council’s work.
While the council is responsible for releasing and updating the general guidelines and questionnaires, it’s the cardmember associations’ responsibility to enforce these guidelines among sellers accepting payment cards.
In order to transact with these cardmember associations, your business must conduct annual assessments and submit them to the council/cardmember associations for review.
Depending on your business, you may need or choose to hire an on-site Qualified Security Assessor or take remote security assessments via third-party companies.
Among the twelve PCI compliance guidelines, four general rules of thumb stand out:
Write policies that govern data retention and disposal, and make sure those policies are actually practiced. Use encryption. Mask stored cardholder data and render it unreadable. etc.
Use properly configured firewalls. Use anti-virus measures. Configure routers securely. Review firewall and router rule sets every 6 months. etc.
Screen employees. Apply least-privilege policies. Require documented approvals for access. etc.
Check compliance regularly, track and monitor continuously, alert on suspicious activity, audit logs, and more.
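To make the "mask data" and "audit logs" points above concrete, here is an added example (written for this article, not Tidal Commerce's tooling) that scans log lines for unmasked card numbers and redacts them to the first six and last four digits, the most PCI DSS allows to be displayed. The log lines are constructed sample data using public test card numbers.

```python
import re

# Constructed sample log lines (not from any real system). The card numbers are
# public test PANs; the DEBUG and heartbeat lines are Luhn-invalid decoys.
SAMPLE_LOG = """\
2024-01-05 10:02:11 INFO checkout order=1001 pan=4111111111111111 amount=19.99
2024-01-05 10:02:12 INFO checkout order=1002 pan=4111-1111-1111-1111 amount=5.00
2024-01-05 10:02:13 DEBUG trace id=1234567890123 step=auth
2024-01-05 10:02:14 INFO refund order=1003 pan=5555 5555 5555 4444
2024-01-05 10:02:15 INFO heartbeat seq=9999999999999999
"""

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded inside a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts most false positives such as order IDs and counters."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """PCI DSS display masking: at most the first six and last four digits visible."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_log(text: str):
    """Return (redacted_text, findings); each finding is (line_no, masked_pan)."""
    findings, out = [], []
    for line_no, line in enumerate(text.splitlines(), 1):
        def redact(m, line_no=line_no):
            digits = re.sub(r"[ -]", "", m.group(0))
            if not luhn_ok(digits):
                return m.group(0)  # not a card number; leave the line untouched
            findings.append((line_no, mask_pan(digits)))
            return mask_pan(digits)
        out.append(CANDIDATE.sub(redact, line))
    return "\n".join(out), findings


if __name__ == "__main__":
    redacted, hits = scan_log(SAMPLE_LOG)
    for line_no, masked in hits:
        print(f"line {line_no}: unmasked PAN found, now stored as {masked}")
    print(redacted)
```

Each finding is an alert worth raising, because a PAN written to a log in the clear is exactly the kind of stored cardholder data the standard requires you to render unreadable.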
For an overview of all twelve PCI security standards, visit our PCI compliance checklist.
Keeping your cardholder data secure is important for your entire business, regardless of how many stores you have or locations you operate in. A breach is damaging for many reasons:
And breaches are not rare: the average breach costs $4 million, and more than 898 million records were compromised across 4,823 breaches between January 2005 and April 2016, according to privacyrights.org. And those are just the ones that were publicly reported.
As a small business, within level 3 or 4, PCI compliance is especially important for ensuring that your organization does not incur such hefty legal fees.
Further, providing a safe mode of transaction ensures that consumers trust not only your business with their information and payment method but also the purchasing process overall.
Achieving PCI compliance typically involves completing a yearly self-assessment questionnaire (SAQ) and/or conducting and passing quarterly PCI security scans.
PCI compliance software has made it a lot easier to manage in recent years and can sometimes eliminate the need to fill these questionnaires out altogether, but you can also download the questionnaire directly from the council’s site.
A couple of things to note before we dive in:
The two most important steps of the payment process you need to focus on securing are when cardholder data is captured at your point of sale and when it flows into your payment system, but merchant-based vulnerabilities can happen almost anywhere in the card-processing ecosystem, including:
The security council offers a checklist for staying compliant on their site. These are 12 guidelines supplied by the payment card companies that are designed to be a thorough and achievable defense against consumer information breaches.
We cover all 12 guidelines and more in our PCI compliance checklist.
Full compliance with PCI DSS version 3.2 became mandatory as of May 2018, and these guidelines change according to the size of your business and cardmember association. Most businesses fall into Level 4, which we’ll cover below.
In the past, the security council noticed that businesses were only checking for PCI compliance once a year, typically in Q4. To combat this behavior, the council now requires merchants to have proof of processes in place at all times.
Security isn’t a once in a while thing; it needs to be a constant effort from businesses, but the PCI compliance validation changes depending on the size of a business.
Here’s a quick overview of the Merchant Levels, and if you’d like to know more, read our complete guide to PCI compliance levels.
Level 4: Merchant accepts/processes fewer than 20,000 Visa or MasterCard online transactions, or up to 1 million transactions in total, annually.
Level 3: Merchant accepts/processes 20,000 to 1 million Visa or MasterCard online transactions annually.
Level 2: Merchant accepts/processes 1 million to 6 million Visa or MasterCard transactions annually.
Level 1: Merchant accepts/processes over 6 million Visa transactions per year, has had a data breach that resulted in account data compromise, and/or is identified as Level 1 by the Security Standards Council.
Partnering with an experienced and trusted payment processor such as Tidal Commerce simplifies the process and ensures that your business is always in compliance with the latest regulations.
Going above and beyond, Tidal Commerce also enrolls each of its merchants into a breach coverage program, which provides up to $100,000 coverage to merchants in the event of a breach. This coverage is rare in the industry, as normally the merchant is the one to suffer if they are breached and did not understand the responsibility or severity.
The sooner you switch your payment processing to Tidal, the better and safer your business will be.