PCI Compliance Guide

December 30, 2019

The number of businesses that accept credit cards as a payment method is continuously growing. With that trend, there is also a surge of security risks associated with handling those transactions. PCI compliance is all about keeping every single payment on the highest security level and providing a safe environment for consumers and merchants alike.

In 2018 alone, $24.26 billion was lost to payment card fraud globally, and the US accounted for 38.6% of those losses. A 2015 report shows that merchants and ATM acquirers bore 28% of the liability for such losses. This is why protecting customers' card data is essential to a successful business.

As a merchant, your main goal is to have customers who feel safe doing business with you. That is why you should get familiar with risks that come with accepting cashless payments, and with the ways you can protect yourself and your customers.

What Is PCI Compliance and Why Is It Important for Every Merchant?

Payment Card Industry (PCI) compliance means meeting the PCI Data Security Standard (PCI DSS), a set of requirements whose purpose is to reduce payment card fraud and the theft of card data. The standard is maintained by the PCI Security Standards Council (SSC), a global open body founded by five card brands: Visa, MasterCard, Discover, American Express and JCB. The Council publishes the standard and the tools needed to implement it; enforcement, including fines, comes from the card brands through the merchant's acquiring bank.

This means that every merchant that accepts payment cards carrying the logo of any of these five brands must follow the standard.

Merchants should know that PCI compliance rules are there to ensure that a secure environment is created for cardholders’ information, which includes card numbers, expiration dates, and security codes. Being PCI compliant brings many benefits to your business and its development.

PCI Data Security Standards Every Merchant Must Meet

You can find the current PCI DSS on the PCI Security Standards Council website. There are 12 general requirements that every merchant must adhere to; they break down into several hundred detailed sub-requirements and testing procedures, and which of those apply depends on how your business handles card data. The 12 requirements are grouped into six goals:

  • Build and maintain a secure network and systems
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

As a merchant, you should remember that all types of businesses, small or large alike, can suffer greatly from data breaches. Attackers will exploit any vulnerability in the system, and small merchants are attacked precisely because they are assumed to be less protected.

Make Data Secure Again

You, as a merchant, process, transmit or store card owners’ information and sensitive authentication data in your system. This is why you need to keep it private and safe since credit card fraud is a massive problem in the US.

Fraud can happen in many ways. The most common start with a customer's lost or stolen card, account number or PIN; attackers can also obtain that information in bulk through a data breach at a merchant.

All of this points out that a high level of security will help your business not only to build trust with your customers but to avoid massive financial losses.

PCI compliance covers both the administrative and the technical side of the business, and the standard itself is revised periodically. Beyond the standard, review your website regularly and keep its applications and their dependencies patched.

Additional Ways to Eliminate Risks

There are many ways to reduce the risk of a data breach. Using a payment gateway with a hosted payment page, where the customer enters card details on the provider's page rather than yours, moves the handling of card data to the provider. It does not remove your obligation to be PCI compliant, but it sharply reduces your scope: because card data never touches your systems, you typically qualify for the shortest self-assessment questionnaire (SAQ A) instead of the full set of requirements. The customer data the provider holds is protected and encrypted by the provider.

If you use a payment gateway, choose one that is itself validated as a PCI DSS compliant service provider, and ask for its current Attestation of Compliance. This ensures the payments carried out on your website are handled in a validated environment.

If you want to increase the level of security further, the single most effective step is not to store cardholder data at all if you don't really need it.

Who Needs PCI Compliance?

The fact that 76% of consumers in America shop online and 25% of those do it at least once a month, is a sign to merchants that they should acknowledge the need for high-level security of online transactions. The online community of buyers is only getting bigger, which means that having a safe business environment will only benefit you in the long run. Not only that but if you own a brick and mortar store, you should know that people nowadays are carrying plastic more than cash, so you should give your customers the option of paying with cards.

If your business accepts non-cash payments for any goods or services through third-party financial service providers, PCI compliance applies to you.

Should Your Business Be PCI Compliant?

Merchants should be aware of how important it is to be PCI compliant. PCI DSS is not a federal law but a contractual requirement of your merchant agreement; even so, if your payment system is breached and your customers' information stolen, you might end up being sued. You might also be found liable for losses sustained by banks and financial service providers, such as the cost of reissuing cards.

If your enterprise has multiple divisions under the same tax ID, you are only required to validate once a year for all locations and submit passing network scans for each location quarterly.

Overall, PCI compliance is about reducing fraud and breach risk. It does not make you immune to account takeovers or counterfeit cards, but it greatly lowers the chance that your systems become the source of stolen card data. By being PCI compliant, you maintain good working relationships with financial service providers and uphold customers' trust.

What If My Business Is Not PCI Compliant?

Non-compliance has real costs. Firstly, the card brands can impose fines on your acquiring bank, which passes them on to you; these are monthly fines that can reach $100,000, depending on how long the non-compliance lasts and on your transaction volume.

Also, if you are building a name for your company, sustaining a data breach can result in losing reputation and customers. Yahoo, Facebook, Marriott are just some of the major companies that sustained massive data breaches in the last few years, and they have all paid a price for it.

Merchants also need to show banks the ability of their businesses to prevent data breaches. If your company can’t meet these conditions, you could lose the ability to process card payments. Without the option of card processing, your business can take a significant hit, since nowadays cashless payments are only increasing.

Levels of PCI Compliance

As a business owner, you should know that merchants are classified under four levels of PCI compliance. That classification is based on the number of card transactions over the course of 12 months. You should also know that if you suffer a breach that compromises your clients' card data, the card brands may reclassify you as a Level 1 merchant regardless of your volume, with the stricter validation that entails.

Determining Your Merchant Level and Self-Assessment Questionnaire (SAQ)

You, as a merchant, can determine your level of PCI compliance by consulting a merchant service provider or by using reporting tools. If you qualify for levels 1, 2, or 3, you will have more complex compliance requirements based on the size and type of your business. If your business is at one of these levels, you are more likely to have an internal IT and compliance team to implement and monitor your programs.

If you are a merchant who identifies as a small or medium-sized business, you will fall into the level 4 category. Here, compliance requirements are more straightforward.

You will complete the Self-Assessment Questionnaire that matches how your business accepts card payments. Most merchants validate this way; Level 1 merchants complete a Report on Compliance instead. The SAQ consists of yes or no questions covering the PCI DSS requirements, and specific questionnaires exist for different merchant environments. All merchants should be PCI compliant if they want to avoid fines, but not all of them are obligated to perform a quarterly external vulnerability scan. Whether the scan is required depends on the SAQ type, which in turn depends on:

  • The payment terminal – a standalone terminal that dials out over a telephone line (SAQ B) is slower but needs no scan; a terminal connected over the internet (SAQ B-IP) is faster but reachable from the network, so the scan is required.
  • eCommerce – owners should be ready for technical questions: how the website is set up, whether the payment page is fully hosted by the provider or embedded in your own pages, and whether there is custom web application code. Under PCI DSS 3.2.1 a fully outsourced payment page (SAQ A) needs no scan, while a payment form delivered through your own site (SAQ A-EP) does.
  • Keeping your merchant profile current – the questionnaire you are given is determined by how your business is set up with your provider. Keep that profile up to date so that the questions you see match the way you actually accept payments.

If you are not sure how to fill out this questionnaire, contact your payment service provider to find out.

Level 1 Merchant

You should know the volume of your transactions so that you could precisely know what level of PCI compliance your business belongs to.

Merchants in the level 1 process over six million card transactions annually. This includes all channels like eCommerce, card present, and card not present. If you are a global merchant that processes a total of six million transactions in different regions, your entire business may qualify for level one.

As a Level 1 merchant, you must complete:

  • Completing a yearly Report on Compliance (ROC) using a Qualified Security Assessor (QSA)
  • Completing a quarterly network scan with the assistance of Approved Scanning Vendor (ASV)
  • Completing the Attestation of Compliance Form

Level 2

Being a Level 2 merchant means that your business processes one to six million card transactions per year across all channels.

If you have established that you are a Level 2 merchant, you must complete:

  • Completing an Annual Self-Assessment Questionnaire (SAQ)
  • Completing a quarterly network scan by an ASV
  • Completing the Attestation of Compliance Form

Level 3

Level 3 merchants process between 20,000 and one million card transactions a year through eCommerce alone.

If you are one of them, you must complete:

  • Completing an Annual SAQ
  • Completing a quarterly network scan by an ASV
  • Completing the Attestation of Compliance Form

Level 4

Being a Level 4 merchant means you process up to one million card transactions per year across all channels, and no more than 20,000 of them via eCommerce.

As a Level 4 merchant, your obligations are:

  • Completing an Annual SAQ
  • Completing a quarterly network scan by an ASV
  • Completing the Attestation of Compliance Form

Benefits of PCI Compliance

As a business owner, you should know that being PCI compliant is an investment with a long list of advantages:

  • Security improvement leads to a reduced risk of security breaches. Both you and your customers benefit from this. When you make sure that your business is safe, your customers will feel like that, as well.
  • The growth of trust between your business and customers will have a direct impact on your profit. And since the eCommerce market is expected to rise to 4.9 trillion dollars by 2021, having loyal customers who could recommend your company to others is excellent for your business.
  • Being a part of the PCI compliance system means you get to avoid high charges and fines that are imposed on businesses that are not sticking to the rules. With credit card fraud increasing by 18.4% in 2018, compliance seems like the smart choice.

Frequently Asked Questions

If some parts of the PCI compliance seem complicated, finding answers to frequently asked questions might help you grasp the concept better. Knowing the benefits of PCI compliance and downsides of non-compliance is the right step in understanding it, but there can still be so many questions you need answers to. As a merchant, you should be familiar with all the details, because knowing the way your business works and the ways you can improve it can only benefit you.

How does the PCI compliance rules apply when accepting credit card payments over the phone?

Are you taking credit card payments over the phone and wondering how the PCI compliance rules apply? Firstly, know that you can be PCI compliant and receive credit card payments through this channel. When you do, gather the verification details your processor supports, such as the billing address and the security code: a verified card-not-present transaction usually carries lower processing fees and a lower risk of fraud.

Statistics show that 69% of frauds begin when a consumer is contacted via phone. To prevent this, you should train every employee that works with credit card information to be familiar with the applicable rules.

Staff taking payments over the phone need the full card number, the full name on the card, the expiration date, the billing address and the security code to authorize the transaction. The security code (like a PIN) is sensitive authentication data: use it for the authorization and never write it down, store it or keep it in a call recording afterwards. If your business records calls, pause the recording while card details are read out, or redact them from the recording. Whatever cardholder data you do retain (at most the card number, name and expiration date) should be kept in a secure location and destroyed as soon as the transaction is complete and you no longer need it.

What is cardholder data?

As a merchant who handles cardholder information, you should know precisely what you're dealing with. The PCI Security Standards Council defines cardholder data as the full Primary Account Number (PAN), on its own or together with any of the following:

  • Cardholder name
  • Expiration date
  • Service code

Separate from cardholder data is sensitive authentication data: full magnetic stripe or chip track data, the card security code (CVV2, CVC2, CID) and PINs or PIN blocks. Sensitive authentication data must never be stored after authorization, even encrypted.
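The advice earlier in this guide not to keep cardholder data you don't need, and the definitions above, are easier to act on if you can find card data where it should not be: application logs, database dumps, call transcripts, backups. The following Python script is an added example written for this guide, not code from the PCI SSC or from the original page. The log lines are constructed, and the field labels it looks for (pan=, cvv=, cvc2:) are an assumption about how a careless application might log them. It finds Luhn-valid PAN candidates, masks them to the first six and last four digits as PCI DSS 3.2.1 requirement 3.3 permits, and removes security codes, which requirement 3.2 forbids storing after authorization.

```python
import re

# Constructed sample: what an application log should never contain.
# Lines 1 and 2 leak full PANs and security codes, line 3 holds an ordinary
# 13-digit id that only looks like a card number, line 4 is already masked.
SAMPLE_LOG = """\
2019-12-30T10:15:02Z order=10042 pan=4111111111111111 exp=12/23 cvv=123 amount=49.90
2019-12-30T10:15:09Z order=10043 card="5555 5555 5555 4444" cvc2: 731 amount=12.00
2019-12-30T10:16:44Z order=10044 txn_id=1234567890123 status=approved
2019-12-30T10:17:01Z order=10045 pan=411111XXXXXX1111 status=approved
"""

# A PAN is 13 to 19 digits, often written with spaces or hyphens between groups.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Security code next to a label. The labels are an assumption about how a
# careless application might log them; extend the list for your own systems.
SAD_RE = re.compile(
    r"\b(?:cvv2?|cvc2?|cid|security code)\s*[:=]?\s*(\d{3,4})\b", re.IGNORECASE
)


def luhn_ok(digits):
    """Luhn check (ISO/IEC 7812): every real PAN passes, most other digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep at most the first six and last four digits (PCI DSS 3.2.1 req. 3.3)."""
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return the Luhn-valid PANs found in text, digits only, in order of appearance."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            pans.append(digits)
    return pans


def redact_line(line):
    """Mask PANs and remove security codes from one line.

    Returns (redacted_line, findings). findings records what was found but
    never the sensitive value itself, so the report is safe to keep.
    """
    findings = []

    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # looks like a PAN but is not one (e.g. an id)
        findings.append(("PAN", digits[:6] + "..." + digits[-4:]))
        return mask_pan(digits)

    def _drop_sad(m):
        findings.append(("SAD", "security code present"))
        label = m.group(0)[: m.start(1) - m.start(0)]  # keep "cvv=" etc.
        return label + "[REMOVED]"

    line = PAN_RE.sub(_mask, line)
    line = SAD_RE.sub(_drop_sad, line)
    return line, findings


def scan_log(text):
    """Scan every line; return [(line_no, redacted_line, findings)] for lines with card data."""
    report = []
    for n, line in enumerate(text.splitlines(), 1):
        redacted, findings = redact_line(line)
        if findings:
            report.append((n, redacted, findings))
    return report


if __name__ == "__main__":
    for n, redacted, findings in scan_log(SAMPLE_LOG):
        print(f"line {n}: {findings}\n  -> {redacted}")
```

Run it over anything that might have captured card data, not just logs. The Luhn filter removes most digit runs that merely look like card numbers, but a PAN adjacent to other digits can still be missed and some ids will pass Luhn by chance, so treat the output as a list of places to inspect. Note that masking in place, as done here, is for cleaning up data you should not have had; data you do legitimately store must be protected under requirement 3.4 (truncation, tokenization or strong encryption), which masking for display does not satisfy.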

What are the right methods for storing credit card information?

Are you looking for the right way to store credit card data? Many merchants do this for recurring billing. If you are sure this is necessary for your business, use a third-party credit card vault (tokenization). The provider stores the card and gives you a token that stands in for it; you charge the token for each recurring payment and never hold the card number yourself. This keeps the card data out of your environment, which lowers your breach risk and shrinks your PCI scope.

If you don’t store data, do you still need to be PCI compliant?

When your business accepts credit or debit cards as a method of payment, you must be PCI compliant. If you choose not to store card information, the rules still apply to you, but not keeping sensitive data protects your customers and makes compliance considerably easier, since the requirements about stored data fall out of scope.

Does having an SSL certificate make me PCI compliant?

Here, the short answer is no. A certificate (commonly called an SSL certificate, though the protocol in use today is TLS) identifies your web server and lets browsers encrypt the connection to it. That protects card data while it travels over the network, but it does nothing for data once it is on your server, and it does not protect the web application itself from attacks and intrusions. It is one of many steps toward full PCI compliance, not a substitute for them. Note too that PCI DSS no longer accepts SSL or early TLS (TLS 1.0) for protecting card data; since June 2018 servers must use TLS 1.1 or, in practice, TLS 1.2 or later.

What is a vulnerability scan, and do I need it to validate compliance?

A vulnerability scan is an automated check of your systems for known weaknesses. The scan required for PCI is external and non-intrusive: it examines your internet-facing network and web applications from the outside and reports exposed services, outdated or unpatched software, weak TLS configuration and similar problems that an attacker could use.

A quarterly scan by a PCI SSC Approved Scanning Vendor is required if you want to maintain your level of compliance.

How often do you need to have a vulnerability scan?

Caring about your business's security means keeping track of its weaknesses. A vulnerability scan discovers them in your network, which is why PCI DSS requires a passing external scan every quarter, and again after any significant change to your network or applications.

Does running a business from home make me a vulnerable target?

If you are a merchant running a business from home, you are still a target for attackers. Home businesses are often the most vulnerable, simply because they rarely have dedicated security staff or a separate network for payment systems. The same PCI DSS requirements apply regardless of where the business operates.

If I am compromised, what should I do?

You should know that although many data breaches are easily prevented, they can still happen to businesses of all sizes. If you run a small or mid-sized business and find out you have been breached, notify your acquiring bank and the affected card brands immediately (your merchant agreement sets the deadlines); they will tell you whether a PCI Forensic Investigator must be engaged. Preserve logs and affected systems rather than wiping them. Useful guidance on what to do next:

  • the Department of Justice, Best Practices for Victim Response and Reporting of Cyber Incidents
  • PCI Council, Responding to a Data Breach
  • Electronic Transactions Association (ETA), Data Breach Response

Do certain states have laws requiring data breach notifications to the affected parties?

As a merchant and business owner, you should know that California implemented a breach notification law in 2003, and nearly every state now has similar legislation. Those laws require individuals or entities that have suffered a data breach to notify the affected customers and third parties of the incident, often within a fixed period, and to take specific remedial steps, in line with the relevant state regulations.
