Your small business guide to PCI compliance.

By Jereme Sanborn on

As soon as your business starts accepting credit cards, data security becomes priority number one. By partnering with a PCI-compliant payments partner like Payanywhere, you’ll be able to adhere to the PCI DSS standards, ensuring your customers’ credit card information stays safe from prying eyes.

What is PCI DSS?

The Payment Card Industry Data Security Standard, or PCI DSS, is a set of six objectives and 12 requirements designed to keep consumers’ credit card data out of the hands of hackers and identity thieves. Every business that accepts card payments must comply with the PCI DSS standards, so PCI compliance should be part of your overall security plan.

There are four compliance levels, based on annual transaction volume across all channels:

  • Level One: more than 6 million transactions per year.
  • Level Two: 1 to 6 million transactions per year.
  • Level Three: 20,000 to 1 million transactions per year.
  • Level Four: fewer than 20,000 transactions per year.

Each level has its own requirements. Additional requirements may apply depending on whether you deal mostly in card-present or card-not-present transactions, operate primarily as a physical store or an ecommerce store, or do business through multiple channels.

What does PCI compliance look like?

The six PCI DSS objectives give a good overview of compliance requirements. Your business must:

  • Create and maintain secure networks.
  • Protect sensitive cardholder data.
  • Put a vulnerability management program in place.
  • Use strong measures for access control.
  • Monitor and test networks on a regular basis.
  • Establish and maintain an information security policy.

Each objective has between one and three required standards for compliance.

Although it sounds complex, the process is actually easiest for Level Three and Level Four businesses. At these levels, you can fill out a self-assessment questionnaire (SAQ) once a year instead of having a professional audit. You also need to undergo a network security scan, which must be performed by a vendor approved by the PCI Security Standards Council. The final step is submitting an Attestation of Compliance. All of this information goes to the bank where you hold your merchant account.

Compliance fees are generally built into the price of your payment platform. However, this doesn’t exempt you from compliance duties. Documentation and scans are still required. You’re also responsible for developing and implementing a security policy, keeping software and applications updated, and maintaining strict network access rules.

What are the consequences of noncompliance?

If you don’t comply with PCI DSS standards, your business could:

  • Be fined between $5,000 and $100,000 a month.
  • Be charged higher transaction fees.
  • Have its merchant account terminated.
  • Lose customer data to hackers in a breach.
  • Lose credibility among customers.

Breaches are among the most expensive of these consequences. In addition to recovery costs, your business also becomes a Level One on the PCI standards scale and must undergo a much more rigorous assessment process.

Choosing a PCI-compliant payment platform is a good first step toward meeting PCI DSS standards. Be consistent with your security plan and stay on top of annual assessments to remain compliant. You’ll maintain a more secure network and assure customers they can shop at your physical or online store with confidence.

At Payanywhere, we offer an enhanced and frictionless PCI compliance experience called PCI Plus. It eliminates program, non-compliance, and PCI fees (not to mention SAQs, scans, administrative work, and third-party requirements) for qualifying merchants while also offering protection in the event of a data breach.