Small businesses often wonder whether they need to achieve PCI compliance and what benefits they will derive from it. This quick guide explains what PCI compliance is, why it is important for your business, and the consequences of non-compliance.
What is PCI Compliance?
PCI compliance refers to a set of practices you must follow to protect consumers' credit card data from being stolen or misused by cybercriminals. PCI DSS is a set of regulations and standards developed by the PCI Security Standards Council and enforced by the major payment card brands: American Express, JCB, Discover, MasterCard, and Visa.
The purpose of PCI is to protect the entire payment card ecosystem and prevent data breaches. All small businesses that transact via credit cards must abide by the PCI DSS standards. These standards apply to merchants and merchant service providers that process debit/credit card payment transactions. PCI DSS compliance is an ongoing process that companies undertake to ensure adherence to the security standards laid down by the PCI SSC.
What is the Need to Be PCI Compliant?
Businesses of all kinds, irrespective of their size, revenue, and number of credit card transactions per year, need to be PCI compliant. PCI DSS compliance prevents cybercriminals from stealing and exploiting sensitive payment card data.
If a small business accepts payments through debit/credit cards and processes, stores, or transmits the cardholder data, it must comply with PCI standards.
Payment brands have their own PCI compliance programs, so small businesses must contact their payment brands directly for information about the compliance programs. The burden of PCI compliance can be overwhelming for small businesses, but non-compliance can attract severe penalties.
Which PCI Level Applies to my Business?
For merchants, there are four PCI DSS compliance levels. A merchant's PCI compliance level depends on the number of card transactions it handles and on the card brand.
In general, businesses fall into the following categories based on the number and type of transactions they process in a year.
The PCI compliance levels are as follows:
- Level 1
  - Merchants processing more than 6 million debit or credit card transactions annually, irrespective of the channel.
  - Any merchant that a payment brand designates as Level 1.
  - Any merchant that has suffered a data breach.
- Level 2
  - Merchants processing between 1 million and 6 million credit/debit card transactions annually, regardless of the channel.
- Level 3
  - Any merchant that processes 20,000 to 1 million debit/credit e-commerce transactions per year.
- Level 4
  - Any merchant processing fewer than 20,000 e-commerce transactions per year.
Service providers (defined as business entities other than a payment brand that are directly involved in processing, storing, or transmitting cardholder data) are divided into two levels. Level 1 covers service providers that process over 300,000 credit card transactions per year, and Level 2 covers service providers processing fewer than 300,000 credit card transactions per year.
Level 1 merchants and service providers are required to have their PCI compliance validated by a Qualified Security Assessor (QSA). Others can self-evaluate their PCI DSS compliance through a Self-Assessment Questionnaire (SAQ), submit an Attestation of Compliance (AOC), and maintain the data security standards.
What are PCI Requirements?
The requirements a small business must meet to be PCI compliant include:
- An up-to-date point of sale: credit card terminals, PIN pads, and point-of-sale and payment gateway software that are current, PCI compliant, and validated, together with a secured router.
- Not storing any cardholder data on computers or on paper.
- Use of strong passwords.
- Training employees about small business PCI compliance.
- Installation of firewalls.
What are the Consequences of Not Being PCI Compliant?
Any failure on a merchant's part to comply with PCI regulations attracts severe penalties and fees. Non-compliance penalties are set at the payment brands' discretion and range from $10,000 to $50,000 in fines. Non-compliance may also result in losing mobile credit card processing rights. Complying with PCI standards helps prevent data breaches and retain customers' trust and loyalty.
How Can my Business Meet PCI Standards?
Level 1 merchants are required to have their PCI compliance validated by a Qualified Security Assessor (QSA) and undergo rigorous compliance validation. Level 2, 3, and 4 merchants complete their compliance validation via a yearly Self-Assessment Questionnaire (SAQ).
The steps to follow are:
- PCI DSS Scoping
PCI compliance is a must for every business, irrespective of its size, as it helps merchants protect cardholder data and prevent data breaches.