As a small business owner, you’ve probably heard of the PCI DSS (Payment Card Industry Data Security Standard). What you may not know is that every company that accepts payment cards must not only follow its requirements but also validate its compliance every year. The requirements are strict, and for good reason: large-scale payment card breaches have exposed the card data of millions of consumers. Here’s a breakdown of what small business owners need to know about their PCI compliance requirements, how to meet them, and how to build PCI best practices into their daily processes.
What Are PCI Compliance Requirements?
If you are a merchant who accepts credit and debit card payments, you are responsible for securely storing, processing, and transmitting cardholder data. The PCI Data Security Standard (PCI DSS) is developed and maintained by the PCI Security Standards Council (a body founded by the major card brands) and sets out requirements for preventing, detecting and responding to cardholder data breaches. These standards are designed to protect merchants and their customers from breaches that could damage their business, finances, and reputation.
Meeting PCI compliance requirements is a critical part of running a successful business, though often overlooked by small to medium sized businesses. As we’ll discuss shortly, operating in a PCI compliant manner is simply good business.
Think of PCI compliance as the golden rule of payment processing: secure other people’s payment information as you would your own. You wouldn’t want a company to expose your credit card number online, throw away papers with your personal information on them, or let just anyone look at your transaction history, personal profile, and account numbers.
Make sure that you protect your customers with the same vigilance you use to protect yourself. PCI compliance guidelines help you do that.
What Are The PCI Compliance Levels?
To become PCI compliant, your business needs to implement and maintain a series of requirements that create a secure payments environment. This protects your customers and maintains privacy for their payment card data.
The number and type of transactions you process each year determine the level of compliance you must maintain. Merchant levels are defined by each card brand (the Visa and Mastercard definitions below are the ones most commonly quoted), and there are four of them:
- Level 1: Over 6 million card transactions per year through any channel, or any merchant a card brand designates as Level 1 (for example, after a breach)
- Level 2: Between 1 million and 6 million card transactions per year
- Level 3: Between 20,000 and 1 million e-commerce transactions per year
- Level 4: Fewer than 20,000 e-commerce transactions per year, and up to 1 million card transactions per year in total
Put simply, a small business that processes fewer than 1 million transactions per year is a Level 4 merchant, as long as fewer than 20,000 of those transactions are e-commerce (the customer enters the card details on a website).
Exceed either threshold and your business moves up to Level 3 or higher, with more validation work (a Level 1 merchant, for instance, needs an annual on-site assessment by a Qualified Security Assessor rather than a self-assessment). How you process transactions also matters. The validation requirements differ for merchants that process only card-not-present MOTO (mail order/telephone order) transactions, e-commerce (web) transactions, card-present POS (point of sale, including a swipe or tap reader on a mobile phone or tablet) transactions, or a combination of the three.
Get help with your PCI compliance requirements
PCI compliance may seem overwhelming; even the acronym is a little daunting. There are many complex technical requirements that must be met to secure card data, covering router and firewall configuration, database configuration, encryption key management, access controls, logging, and file integrity monitoring.
If your head is spinning, there is one thing you can do that simplifies the entire PCI process: have a PCI DSS validated service provider handle all of your card data entry, processing, and storage, so that full card numbers never touch your own systems. PaySimple is a Level 1 PCI DSS validated Service Provider and takes on most of the technical compliance requirements.
Once you move all card data entry, processing, and storage to a PCI DSS validated partner, the scope of what you have to secure yourself shrinks dramatically. What remains is mostly policy and day-to-day operational hygiene, which we cover below.
To validate compliance, most Level 4 merchants complete a Self-Assessment Questionnaire (SAQ) and sign an Attestation of Compliance (AOC) annually. Beyond that, you need to write a security policy for your company and follow it every day, as we’ll explore in the next section.
How To Meet PCI Compliance Requirements For Businesses
The PCI DSS consists of twelve core requirements designed to protect cardholder data wherever it is stored, processed, or transmitted.
As noted, PaySimple is a Level 1 PCI DSS validated Service Provider and handles the majority of the technical requirements. However, all requirements must be met, and there are things your business must do itself to keep your operations PCI compliant.
In order to be considered PCI compliant, your business must be sure to:
- Only process credit cards using a PCI Compliant Service Provider or PCI Approved Software (like PaySimple)
- Never store the CID/CVV2 card security code (the three digit number on the back of Visa/MasterCard/Discover cards, or the four digit number on the front of American Express cards) after authorization, in any format, in any way, ever. The standard classes it as sensitive authentication data: it may exist in memory only long enough to send the authorization request
- Never store the magnetic track data from any card (or the equivalent data read from a chip), in any format, in any way, ever. This includes "temporary" copies such as debug logs and crash dumps from a POS or card reader app
- Render ANY electronic storage of full credit and debit card numbers unreadable, using strong encryption, a keyed hash, or (better) by keeping only a token from your processor plus the last four digits. Wherever a full number must be displayed, mask it (first six and last four digits at most)
- Keep any paper documents containing a full credit card number in a secure location (locked file drawer/safe) when not in use
- Allow only employees with a business need to have access to credit card numbers
- Never share user IDs or passwords, and never use group or shared accounts: every person needs their own login so that access to card data can be traced to an individual
- Use strong passwords for all system access (PCI DSS v4.0 requires at least 12 characters mixing letters and numbers, up from 7 in earlier versions), and turn on multi-factor authentication wherever your systems support it
- Immediately disable access for all terminated employees
- Secure and regularly inspect all POS swipe and tap devices for signs of tampering or substitution: keep an inventory of device serial numbers and check against it, and train staff not to let unannounced "technicians" service a terminal
- Secure all your business computers by installing and activating host firewalls and anti-virus/anti-malware software, keeping them patched, and disabling or changing all generic or default user accounts and passwords
- Create a security policy for your business that addresses all aspects of the PCI DSS (see a sample for PaySimple merchants here)
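The three "never store" rules above are most often broken by accident, in application logs rather than in a database. As an added example (not code from the page or from PaySimple), here is a small Python log scrubber that enforces them at the logging boundary: it redacts magnetic track 1/track 2 data outright, drops the value of any CVV/CID field, and masks any Luhn-valid 13-19 digit sequence down to its last four digits, while leaving Luhn-invalid numbers such as order IDs alone. The regexes, the field names it recognises, and the sample log lines are my own assumptions and constructed input; the card numbers are the well-known Visa and Amex test numbers, not real accounts.

```python
import re
from typing import List, Tuple

# Added example: cardholder-data scrubber for application logs.
# Not the page's or PaySimple's code; patterns and field names are assumptions.

# Track 1 (starts with %B, fields separated by ^) and track 2 (starts with ;, PAN=expiry)
# as read from a magnetic stripe. Track data must never be stored after authorization,
# so the whole thing is dropped rather than masked.
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^?]{1,26}\^\d{4}[^?]*\?")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}[^?]*\?")

# Card security code in key=value or key: value form. The field names are an assumption;
# extend the alternation to whatever your own code calls this field.
CVV_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|cid|security[ _-]?code)\b\s*[=:]\s*\d{3,4}\b")

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes and not
# glued to other digits. Candidates are confirmed with a Luhn check before masking.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, subtract 9 if > 9
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits. PCI DSS allows first six/last four on displays,
    but a log has no need for the BIN, so keep just the last four."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scrub(line: str) -> Tuple[str, List[str]]:
    """Return (scrubbed_line, findings); findings lists which data types were hit."""
    findings: List[str] = []

    def _track(label):
        def _sub(m):
            findings.append(label)
            return f"[{label} REDACTED]"
        return _sub

    def _cvv(m):
        findings.append("CVV")
        return f"{m.group(1)}=[REDACTED]"  # keep the field name, drop the value

    def _pan(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # order IDs, timestamps, phone numbers pass through
        findings.append("PAN")
        return mask_pan(digits)

    # Order matters: track data contains a PAN, so remove it before the PAN pass.
    line = TRACK1_RE.sub(_track("TRACK1"), line)
    line = TRACK2_RE.sub(_track("TRACK2"), line)
    line = CVV_RE.sub(_cvv, line)
    line = PAN_RE.sub(_pan, line)
    return line, findings


def scrub_lines(lines: List[str]) -> List[Tuple[str, List[str]]]:
    return [scrub(line) for line in lines]


# Constructed sample log lines (assumed format, not real card data).
SAMPLE_LOG = [
    "INFO order=1234567890123456 customer=jdoe amount=42.00",
    "DEBUG charge pan=4111 1111 1111 1111 cvv=123 amount=42.00",
    "DEBUG swipe raw=;4111111111111111=29121011234567890?",
    "INFO refund pan=378282246310005 last4=0005",
]

if __name__ == "__main__":
    for cleaned, hits in scrub_lines(SAMPLE_LOG):
        print(f"{','.join(hits) or '-':<12} {cleaned}")
```

Wire `scrub` into your logging pipeline as a filter or formatter so it runs on every record, not just the ones you remember to sanitise. The Luhn check is a trade-off: it avoids mangling order numbers and timestamps, but a scrubber that masks every 13-19 digit run is the safer choice if your logs rarely contain legitimate long numbers.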
For most low-volume merchants, that’s it. Some merchants also need quarterly external vulnerability scans by a PCI SSC Approved Scanning Vendor (ASV). Whether this applies to you depends on how you accept cards rather than on volume alone: it is required, for example, if you have an internet-facing payment page or IP-connected payment terminals, and the SAQ you fill out will say whether it applies. Many services can perform these scans for less than $100 per year.
Self-Assessment Questionnaire (SAQ)
Once you have a payment processing partner integrated into your business and your security policy written and implemented, you will need to fill out a short form to certify your compliance. You can obtain the correct form from the PCI website here.
Most low-volume (“Level 4”) merchants use one of the short questionnaires, and which one applies depends on how card data flows through your business, not on your volume. SAQ-A is for card-not-present merchants (e-commerce or mail/telephone order) that have fully outsourced all cardholder data handling to PCI DSS validated third parties, with no card data stored, processed, or transmitted on their own systems; for a website, that means the payment page is hosted by, or redirects to, your processor. If your own web page controls the payment form and posts card data to a processor, SAQ-A-EP applies instead. Merchants who key phone or mail orders into a processor’s virtual terminal on an isolated computer use SAQ-C-VT. If you process retail transactions on standalone terminals, SAQ-B (dial-out terminals), SAQ-B-IP (IP-connected terminals), or SAQ-P2PE (a validated point-to-point encryption solution) is the survey for you. Anything that doesn’t fit one of the short questionnaires falls back to the full SAQ-D.
Fill out the appropriate survey, making sure that you can truthfully answer “Yes” or “Not Applicable” to every question, and send it together with the Attestation of Compliance to your acquirer or merchant processing company. If you cannot truthfully answer “Yes” to a question, that is a gap to close (or to document as a compensating control) before you attest, not a box to tick. You have now completed your annual PCI compliance requirements. Keep a copy on file, but note that the questionnaire and attestation must be completed afresh each year; you cannot simply resubmit last year’s form.
How To Instill PCI Compliance In Your Daily Processes
Now that we’ve discussed PCI compliance requirements, it’s time to discuss what this actually looks like in the course of daily business.
We’ve all been in the situation where a customer asks for something that directly conflicts with PCI compliance (“just keep my card number on file and charge it next month”). It’s the first time they’ve asked, it’s just a one-time thing, and you don’t want to upset the customer. So, what should you do?
Choose compliance every time. Your customers will thank you for it.
Making PCI compliance requirements a core part of your business process will make your customers more aware of issues surrounding security and ensure your business is not the cause of an unfortunate breach. You can let customers know you are serious about your PCI compliance requirements by:
- Making sure you only collect credit card information on a secure webpage. Look for the lock icon and the https in the browser bar. HTTPS protects the card number in transit, but it does not by itself keep card data off your own server, so use a payment page hosted by your processor rather than building your own form. (When you collect online payments with PaySimple you can be confident that they are secure.)
- Ensuring your payment processing system is PCI compliant and keeping your business certified using the steps above. Customers can rest assured that you are doing everything possible to protect the credit card and other personal information they entrust to you.
- Always asking for the CVV security code when processing a telephone or online payment, and keying it directly into your payment processing system, which should never store it. Never write the code down, even temporarily. Asking for it each time is evidence that the person authorizing the transaction has the card in hand, which also protects you against chargebacks.
- Telling your customers that they should never send credit card or bank account numbers via regular email. You can remind them by always including a security notice in the footer of your emails that the communication is not secure and that they should not reply with account numbers or other sensitive personal information. If a customer emails card details anyway, do not forward or file the message: delete it and ask them to call or use your secure payment page.
Learn More About PCI Compliance With PaySimple
For additional information about PCI compliance and why you need to become compliant, read our PCI Compliance FAQs.
PaySimple also has a special arrangement with Vantiv (NPC) that enables us to offer most Level 4 MOTO merchants a greatly simplified PCI Compliance program. To complete your PCI compliance certification as a Vantiv (NPC) credit card processor customer, follow these guidelines to complete your annual PCI certification: PCI Compliance Vantiv
To complete your PCI compliance certification as a NAB credit card processor customer, use the steps outlined to complete your annual PCI certification: PCI Compliance NAB
It’s time to learn more about how PaySimple can help with your annual PCI compliance requirements. Start a 14 day free trial to accept credit cards seamlessly and securely with PaySimple: