As a small business owner, you’ve probably heard about the PCI DSS (Payment Card Industry Data Security Standard). But did you know that all companies that process credit card transactions must not only adhere to these requirements but also certify their PCI compliance annually?
PCI requirements are quite strict, and for good reason! We’ve all heard about the widespread payment hacking that has affected millions of consumers.
Here’s a breakdown of what all small business owners need to know about PCI requirements.
What is PCI Compliance?
If you are a merchant who accepts credit and debit card payments, you are responsible for securely storing, processing, and transmitting cardholder data. The PCI Data Security Standard (PCI DSS) is developed and maintained by the PCI Security Standards Council to provide a set of requirements for the prevention of, detection of, and reaction to cardholder data security breaches that could affect your business.
PCI Compliance Levels
To become PCI compliant, your business needs to implement and maintain a series of requirements that create a secure payments environment, protecting your customers and maintaining privacy for their payment card data.
To certify compliance, most merchants (except extremely large ones) must complete a Self-Assessment Questionnaire (SAQ) and provide an Attestation of Compliance (AOC) annually.
The size of your business and the number and type of transactions you complete each year determine the level of compliance you must maintain and the complexity of the SAQ you must complete. Overall, there are four levels of PCI compliance.
Small businesses processing fewer than 1 million transactions per year are considered Level 4 merchants, as long as fewer than 20,000 of those transactions are classified as e-commerce (your customers enter transactions themselves on a website). If your credit card processing exceeds those levels, your business falls into a higher compliance level.
How you process your transactions is also important. There are different types of SAQ for merchants that process exclusively card-not-present MOTO (mail order/telephone order) transactions, e-commerce (web) transactions, card-present POS (Point of Sale, which includes using a swipe device on a mobile phone or tablet) transactions, or a combination of the three.
PCI Compliance Basics
The PCI DSS consists of 12 core requirements designed to protect cardholder data wherever it is transmitted or stored.
The details are highly complex, but luckily as a PaySimple merchant, you don’t need to concern yourself with most of them. PaySimple is a Level 1 PCI DSS certified Service Provider, and as such simply using the PaySimple system for all your credit card processing takes care of most of the PCI Requirements.
However, PaySimple can’t certify PCI Compliance for you, and there are things you as a merchant are required to do in order to ensure that your business remains PCI Compliant.
In order to be considered PCI compliant, your business must be sure to:
- Only process credit cards using a PCI Compliant Service Provider or PCI Approved Software (like PaySimple)
- Never store the CID/CVV2 card security code in any format, in any way, ever
- Never store the magnetic track data from any card, in any format, in any way, ever
- Encrypt ANY electronic storage of full credit and debit card numbers
- Any paper document containing a full credit card number must be kept in a secure location (locked file drawer/safe) when not in use
- Only employees with a business need should have access to credit card numbers
- Prohibit sharing of user IDs and passwords and the use of group user accounts
- Require strong passwords (7+ alphanumeric characters) for all system access
- Immediately disable access for all terminated employees
- Secure and regularly examine all POS swipe devices for signs of tampering
- Secure all your business computers by installing and activating personal firewalls and anti-virus/anti-malware software and disabling all generic or default User accounts and passwords
- Create a security policy for your business that addresses all aspects of the PCI DSS (See a sample for PaySimple merchants here)
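The two storage rules above (never store the security code, never keep full card numbers unencrypted) are the ones a merchant can check for directly. The following is an added example, not code from PaySimple or the PCI Council: a small Python audit script that scans stored order records (constructed sample data using publicly known test card numbers) for full card numbers validated with the Luhn check and for stored CVV2/CID values, reports them, and redacts them so only the last four digits remain.

```python
import re

# Constructed sample records resembling a small merchant's order log;
# the card numbers are publicly known test numbers, not real cards.
SAMPLE_RECORDS = [
    "order=1001 card=4111111111111111 cvv=123 exp=12/27",
    "order=1002 card=5500 0000 0000 0004 CID=456",
    "order=1003 card=****-****-****-0005 exp=03/26",
    "order=1004 card=1234567812345678",  # 16 digits but fails Luhn
]
# 13-19 digits, optionally separated by spaces or dashes, on word boundaries.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
CVV_RE = re.compile(r"\b(cvv2?|cvc|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)  # security-code field

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: true for every valid card number, rarely for noise."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers (digits only) found in text."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            pans.append(digits)
    return pans

def redact_record(record: str) -> str:
    """Mask valid PANs to their last four digits and drop stored security codes."""
    def mask(m):
        digits = re.sub(r"[ -]", "", m.group())
        # PCI DSS allows at most first six / last four to show; keep only last four.
        return "*" * (len(digits) - 4) + digits[-4:] if luhn_ok(digits) else m.group()
    record = PAN_RE.sub(mask, record)
    return CVV_RE.sub(lambda m: m.group(1) + "=[removed]", record)

def audit(records: list) -> list:
    """Return (index, reason) pairs for records that break the storage rules."""
    findings = []
    for i, rec in enumerate(records):
        if find_pans(rec):
            findings.append((i, "unencrypted full card number"))
        if CVV_RE.search(rec):
            findings.append((i, "stored security code"))
    return findings
```

Run `audit(SAMPLE_RECORDS)` to list the offending records, then `redact_record` on each before the data is kept anywhere; a record that still needs the full number must instead go to encrypted storage as the bullet above requires.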
Helpful PCI Compliance Resources
- For additional information about PCI compliance and why you need to become compliant, read our PCI Compliance FAQs.
- PaySimple has a special arrangement with Vantiv (NPC) that enables us to offer most Level 4 MOTO merchants a greatly simplified PCI Compliance program. To complete your PCI compliance certification as a Vantiv (NPC) credit card processor customer, follow these guidelines to complete your annual PCI certification: PCI Compliance Vantiv
- To complete your PCI compliance certification as a NAB credit card processor customer, use the steps outlined to complete your annual PCI certification: PCI Compliance NAB
Start a 14-day Free Trial to accept credit cards seamlessly and securely with PaySimple: