As a small business owner, you’ve probably heard about the Payment Card Industry Data Security Standard (PCI DSS). You are required to follow these standards because you process credit card transactions. However, you are also required to certify your PCI compliance annually.
Read on to learn what you need to know about the compliance requirements, how to stay compliant, and how to integrate PCI best practices into your daily operations.
What Are PCI Compliance Requirements?
The PCI requirements are a set of security standards requiring merchants that accepts credit and debit card payments to securely store, process and transmit cardholder data. The requirements were developed as a result of widespread security breaches, specifically hackers stealing credit card data.
There are 4 compliance “levels,” broken out by how many transactions the merchant processes each year, along with the types of transactions being processed.
What Are The 4 Compliance Levels?
The size of your business and the number and type of transactions you complete each year determines the level of compliance you must maintain.
There are 4 levels of PCI compliance:
- Level 1: Over 6 million card transactions per year
- Level 2: Between 1-6 million card transactions per year
- Level 3: Between 20,000 to 1 million card transactions per year
- Level 4: Fewer than 20,000 card transactions per year
Most small businesses are considered Level 4 merchants because they process fewer than 1 million transactions per year. This also means, however, that fewer than 20,000 of those transactions are classified as e-commerce (your customers enter transactions themselves on a website).
How you process your transactions is also important. There are different compliance requirements for merchants that process mail order/telephone, e-commerce (web), Point of Sale (POS) or a combination of these.
PaySimple can help with your PCI compliance requirements
PCI compliance may seem overwhelming — there are a lot of complex, technical requirements that must be met in order to secure credit card information.
The good news is that PaySimple is a Level 1 PCI DSS certified Service Provider, which means we can handle about 90% of your PCI compliance requirements.
To certify compliance, most Level 4 merchants must complete a Self-Assessment Questionnaire (SAQ) and provide an Attestation of Compliance annually. Aside from that, you just need to create a security policy for your company and follow it on a daily basis. More on that below.
How To Meet PCI Compliance Requirements For Businesses
The PCI DSS is comprised of 12 core requirements designed to protect cardholder data wherever it is transmitted or stored.
In order to be PCI compliant, you must do the following:
- Only process credit cards using a PCI Compliant Service Provider or PCI Approved Software (like PaySimple).
- Never store the card security code (the three digit number on the back of Visa/MasterCard/Discover cards, or the four digit number on the front of American Express cards).
- Never, ever store the magnetic track data from any card.
- Encrypt ANY electronic storage of full credit and debit card numbers.
- Keep any paper documents containing a full credit card number in a secure location (locked file drawer/safe) when not in use.
- Allow only employees with a business need to have access to credit card numbers.
- Never share user IDs and passwords or the use of group user accounts.
- Use strong passwords (at least 7+ alpha-numeric characters) for all system access.
- Immediately disable access for all terminated employees.
- Secure and regularly examine all POS swipe devices for signs of tampering.
- Secure all your business computers by installing and activating personal firewalls and anti-virus/anti-malware software and disabling all generic or default user accounts and passwords.
- Create a security policy for your business that addresses all aspects of the PCI DSS (see a sample for PaySimple merchants here).
For most low-volume merchants, that’s it. For higher volume merchants — those that process more than 1 million transactions per year, or more than 20,000 online transactions per year — a quarterly scan of your systems is also required. There are services that perform these scans for less than $100.
Self-Assessment Questionnaire (SAQ)
Once you have a payment processing partner integrated into your business and your security policy written and implemented, you will need complete a certification form, available on the PCI website.
Most Level 4 businesses will use the Self-Assessment Questionnaire A (also known as “SAQ-A”). You are SAQ-A-qualified if you process transactions by phone, mail, or online. If you process retail transactions, you must complete the SAQ-B survey.
Complete your survey and send it to your merchant processing company. You have now completed your annual PCI compliance requirements.
Remember: Keep the survey on file because you will need to do it each year to remain compliant.
How Do I Add PCI Compliance To My Daily Operations?
Making PCI compliance requirements a core part of your business process will make your customers more aware of issues surrounding security and ensure your business is not the cause of an unfortunate breach. You can let customers know you are serious about your PCI compliance requirements by:
- Only collecting credit card information on a secure webpage. Look for the lock icon and the “https” in the browser bar. (When you collect online payments with PaySimple, you can be confident that they are secure.)
- Ensuring your payment processing system is PCI compliant and keeping your business certified.
- Always asking for the CVV security code when processing a telephone or online payment. Your payment processing method should never store this information.
- Telling your customers that they should never send credit card or bank account numbers via regular email. You can include a security notice in the footer of your emails that the communication is not secure and to not reply with account numbers or other sensitive personal information.
Learn More About PCI Compliance With PaySimple
For additional information about PCI compliance and why you need to become compliant, read our PCI Compliance FAQs.
PaySimple also has a special arrangement with Vantiv (NPC) that enables us to offer most Level 4 MOTO merchants a greatly simplified PCI Compliance program. To complete your PCI compliance certification as a Vantiv (NPC) credit card processor customer, follow these guidelines to complete your annual PCI certification: PCI Compliance Vantiv
To complete your PCI compliance certification as a NAB credit card processor customer, use the steps outlined to complete your annual PCI certification: PCI Compliance NAB
It’s time to learn more about how PaySimple can help with your annual PCI compliance requirements. Start a free trial to accept credit cards seamlessly and securely with PaySimple:
Start a 14 day Free Trial to accept credit cards seamlessly and securely with PaySimple: