As a small business owner, how often have you asked yourself, “What is PCI compliance, and why is it important?” I would venture to guess not often, and if you have, you probably received a puzzled shrug as a response. If that’s the case, don’t worry, you aren’t alone. A recent study by The Green Sheet found that only about 16% of Level 4 merchants (businesses that process fewer than 20,000 e-commerce transactions and up to 1 million total card transactions a year) were “very familiar” with PCI compliance (more on the study here). That means the other 84% of small business owners probably feel the same way you do. Have no fear; we are here to shed some light on PCI compliance and why your business should comply; it’s easier than you might think!
The Payment Card Industry Data Security Standard (also known as “PCI DSS,” or just “PCI” for short) is the security standard that applies to any business that stores, processes, or transmits payment card data, credit or debit, no matter how small. It is maintained by the PCI Security Standards Council and enforced through the card brands and your acquiring bank (your merchant processor). The standard is designed to protect merchants and their customers from breaches that could negatively affect their business and reputation. PCI compliance is a critical part of running a successful business, but it is often overlooked by small to medium sized businesses, even though operating in a PCI compliant manner is simply good business. Think about PCI compliance as the golden rule of payment processing: secure others’ payment information as you would your own. You wouldn’t want companies you do business with to broadcast your card number online, throw away papers that have your personal information on them, or let just anyone look at your transaction history, personal profile, and account numbers. You should protect your customers with the same vigilance you use to protect yourself. The PCI DSS requirements help you do just that.
At first, PCI compliance may seem overwhelming; even the acronym is a little daunting. There are a lot of complex technical requirements that must be met in order to secure card data, such as firewall and router configurations, database hardening, encryption and key management, access controls, and file-integrity monitoring. If your head is spinning right now, there is just one thing you need to know to simplify the entire PCI process: get a PCI DSS validated service provider (one that appears on the card brands’ published lists of compliant service providers) to handle all of your card processing, transaction history storage, and card account storage.
Once you move all card data entry, processing, and storage to a PCI DSS validated partner, you are most of the way to PCI compliance, because your own systems no longer touch card data and the bulk of the technical requirements no longer apply to you. One caveat: outsourcing does not shift the responsibility off you. You still need a written agreement in which the provider acknowledges that it is responsible for the security of the cardholder data it handles on your behalf, and you should confirm each year that it is still listed as compliant. Getting the rest of the way there is no problem at all. You simply need to create a security policy for your company and follow it. The key components of this security policy will include:
- Your company does not store card numbers (PANs) in any digital format. (That means not on your computer, not on a jump drive, not on a server, not in e-mail or a spreadsheet. Remember that the storage is now done by your partner.) This includes recorded phone conversations: if you record calls, the card number and security code must not be captured in the recording.
- Your company never stores the CVV2 security code (the 3 digit number on the back of Visa/MasterCard/Discover cards, or the 4 digit number on the front of American Express cards) after a transaction has been authorized, on paper or anywhere else. Unlike the card number, the security code may not be kept in any form.
- If your company stores paper documents containing card information, they must be in a locked file drawer with access restricted on a business need basis, and they must be cross-cut shredded or otherwise destroyed as soon as there is no longer a business or legal reason to keep them.
PaySimple provides a sample security policy that anyone can use here.
For most low-volume merchants who have fully outsourced card handling, that’s it. Quarterly external vulnerability scans are required for higher volume merchants (Levels 1 through 3: more than 1 million card transactions a year, or more than 20,000 e-commerce transactions a year), and also for any merchant, whatever its size, whose questionnaire covers Internet-facing systems that handle card data (for example a web shop that hosts any part of its own payment page, or IP-connected payment terminals). The scans must be performed by a PCI SSC Approved Scanning Vendor (ASV), and a passing scan is needed each quarter. There are many services that can perform these scans for less than $100 per year. A merchant that has outsourced everything has no in-scope systems of its own to scan.
Once you’ve got your payment processing and storage partner integrated into your business and your security policy written and implemented, all you need to do is fill out a short Self-Assessment Questionnaire (SAQ) and sign its Attestation of Compliance to certify your compliance. You can obtain the current forms from the PCI Security Standards Council website here.
Most low-volume (“Level 4”) merchants that have fully outsourced card handling will use the shortest questionnaire, SAQ A. You qualify for SAQ A if you take payments by mail, phone, or online and none of your own systems ever store, process, or transmit card data: for a website, that means the payment page is entirely hosted by your provider (a full redirect or a provider-hosted form). If your own web page handles any part of the payment form, the longer SAQ A-EP applies instead. If you process retail transactions with a standalone dial-out terminal or an imprint machine, SAQ B is the survey for you; standalone IP-connected terminals use SAQ B-IP, and keying card numbers into a provider’s web-based virtual terminal uses SAQ C-VT. Your processor can confirm which one fits. Simply fill out the appropriate survey, making sure that you can truthfully answer “Yes” or “Not Applicable” to every question (a “No” means you are not yet compliant and must fix that item first), and then send the signed questionnaire and attestation to your merchant processing company. You have now completed your annual PCI compliance. Keep a copy on file, and next year walk through the questions again rather than re-sending last year’s answers; what you attest to has to be true on the day you sign it.
Not that difficult, is it? According to Trustwave, an authority on security and payment card industry compliance management solutions, over 80% of merchants are able to achieve PCI Compliance within 12 hours.
So, find a PCI DSS validated service provider to process your payments so that card data never lands on your own systems, and set up a security policy for your business and follow it. Then, sit back and enjoy knowing that you’re not only keeping you and your customers as safe as possible, but you can now answer when someone asks, “What is PCI compliance and why is it important?”
*Special thanks to Lisa H. for her help with this post!