You may have heard the term PCI compliance while researching how to accept customer credit and debit cards as a form of payment, but if you’re not quite sure what PCI compliance entails, you’re not alone.
Here are some commonly asked questions about PCI compliance, and how it relates to your business.
What is PCI compliance?
PCI stands for “payment card industry.” PCI compliance refers to a set of standards that were established in 2006 by the Payment Card Industry Security Standards Council (PCI SSC), an independent organization made up of representatives from the major brands in transaction processing, including Visa, MasterCard, American Express, Discover, and JCB. The standards were designed to ensure that any organization that interacts with sensitive payment information maintains the highest level of security during transaction processing.
Is it illegal to not be PCI compliant?
You are not legally required to be PCI compliant to process credit and debit card payments — but you expose your business and customers to great risk if you’re not. In fact, if a breach occurs and your business is found not to be PCI compliant, it could face thousands of dollars in fines and fees, and potentially lawsuits, depending on the nature and severity of the breach, according to PCIComplianceGuide.org.
What is sensitive data?
Sensitive data technically refers to a customer’s 16-digit account number (PAN, or personal account number), and/or a full PAN together with a customer’s name, expiration date, or service code, as well as the information on a card’s magnetic stripe, PINs, and security codes. Under the PCI SSC’s standards, a business must protect all of these to be PCI compliant.
What size does my business have to be to require PCI compliance?
Any business that accepts credit or debit cards is required to be PCI compliant. As the experts at PCIComplianceGuide.org explain, breaches commonly affect small merchants and home-based businesses, because hackers perceive them as the “path of least resistance” in terms of security.
With that said, PCI compliance assigns specific standards based on the volume of transactions your business processes over 12 months. Many small- to medium-sized businesses fall into “Level 4,” which applies to merchants that process fewer than 20,000 Visa e-commerce transactions in that time, or up to 1 million Visa transactions in any other sales channel.
How do I verify that I’m PCI compliant?
Whether you process most of your transactions through mobile payments, through a third-party payment gateway that securely handles online sales, or at a fixed or mobile point-of-sale terminal, it’s important to use only payment processors that guarantee PCI-compliant processing before, during, and after the transaction. Additionally, PCI compliance defines processes for how your staff handles payment data (it should never be written down on paper or sent in an email, for example), and for the security of your internal servers and networks.
PCI compliance also requires that you monitor POS terminals and payment processing devices to confirm that they have not been tampered with, and that you perform internal and external vulnerability scans every quarter. According to the PCI SSC, these scans should also confirm that external connections — like firewalls and internal network security, applications, and portable computer devices — are secure and free of malware. You can hire approved scanning vendors (ASVs) to assist in the scan and validation process.
Does PCI compliance mean I can’t use recurring billing?
While the experts at PCIComplianceGuide.org do not encourage storing sensitive data, businesses that use a subscription-based model can be PCI compliant by ensuring they use appropriate encryption technologies to protect the information used for recurring billing. Small businesses can hire qualified security assessors (QSAs) to help confirm that this information is indeed secure.
Accepting credit and debit cards allows you to meet customers’ expectations for how they can pay, but handling sensitive payment data comes with a high degree of risk and responsibility on the part of merchants. The more familiar you are with the basics of PCI compliance, the better equipped your business is to maintain the security you need to serve customers, and stay protected from the risk of a breach.
Author bio: Kristen Gramigna is Chief Marketing Officer for BluePay, a credit card processing firm. She has more than 20 years’ experience in the bankcard industry in direct sales, sales management, and marketing. Follow her on Twitter at @BluePay_CMO.