The Payment Card Industry Data Security Standard (PCI DSS) can be difficult to navigate even for large companies. For a small business owner with limited staff and resources, compliance can be even more confusing. The standards and requirements may seem daunting at first, but they are an important step in assuring the future of your company. Here are some common questions about PCI compliance for small businesses, and how you can get started.
Do Small Businesses Need to Be PCI Compliant?
Yes. The Payment Card Industry Security Standards Council was created in 2004 by the major credit card brands to protect their customers from data breaches. The standards that the council put in place are designed to protect a consumer’s name, card number, expiration date, and security code. PCI compliance requires businesses that access card data (either in person or via e-commerce transactions) to store that data on a separate and secure network.
Any business that processes credit card information must be PCI compliant. The industry standards laid out in PCI DSS not only protect your company from future cybersecurity threats; they also ensure that you will be able to keep processing credit card payments.
What PCI Levels and Requirements Apply to Your Business?
PCI DSS has four levels of compliance—“merchant levels”—which are grouped by the annual volume of your debit card and credit card transactions:
- Level 1 applies to companies that perform more than 6 million Visa, Discover, or MasterCard transactions, or more than 2.5 million American Express transactions, every year.
- Level 2 applies to companies that annually perform 1 million to 6 million Visa or MasterCard transactions, or more than 50,000 American Express transactions.
- Level 3 applies to companies that annually perform 20,000 to 1 million Visa or MasterCard transactions, and fewer than 50,000 American Express transactions.
- Level 4 applies to companies that annually perform fewer than 20,000 Visa and MasterCard transactions via e-commerce, or fewer than 1 million Visa and MasterCard transactions in total. Level 4 businesses must also be able to prove that they have had no data breaches that affected customer card data.
These levels dictate how your compliance should be performed, but not which of the PCI requirements apply to your particular organization. PCI DSS has 12 primary requirements:
- Install firewalls to protect cardholder data and make sure they are maintained.
- Create unique, strong passwords and other security settings; never keep the default passwords assigned by the system.
- If you are storing cardholder data, make certain that it is well protected.
- Encrypt any transmissions of customer data across open networks.
- Utilize antivirus software and make sure that it is updated regularly.
- Develop secure applications and systems, and maintain them.
- Make sure that employee access to cardholder data is restricted to a need-to-know basis.
- Give each employee who has access to customer data a unique ID.
- Minimize physical access to the data.
- Track and monitor those who are accessing data or network resources.
- Test any controls or processes on a regular basis.
- Build information security requirements into your existing company policy.
Within these 12 categories, there are 281 sub-categories, but not all sub-categories apply to all businesses. A process called scoping can help determine your PCI merchant level and which sub-requirements apply to your specific business.
Most small businesses will fall under merchant levels 2, 3, or 4. Companies designated at Level 1 are subject to a larger and more strict set of guidelines than those at other levels. Small businesses are unlikely to need to comply with those additional standards.
What Is Needed for PCI Compliance?
To determine whether you are PCI compliant, you will either need to submit to an audit or complete a self-assessment questionnaire (SAQ). For most smaller businesses (that is, those that are not Level 1 merchants), it is likely that you can complete the SAQ and avoid a formal audit.
PCI DSS has eight different SAQs. They apply to different kinds of businesses depending on a number of criteria, including how you process credit card information and whether you’re an e-commerce provider or a brick-and-mortar establishment. For example, an SAQ B would be appropriate for your company if you perform in-person sales with terminals or imprint machines that don’t store customer data.
If your organization requires an auditor, a Quality Security Assessor (QSA) will examine your credit card processing system and documentation, and test any controls to be sure that they are effective.
An audit or self-assessment can be an overwhelming experience for a small business owner, but there are programs and services available to guide you through the process and provide documentation of your compliance.
Preparing for your SAQ or audit can save you time and money in the long run. Before you begin, you should define and ideally minimize your scope, assess how well you are already meeting each requirement, test any controls you already have in place, and gather the appropriate documentation.
What Happens if a Company Is Not PCI Compliant?
The consequences of non-compliance with PCI guidelines can be catastrophic for a small company. You won’t be breaking any laws, but you may be subject to hefty fines and possible loss of credit card processing privileges.
You are also leaving your company vulnerable to data breaches and potential lawsuits. The brand damage that results from failing to protect consumer card data is difficult for most small business owners to survive. Therefore, it is always best to take the necessary steps to protect yourself and your customers by adhering to industry standards and meeting compliance requirements.