PCI compliance 101 for your business
Payment security should be at the forefront of every business owner's mind. Not only are cyberattacks on the rise, damaging the reputation of companies that suffer a data breach, but payment fraud is on the up too. Over the last ten years, payment fraud has tripled from $9.84 billion to $32.39 billion globally.
PCI compliance helps keep your customers' data safe and protects your business against criminals using your customers' data to purchase goods and services fraudulently. But how does PCI compliance work?
Is PCI Compliance required for small businesses?
In short, yes. The Payment Card Industry Data Security Standard (PCI DSS) is required for any business that accepts, processes, stores, or transmits credit card information. The major payment card brands (American Express, Visa, MasterCard, JCB International, and Discover) set up the PCI DSS to help prevent payment card fraud and ensure that consumers’ personal information remains secure.
Those who handle this kind of payment information in any way without being PCI-compliant can face severe penalties (more on this later). So whether you are setting up a small restaurant business or a global online retailer, you need to put in the work required to ensure you meet the standard regardless of the size of your operation.
While the size of your business does not matter, the number of transactions your business facilitates does, since it determines which level of PCI compliance you need to obtain. There are four levels, defined as follows:
Level 1 Merchant
- Merchants that process more than 6 million credit or debit card transactions annually, including in-store, online, or a mixture of both.
- Any merchant Visa determines should be a Level 1 merchant to minimize risks to the Visa network.
- Level 1 merchants must submit a Report on Compliance (ROC), validated by a Qualified Security Assessor (QSA), to prove that they are compliant.
Level 2 Merchant
- Merchants processing between 1 million and 6 million credit or debit card transactions per year, regardless of the processing channel (e.g., in-store credit card machine, online, etc.).
Level 3 Merchant
- Any merchant that processes 20,000 to 1 million e-commerce credit or debit card transactions annually.
Level 4 Merchant
- Any merchant that processes fewer than 20,000 e-commerce transactions annually.
How can I become PCI compliant?
It can seem scary to shoulder such a significant security burden when you are a small business owner trying to get your fledgling venture off the ground. Doing everything required on the PCI compliance 12-step checklist can run into hundreds of thousands of dollars.
Those steps include:
- Implementing firewalls to protect data
- Ensuring appropriate password protection
- Protecting cardholder data
- Encrypting transmitted cardholder data
- Utilizing antivirus software
- Updating software and maintaining security systems
- Restricting access to cardholder data
- Assigning unique IDs to everyone with access to cardholder data
- Restricting physical access to data
- Creating and monitoring access logs
- Testing security systems regularly
- Creating a documented security policy that staff can actually follow
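Two of the items above, protecting cardholder data and creating access logs, collide in practice: an application that writes the full card number (PAN) into its logs has just created a new store of cardholder data that is itself in scope for PCI DSS. The added example below (my own illustration, not code from the original article or from POSTRON) shows the usual defensive pattern: detect candidate PANs in a log line, confirm them with the Luhn check so ordinary order numbers are left alone, and mask them to the first six and last four digits, which is the maximum the standard permits for display. The digit pattern, the sample log lines and the function names are my assumptions; the test card numbers are public test values, not real cards.

```python
import re

# Assumption: a PAN candidate is 13 to 19 digits, optionally separated by
# single spaces or dashes, not embedded in a longer run of digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if a digit string passes the Luhn mod-10 check.

    Card brands use Luhn as a checksum on the PAN, so it is a cheap way to
    tell a card number apart from an order ID or timestamp of the same length.
    """
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for index, char in enumerate(reversed(digits)):
        digit = int(char)
        if index % 2 == 1:          # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: keep first six and last four digits only."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(line: str) -> str:
    """Replace every Luhn-valid PAN in a log line with its masked form."""
    def _replace(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"\D", "", raw)
        return mask_pan(digits) if luhn_valid(digits) else raw
    return _PAN_CANDIDATE.sub(_replace, line)


# Constructed sample log lines: an order number that is 13 digits long but
# fails Luhn (left alone) and two public test card numbers (masked).
SAMPLE_LOG = [
    "2024-05-01T10:15:22Z INFO checkout order=1234567890123 pan=4111111111111111 amount=19.99",
    "2024-05-01T10:16:03Z WARN retry card 5500 0000 0000 0004 declined",
]


def redacted_sample() -> list:
    """Run the redaction over the constructed sample and return the result."""
    return [redact_pans(line) for line in SAMPLE_LOG]


if __name__ == "__main__":
    for line in redacted_sample():
        print(line)
```

Run this as a filter in front of whatever ships your logs, not as a post-processing step on files that already contain full PANs; once the unmasked number has hit disk, the storage requirements in the checklist apply to that file too.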
Do I need to pay for PCI compliance?
That depends on the solution you opt for. If you choose a specific third-party provider to take care of your PCI compliance, you can expect to pay an ongoing fee for their services.
You could take matters into your own hands and opt for a DIY approach. However, obtaining and subsequently maintaining PCI compliance yourself would likely cost close to half a million dollars in the first year alone, making it cost-prohibitive for most businesses.
Is there any punishment if I am not PCI compliant?
Yes, and those punishments are severe. While the PCI DSS is a contractual obligation rather than a law, enforcement is handled by the card networks (via your acquiring bank), with hefty fines for any business found to be non-compliant.
Small businesses could expect to face charges of between $5,000 and $100,000 if found non-compliant and responsible for a payment data breach. Worse, these fines can be issued monthly until the compliance problems are rectified, and you will also have to foot the bill for card replacement costs, forensic audits, reputational damage, and several other costs.
Most companies would never recover from the potential costs caused by an insecure payment security infrastructure. While you might not necessarily receive fines for merely being non-compliant, the risks associated with being in that position are simply too significant for your business.
Choose POSTRON for Your PCI Compliance Requirements Today
With the threat of data breaches at an all-time high, business owners need to do everything they can to ensure they meet the requirements of the PCI DSS to ensure they protect themselves and their customers. However, with the costs involved in obtaining and maintaining PCI-compliant status, you should look for a provider that shoulders that responsibility for minimal costs.
At POSTRON, all of our POS devices are PCI compliant. Furthermore, we provide detailed instructions on PCI compliance once you have purchased the POS devices, allowing you to focus on your core business activities.
Please speak to a team member to learn more about our industry-leading POS system, complete with baked-in payment security features, or book a free demo to see for yourself.