Payment Card Industry (PCI) compliance refers to the data security standards that businesses must adhere to if they capture, process, transmit, or store credit or debit card information. Also known as the Payment Card Industry Data Security Standard (PCI DSS), these guidelines are created and enforced by the PCI Security Standards Council (PCI SSC).
Properly protecting your business from security breaches potentially saves you tens of thousands of dollars or more in lost income.
As credit card usage expanded around the turn of the century, each major card brand (Visa, Mastercard, Discover, and American Express) developed its own system for protecting against fraud. Soon, however, these card brands united to create an industry-wide standard for protection, called the PCI DSS. The first iteration was launched in 2004 and has undergone many revisions to stay current. The most recent version (4.0) was launched on March 31, 2022.
To establish and maintain PCI compliance, there are 12 basic requirements every business needs to meet. Below is an excerpt from the official Requirements and Security Assessment Procedures, which you can find on the PCI website.
Goal 1: Build and maintain a secure network and systems.
Goal 2: Protect account data.
Goal 3: Maintain a vulnerability management program.
Goal 4: Implement strong access control measures.
Goal 5: Regularly monitor and test networks.
Goal 6: Maintain an information security policy.
PCI DSS 4.0 exists for the same reason as previous iterations – i.e., to continue to address emerging threats and technologies and to help safeguard sensitive payment data. How it achieves this, however, differs slightly from earlier data security standards.
Below are high-level explanations of some of the changes introduced in the latest PCI DSS version.
Note, however, that PCI DSS 3.2.1 is still in effect and will be retired starting March 31, 2024. Some future-dated requirements are treated as best practice until they become enforceable starting March 31, 2025.
Becoming (and remaining) PCI compliant carries a range of costs. What you can expect to pay depends on your merchant level, which is dependent on variables such as:
There may be additional costs, for example for employee training, which is voluntary for smaller organizations but often required for larger ones. Upgrading magstripe POS terminals to more secure EMV-enabled readers also carries expenses. The same is true for eCommerce merchants that protect their visitors by adding Secure Sockets Layer (SSL) certificates to their sites. Of course, there are also direct PCI compliance fees – normally calculated and charged by your payment processor.
These variables make it difficult to provide an exact “cost” for PCI compliance. However, smaller organizations can expect to pay $300 to $500 annually to become and remain compliant. By contrast, a multinational enterprise might need to spend $70,000 to $100,000 a year to remain in good standing.
However, the real costs come from non-compliance. Even if fraud never occurs in your organization, failure to meet the data security guidelines could result in penalties ranging from $5,000 to $100,000 – per month – until the issues have been fixed. If fraud happens, you may have to cover financial losses. Data breaches can often lead to expensive legal battles and investigations – not to mention diminished consumer confidence and fewer sales.
Now that you know the goals and requirements of PCI DSS, what should you do with that knowledge? Your business will be assessed against these security guidelines whether you like it or not. So, it’s best to understand how it can impact your day-to-day tasks and responsibilities.
If you’re using a point-of-sale (POS) device that’s more than a few years old, chances are it’s not protecting you against current threats in line with current security standards.
One way to simplify your security is to start with a modern POS, specifically one that is PCI PTS (Payment Card Industry PIN Transaction Security) certified. Think of PTS certification like PCI compliance for payment terminals. POS providers like Clover that provide payment terminals can submit their machines for inspection and certification to make sure that a third party will not be able to access cardholder and PIN information.
All Clover point-of-sale devices are PTS certified, taking much of the burden of PCI compliance off of busy merchants. One of the critical points of PTS certification is point-to-point encryption (P2PE). Having built-in P2PE, as merchants with most Clover POS systems do, will make the entire process of certifying PCI compliance much easier.
If you cobble together your own payments processing, or use non-P2PE devices, you can hire outside PCI compliance consultants to survey your business and adapt your systems to meet the basic requirements. It may seem like avoiding a modern POS system will reduce costs, but when you’re planning your budget, be sure to factor in the cost of compliance consultants. It can quickly add up.
PCI compliance is assessed in two ways: Self-Assessment Questionnaires (SAQs) and audits. Generally, businesses are required to submit SAQs annually and are audited quarterly to ensure compliance.
Answering a questionnaire once a year may not sound that complicated, but how your business is structured and the number of credit card transactions you process dictate which of the 8 different SAQs you will have to complete.
What might initially seem like a simple checklist of requirements can balloon into over 200 questions examining things like your networks, login systems, and data storage. Here are a few items from the full questionnaire for merchants who aren’t P2PE certified:
These questions are difficult and often time-consuming to address. If you choose to work with a Clover POS system, you get to bypass most of them. The P2PE-certified hardware Clover builds includes multiple CPUs to protect data, even in the case of a virus being introduced to the system. Its high-level encryption protects customer information from the moment it is captured until it’s through the payment gateway. With this level of security built in, the PCI questionnaire merchants will have to complete is reduced to as few as five questions from 200+. And with add-ons like Clover Security, you can access a team of people who will help you across the finish line to PCI compliance!
In addition to your annual SAQ, you’ll also have to complete 4 system audits each year. If you are PCI compliant, these electronic audits will be a breeze. If you’ve cut a few corners thinking it will save you time or money, be prepared for an unnecessary headache.
If you use the services of Clover Security, you’ll get automated reminders to schedule and complete these audits as well as a guided questionnaire to complete your SAQ. That means you can spend more time running your business, and less time worrying about how to protect your payment data.
While you might be tempted to ignore the PCI compliance requirements, you run the risk of being hacked, losing customers, incurring fines, and potentially losing the privilege of accepting credit cards at all.
There are many ways you can end up non-compliant. Here are just a few:
You may think small businesses don’t attract hackers the way larger corporations do. While the press usually only covers data breaches for larger businesses, PCI compliance for small business owners is more important, since merchants from this category are often the most vulnerable to fraud attacks.
The numbers don’t lie: 43% of cyber attacks target small businesses. Furthermore, 60% of small and medium businesses that suffered data breaches were out of business within six months. Hackers know that the smaller the business, the less likely it is to have staff dedicated to security, leaving potential gaps for remote access, malware, or malicious code.
The formal penalties associated with PCI non-compliance are not exorbitant. Standard fines are about $20 per month, although each service provider has a right to set penalty rates at their own discretion. But these fees are just the tip of the iceberg when it comes to the real costs.
If your small business is hacked, the average loss is calculated as high as $79,841. Can your business afford to have nearly $80K disappear overnight? That’s a whopping figure for most merchants, and explains why so many victims of hacking end up closing shop in less than half a year.
On top of that, non-compliance may result in credit card companies revoking your privileges. If you cannot accept credit cards, or develop a reputation for sub-standard security, it’s probably game over for your business.
Most small merchants open a business because they are passionate about their products and services. Chances are you aren’t also passionate about jumping through the hoops of PCI compliance. But now that you understand the value of compliance, where should you begin?
Merchants are placed into different compliance levels based on the volume and type of transactions they process. Most small to medium businesses fall into Merchant Level 4: merchants processing fewer than 20K e-commerce transactions per year, and all other merchants processing up to 1M transactions per year. Your Merchant Level, along with other information about how your payments system is configured, determines which SAQ you will need to complete.
There was a time when a cash register and a product was all you needed to get a business launched. But if you are going to accept credit cards, you’ll need to partner with a credit card processor. Modern POS systems bundle processing together with other merchant services to make sure your business is set up for success.
With a POS system like Clover, you get a lot of compliance right out of the box. With PTS-certified equipment and P2PE encryption, you’ll have very little to manage to keep your PCI compliance in good standing. And if you partner with Clover Security, you’ll get automatic reminders, as well as support, to complete your audits and SAQs as needed.
Businesses of any size are at risk of hackers and data breaches that could ruin all you have worked for. PCI compliance can be complicated, but if you have the right partners for payments processing and work to keep your business compliant, you can rest easy knowing that you’re protected. Continue to educate yourself about evolving standards, and show your customers you care about their safety, too. You have a duty to protect your customers’ data, and Clover is here to help.
This information is provided for informational purposes only and should not be construed as legal, financial, or tax advice. Readers should contact their attorneys, financial advisors, or tax professionals to obtain advice with respect to any particular matter.