
What is PCI compliance?

Editorial Team

9 min read

Payment Card Industry (PCI) compliance refers to a security standard designed to protect customer data in credit/debit transactions. The PCI DSS (Payment Card Industry Data Security Standard) was established to strengthen payment systems against potential data breaches. Some PIN Transaction Security (PTS) devices are designed to meet a number of PCI compliance requirements automatically, making strong security easier to achieve for businesses of all sizes.

Properly protecting your business from security breaches potentially saves you tens of thousands of dollars or more in lost income.

In this guide:

  • PCI Basics
  • Demystifying PCI DSS compliance and PCI PTS certification
  • Consequences of PCI non-compliance
  • Making sure your small business is PCI compliant

PCI Basics

As credit card usage expanded around the turn of the century, each major processor (Visa, MasterCard, Discover, and American Express) developed its own system for protecting against fraud. Soon, however, these processors united to create an industry-wide standard for protection, called the PCI DSS. The first iteration was launched in 2004 and has undergone many revisions to stay current. The most recent version (3.2.1) was launched in May 2018.

To establish and maintain PCI compliance, there are 12 basic requirements every business needs to meet. Below is an excerpt from the official Requirements and Security Assessment Procedures, which you can find on the PCI website.

PCI DSS version 3.2.1

Goal 1: Build and maintain a secure network and systems.

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Goal 2: Protect cardholder data.

  • Requirement 3: Protect stored cardholder data.
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Goal 3: Maintain a vulnerability management program.

  • Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs.
  • Requirement 6: Develop and maintain secure systems and applications.

Goal 4: Implement strong access control measures.

  • Requirement 7: Restrict access to cardholder data by business’ need to know.
  • Requirement 8: Identify and authenticate access to system components.
  • Requirement 9: Restrict physical access to cardholder data.

Goal 5: Regularly monitor and test networks.

  • Requirement 10: Track and monitor all access to network resources and cardholder data.
  • Requirement 11: Regularly test security systems and processes.

Goal 6: Maintain an information security policy.

  • Requirement 12: Maintain a policy that addresses information security for all personnel.

Demystifying PCI DSS compliance and PCI PTS certification

Now that you know the goals and requirements of PCI DSS, what should you do with that knowledge? Your business will be assessed against this standard by credit card companies whether you like it or not. So it’s best to understand how it can impact your day-to-day tasks and responsibilities.

Using PCI PTS certified devices

If you’re using a point-of-sale (POS) device that’s more than a few years old, chances are it’s not protecting you against potential threats in line with current security standards.

One way to simplify your security is to start with a modern POS, specifically one that is PCI PTS (Payment Card Industry PIN Transaction Security) certified. Think of PTS certification as PCI compliance for payment terminals. Businesses like Clover that provide payment terminals can submit their machines for inspection and certification to make sure that a third party will not be able to access cardholder and PIN information.

All Clover point-of-sale machines are PTS certified, taking much of the burden of PCI compliance off of busy merchants. One of the critical points of PTS certification is point-to-point encryption (P2PE). Having built-in P2PE, as merchants with most Clover POS systems do, will make the entire process of certifying PCI compliance much easier.

Avoiding hidden costs

If you cobble together your own payments processing, or use non-P2PE devices, you can hire outside PCI compliance consultants to survey your business and adapt your systems to meet the basic requirements. It may seem like avoiding a modern POS system will reduce costs, but when you’re planning your budget, be sure to factor in the cost of compliance consultants. It can quickly add up.

Assessing and reporting your PCI compliance

PCI compliance is assessed in two ways: Self-Assessment Questionnaires (SAQs) and audits. Generally, businesses are required to submit SAQs annually and are audited quarterly to ensure compliance.

Answering a questionnaire once a year may not sound that complicated, but how your business is structured and the number of credit card transactions you process dictate which of the 8 different SAQs you will have to complete.

What might initially seem like a simple checklist of requirements can balloon into over 200 questions examining things like your networks, login systems, and data storage. Here are a few items from the full questionnaire for merchants who aren’t P2PE certified:

  • Are perimeter firewalls installed between all wireless networks and the cardholder data environment, and are these firewalls configured to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment?
  • Is there a current network diagram that documents all connections between the cardholder data environment and other networks, including any wireless networks?
  • Is there a formal process for approving and testing all network connections and changes to the firewall and router configurations?

These questions are difficult and often time-consuming to address. If you choose to work with a Clover POS system, you get to bypass most of them. The P2PE-certified hardware Clover builds includes multiple CPUs to protect data, even in the case of a virus being introduced to the system. Its high-level encryption protects customer information from the moment it is captured until it’s through the payment gateway. With this level of security built in, the PCI questionnaire merchants will have to complete is reduced to as few as 5 questions from 200+. And with add-ons like Clover Security, you can access a team of people who will help you across the finish line to PCI compliance!

In addition to your annual SAQ, you’ll also have to complete 4 system audits each year. If you are PCI compliant, these electronic audits will be a breeze. If you’ve cut a few corners thinking it will save you time or money, be prepared for an unnecessary headache.

If you use the services of Clover Security, you’ll get automated reminders to schedule and complete these audits, as well as a guided questionnaire to complete your SAQ. That means you can spend more time running your business, and less time worrying about how to protect your payment data.

Consequences of PCI non-compliance

It’s possible to operate a business without being PCI compliant, but there are potentially serious consequences. If you either refuse to meet current standards or neglect maintaining compliance, you run the risk of being hacked, losing customers, incurring fines, and potentially losing the privilege of accepting credit cards at all.

What non-compliance looks like

There are many ways you can end up non-compliant. Here are just a few:

  • Not filling out your annual SAQ (Self-Assessment Questionnaire)
  • Filling out your annual SAQ incompletely and/or inaccurately
  • Failing to complete quarterly network audits
  • Not taking recommended steps provided by PCI compliance experts
  • Sharing login information or usernames among employees
  • Using default passwords for any of your networks or equipment
  • Using public Wi-Fi for some of your transactions if you have a network issue, or are off-site

Are small businesses at risk of hacking?

You may think small businesses don’t attract hackers the way larger corporations do. While the press usually only covers data breaches for major businesses, small merchants also run a high risk if they neglect compliance.

The numbers don’t lie: 43% of cyber attacks target small businesses*. Furthermore, 60% of small and medium businesses that suffered data breaches were out of business within 6 months†. Hackers know that the smaller the business, the less likely it is to have staff dedicated to security, leaving potential gaps for remote access, malware, or malicious code.

Costs of non-compliance

The formal penalties associated with PCI non-compliance are not exorbitant. Standard fines are about $20 per month, although each service provider has a right to set penalty rates at their own discretion. But these fees are just the tip of the iceberg when it comes to the costs.

If your small business is hacked, the average loss is calculated as high as $79,841‡. Can your business afford to have nearly $80K disappear overnight? That’s a whopping figure for most merchants, and explains why so many victims of hacking end up closing shop in less than half a year.

On top of that, non-compliance may result in credit card companies revoking your privileges. If you cannot accept credit cards, or develop a reputation for sub-standard security, it’s probably game over for your business.

Making sure your small business is PCI-compliant

Most small merchants open a business because they are passionate about their products and services. Chances are you aren’t also passionate about jumping through the hoops of PCI compliance. But now that you understand the value of compliance, where should you begin?

Know your PCI compliance level

Systems are placed into different compliance levels based on the volume and type of transactions they process. Most small to medium businesses fall into Merchant Level 4: merchants processing fewer than 20K e-commerce transactions per year, and all other merchants processing up to 1M transactions per year. Your Merchant Level, along with other information about how your payments system is configured, determines which SAQ you will need to complete.

Choosing the right POS system affects your PCI compliance

There was a time when a cash register and a product was all you needed to get a business launched. But if you are going to accept credit cards, you’ll need to partner with a credit card processor. Modern POS systems bundle processing together with other merchant services to make sure your business is set up for success.

With a POS system like Clover, you get a lot of compliance right out of the box. With PTS-certified equipment and P2PE encryption, you’ll have very little to manage to keep your PCI compliance in good standing. And if you partner with Clover Security, you’ll get automatic reminders, as well as support, to complete your audits and SAQs as needed.

Conclusion

Businesses of any size are at risk of hackers and data breaches that could ruin all you have worked for. PCI compliance can be complicated, but if you have the right partners for payments processing and work to keep your business compliant, you can rest easy knowing that you’re protected. Continue to educate yourself about evolving standards, and show your customers you care about their safety, too. You have a duty to protect your customers’ data, and Clover is here to help.

* https://smallbiztrends.com/2017/01/how-to-protect-your-small-business-against-a-cyber-attack.html

† https://www.inc.com/joe-galvin/60-percent-of-small-businesses-fold-within-6-months-of-a-cyber-attack-heres-how-to-protect-yourself.html

‡ https://smallbiztrends.com/2018/12/cost-of-a-cyber-attack-small-business.html
