Payment Card Industry (PCI) compliance refers to a security standard designed to protect cardholder data in credit and debit card transactions. The PCI DSS (Payment Card Industry Data Security Standard) was established to strengthen payment systems against data breaches. Payment terminals approved under the PCI PIN Transaction Security (PTS) program are built to satisfy several of the standard's requirements out of the box, which makes strong security easier to achieve for businesses of all sizes.
Properly protecting your business from security breaches potentially saves you tens of thousands of dollars or more in lost income.
As credit card usage expanded around the turn of the century, each major card brand (Visa, MasterCard, Discover, and American Express) developed its own program for protecting against fraud. Soon, however, these brands united to create an industry-wide standard, the PCI DSS, governed by the PCI Security Standards Council. The first version was released in December 2004 and the standard has been revised many times since to stay current; at the time of writing, the most recent version (3.2.1) was released in May 2018.
To establish and maintain PCI compliance, there are 12 requirements every business that stores, processes, or transmits cardholder data needs to meet. They are grouped under six goals, listed below as an excerpt from the official Requirements and Security Assessment Procedures, which you can find on the PCI Security Standards Council website.
Goal 1: Build and maintain a secure network and systems.
Goal 2: Protect cardholder data.
Goal 3: Maintain a vulnerability management program.
Goal 4: Implement strong access control measures.
Goal 5: Regularly monitor and test networks.
Goal 6: Maintain an information security policy.
Now that you know the goals and requirements of PCI DSS, what should you do with that knowledge? Your acquiring bank or payment processor, acting on behalf of the card brands, will hold your business to this standard whether you like it or not. So it’s best to understand how it can impact your day-to-day tasks and responsibilities.
If you’re using a point-of-sale device (POS) that’s more than a few years old, chances are it’s not protecting you against potential threats in adherence to current security standards.
One way to simplify your security is to start with a modern POS, specifically one that is PCI PTS (Payment Card Industry PIN Transaction Security) approved. Think of PTS approval as PCI compliance for the payment terminal itself. Vendors like Clover that provide payment terminals submit their devices to an accredited lab for testing and approval, which verifies that the hardware resists tampering and that card and PIN data cannot be extracted from it by a third party.
All Clover point-of-sale machines are PTS approved, taking much of the burden of PCI compliance off of busy merchants. Closely related is point-to-point encryption (P2PE), a separate PCI program in which card data is encrypted inside the PTS-approved terminal and can only be decrypted by the solution provider, so the merchant's own systems never handle clear-text card numbers. Having built-in P2PE, as merchants with most Clover POS systems do, makes validating PCI compliance much easier because far fewer of your systems are in scope.
If you cobble together your own payments processing, or use non-P2PE devices, you can hire outside PCI compliance consultants (such as a Qualified Security Assessor) to survey your business and adapt your systems to meet the requirements. It may seem like avoiding a modern POS system will reduce costs, but when you’re planning your budget, be sure to factor in the cost of compliance consultants. It can quickly add up.
For most small merchants, PCI compliance is validated in two ways: an annual Self-Assessment Questionnaire (SAQ) and, where your card acceptance involves Internet-facing systems, quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV). Large merchants are instead assessed on site each year by a Qualified Security Assessor.
Answering a questionnaire once a year may not sound that complicated, but how your business accepts and handles card data dictates which of the 8 different merchant SAQs you will have to complete. Transaction volume, by contrast, determines your merchant level, not your SAQ.
What might initially seem like a simple checklist of requirements can balloon into over 200 questions examining things like your networks, login systems, and data storage. Here are a few items from the full questionnaire for merchants who aren’t using a validated P2PE solution:
These questions are difficult and often time-consuming to address. If you choose to work with a Clover POS system, you get to bypass most of them. The P2PE-validated hardware Clover builds includes a separate secure processor for card data, so that even malware on the application side of the device cannot read it. Card data is encrypted from the moment it is captured until it reaches the payment gateway, and the decryption key never exists on the merchant's own systems. With this level of security built in, the PCI questionnaire merchants have to complete shrinks from 200+ questions to as few as 5. And with add-ons like Clover Security, you can access a team of people who will help you across the finish line to PCI compliance!
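The following is an added illustration of the P2PE property described above; it is example code written for this page, not Clover's implementation. A real terminal holds its key in tamper-responsive hardware, derives a unique key per transaction with DUKPT, and encrypts with TDES or AES; here those are replaced by an HMAC-SHA256 key derivation and an HMAC-based stream cipher so the example runs with only the Python standard library. The PAN, expiry, base key and key serial number (KSN) are constructed sample values (4111 1111 1111 1111 is a well-known test card number). What the example shows is the scope reduction: the merchant's POS application and network see only ciphertext, a masked PAN and a tag they cannot forge, while only the gateway can recover the card number.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample data (not real card or key material).
SAMPLE_PAN = "4111111111111111"      # passes the Luhn check
SAMPLE_EXPIRY = "1229"               # YYMM
GATEWAY_BASE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
SAMPLE_KSN = bytes.fromhex("ffff9876543210e00001")  # unique per transaction


def luhn_valid(pan: str) -> bool:
    """Luhn checksum used by card networks to catch mistyped PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS display rule: at most first six and last four digits shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _derive_keys(base_key: bytes, ksn: bytes) -> tuple[bytes, bytes]:
    # Simplified stand-in for DUKPT: one encryption and one MAC key per KSN.
    enc = hmac.new(base_key, b"enc" + ksn, hashlib.sha256).digest()
    mac = hmac.new(base_key, b"mac" + ksn, hashlib.sha256).digest()
    return enc, mac


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from HMAC-SHA256 (stand-in for AES/TDES).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def terminal_encrypt(pan: str, expiry: str, base_key: bytes, ksn: bytes) -> dict:
    """What the secure card reader emits: the merchant never sees the PAN."""
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    enc_key, mac_key = _derive_keys(base_key, ksn)
    plaintext = f"{pan}={expiry}".encode()
    nonce = secrets.token_bytes(12)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return {
        "ksn": ksn.hex(),
        "nonce": nonce.hex(),
        "ciphertext": ciphertext.hex(),
        "tag": tag.hex(),
        "masked_pan": mask_pan(pan),   # all the POS app needs for the receipt
    }


def plaintext_exposed(msg: dict, pan: str) -> bool:
    """Check the merchant-visible message (as it crosses the store network)."""
    return pan in json.dumps(msg)


def gateway_decrypt(msg: dict, base_key: bytes) -> tuple[str, str]:
    """Only the gateway holds base_key, so only it can recover the PAN."""
    ksn = bytes.fromhex(msg["ksn"])
    nonce = bytes.fromhex(msg["nonce"])
    ciphertext = bytes.fromhex(msg["ciphertext"])
    enc_key, mac_key = _derive_keys(base_key, ksn)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(msg["tag"])):
        raise ValueError("authentication tag mismatch: message altered or wrong key")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    pan, expiry = plaintext.decode().split("=")
    return pan, expiry


def tamper_detected(msg: dict, base_key: bytes) -> bool:
    """Flip one ciphertext bit in transit and confirm the gateway rejects it."""
    altered = dict(msg)
    ct = bytearray(bytes.fromhex(msg["ciphertext"]))
    ct[0] ^= 0x01
    altered["ciphertext"] = ct.hex()
    try:
        gateway_decrypt(altered, base_key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    msg = terminal_encrypt(SAMPLE_PAN, SAMPLE_EXPIRY, GATEWAY_BASE_KEY, SAMPLE_KSN)
    print("merchant sees:", json.dumps(msg, indent=2))
    print("PAN visible to merchant?", plaintext_exposed(msg, SAMPLE_PAN))
    print("gateway recovers:", gateway_decrypt(msg, GATEWAY_BASE_KEY))
    print("tampering detected?", tamper_detected(msg, GATEWAY_BASE_KEY))
```

The point a practitioner should take from this is why the SAQ shrinks: every system between the reader and the gateway handles only the `msg` dictionary, and because it cannot decrypt or forge it, those systems are largely out of PCI scope. The masked PAN is all that should ever be stored or printed on the merchant side.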
In addition to your annual SAQ, you may also have to pass 4 external vulnerability scans each year, one per quarter, run by an Approved Scanning Vendor against your Internet-facing systems. If you are PCI compliant, these automated scans will be a breeze. If you’ve cut a few corners thinking it will save you time or money, be prepared for an unnecessary headache.
If you use the services of Clover Security, you’ll get automated reminders to schedule and complete these scans as well as a guided questionnaire to complete your SAQ. That means you can spend more time running your business, and less time worrying about how to protect your payment data.
It’s possible to operate a business without being PCI compliant, but there are potentially serious consequences. If you either refuse to meet current standards or neglect maintaining compliance, you run the risk of being hacked, losing customers, incurring fines, and potentially losing the privilege of accepting credit cards at all.
There are many ways you can end up non-compliant. Here are just a few:
You may think small businesses don’t attract hackers the way larger corporations do. While the press usually only covers data breaches for major businesses, small merchants also run a high risk if they neglect compliance.
The numbers don’t lie: 43% of cyber attacks target small businesses*. Furthermore, 60% of small and medium businesses that suffered data breaches were out of business within 6 months†. Hackers know that the smaller the business, the less likely it is to have staff dedicated to security, leaving potential gaps for remote access, malware, or malicious code.
The routine penalties associated with PCI non-compliance are not exorbitant. Typical non-compliance fees are about $20 per month, although each processor and acquiring bank sets its own rates, and the card brands can levy far larger fines after a breach. These fees are just the tip of the iceberg when it comes to the costs.
If your small business is hacked, the average loss is calculated as high as $79,841‡. Can your business afford to have nearly $80K disappear overnight? That’s a whopping figure for most merchants, and explains why so many victims of hacking end up closing shop in less than half a year.
On top of that, non-compliance may result in credit card companies revoking your privileges. If you cannot accept credit cards, or develop a reputation for sub-standard security, it’s probably game over for your business.
Most small merchants open a business because they are passionate about their products and services. Chances are you aren’t also passionate about jumping through the hoops of PCI compliance. But now that you understand the value of compliance, where should you begin?
Merchants are placed into different compliance levels, defined by the card brands, based on the volume and type of transactions they process. Most small to medium businesses fall into Merchant Level 4: merchants processing fewer than 20K e-commerce transactions per year, and all other merchants processing up to 1M transactions per year. Your merchant level determines how you validate compliance (an SAQ rather than an on-site assessment), and how your payments system is configured determines which SAQ you will need to complete.
There was a time when a cash register and a product was all you needed to get a business launched. But if you are going to accept credit cards, you’ll need to partner with a credit card processor. Modern POS systems bundle processing together with other merchant services to make sure your business is set up for success.
With a POS system like Clover, you get a lot of compliance right out of the box. With PTS-approved equipment and P2PE encryption, you’ll have very little to manage to keep your PCI compliance in good standing. And if you partner with Clover Security, you’ll get automatic reminders, as well as support, to complete your scans and SAQs as needed.
Businesses of any size are at risk of hackers and data breaches that could ruin all you have worked for. PCI compliance can be complicated, but if you have the right partners for payments processing and work to keep your business compliant, you can rest easy knowing that you’re protected. Continue to educate yourself about evolving standards, and show your customers you care about their safety, too. You have a duty to protect your customers’ data, and Clover is here to help.