Any business that accepts card payments is at risk of losing credit and debit card data. Following the PCI DSS is the most direct way to protect your customers’ card data, and it helps you avoid the fines and penalties that the card brands and acquiring banks impose on merchants that breach payment card industry (PCI) rules.
The Payment Card Industry Data Security Standard (PCI DSS) sets out the controls that merchants who accept card payments must implement to secure cardholder data. Its requirements aim to reduce the risk of credit and debit card data loss. The PCI Security Standards Council, which maintains the standard, also publishes guidance on how breaches can be detected and prevented, and on how merchants should respond when a breach does occur.
What PCI Compliance Levels Apply to Your Business?
If your company accepts debit or credit cards, PCI compliance is mandatory regardless of the scale of your operations. Even if you process fewer than ten card transactions a year, you must comply with all applicable PCI DSS requirements. Working out which compliance level applies to you can be tricky: the levels are defined by each card brand (the figures below are Visa’s) and assigned by your acquiring bank, and the first thing you need to know is how many debit and credit card transactions your company handles every year.
If your company processes more than six million Visa transactions annually, you are a Level 1 merchant. This means you must undergo a full on-site PCI assessment every year, which produces a Report on Compliance (ROC), as well as quarterly network scans. Level 2 merchants, who handle 1 to 6 million Visa transactions a year, complete a PCI self-assessment annually instead. The same applies to Level 3 merchants, who process 20,000 to 1 million Visa e-commerce transactions a year. Level 2 and Level 3 merchants are also required to have network security scans run every quarter.
Level 4 covers small businesses that process fewer than 20,000 Visa e-commerce transactions, or up to one million Visa transactions in total, each year. These businesses fill out a self-assessment questionnaire (SAQ) and complete an attestation of compliance (AOC) form every year, and, where applicable, have a quarterly network scan performed by an approved scanning vendor (ASV). Whatever your level, your acquirer decides which SAQ you must complete and when, so confirm the level and the forms with them rather than assuming.
Requirements for PCI Compliance
To be considered PCI compliant, you must meet at least the following criteria. They summarise the twelve PCI DSS requirements for a small merchant; the full standard still applies to every system that stores, processes or transmits card data.
- The PIN pads and card terminals you use must run current firmware and be PCI-approved devices (listed under the PCI PIN Transaction Security, or PTS, program).
- Do not store cardholder data you do not need, whether that means saving it on a computer, pasting it into an e-mail or jotting card numbers on a note pad. PCI DSS forbids keeping sensitive authentication data (full magnetic stripe or chip data, the CVV2/CVC2 code and the PIN) after authorization at all, and any primary account number (PAN) you do retain must be rendered unreadable, for example by truncation, tokenization or strong encryption. A PCI-approved terminal is built not to retain this data, but that covers only the terminal: a card number copied into your own spreadsheets, tickets or call notes is still your problem.
- Use strong passwords. Change every vendor default password immediately, give each employee their own account, and require staff to change passwords regularly. Your wireless router must be protected with a strong passphrase and current encryption (WPA2 or WPA3, never WEP), and its default administrator password must be changed too.
- Train employees on the aspects of PCI compliance that touch their jobs, and repeat the training at least once a year.
- The payment gateway and point-of-sale (POS) software you use should be validated and PCI compliant. The PCI SSC publishes lists of validated payment software, and your processor or acquirer can confirm the status of a gateway.
- Inspect PIN pads and other PIN-entry devices regularly, and keep an inventory of their serial numbers and locations, so that skimmers, overlays or swapped devices are noticed quickly. Computers that handle card data also need anti-malware protection and regular checks for unauthorized or rogue software.
- Install firewalls on all your computers as well as at the boundary of your internal network, and confirm that the host firewall built into each computer’s operating system is switched on. Keep the network that carries card data separate from guest Wi-Fi and general office traffic.
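The "do not store cardholder data" requirement is the one most often broken by accident, because a card number ends up in a notes file, a ticket or a log rather than in the payment system. The script below is an added example, not part of the original article or of any PCI SSC tool: a small cardholder-data discovery check that scans text for candidate card numbers (13 to 19 digits, with optional spaces or dashes), filters them with the Luhn check digit that all major card brands use, and reports each hit with the PAN masked to its first six and last four digits. The sample notes it scans are constructed for the example; the function names are my own.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits (so a 20-digit ID is ignored).
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check digit test used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:           # 10..18 collapse to a single digit
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS lets you display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return (offset, masked_pan) for every Luhn-valid candidate in text."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append((m.start(), mask_pan(digits)))
    return hits


def scan_lines(lines) -> list:
    """Scan an iterable of text lines; return (line_number, masked_pan) hits."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for _, masked in find_pans(line):
            findings.append((n, masked))
    return findings


# Constructed sample: the kind of back-office notes file that should never hold a PAN.
# The card numbers are published test numbers, not real accounts.
SAMPLE_NOTES = [
    "2024-03-02 order 1234567890 phone 555-0100 ok",                    # no PAN
    "customer asked us to keep card on file: 4111 1111 1111 1111 exp 12/26",
    "refund to 5555-5555-5555-4444 approved by manager",
    "ticket ref 4111111111111112 (typo, not a real card)",               # fails Luhn
]

if __name__ == "__main__":
    for line_no, masked in scan_lines(SAMPLE_NOTES):
        print(f"line {line_no}: possible PAN {masked}")
```

Run it over exported tickets, shared drives and application logs as part of the self-assessment; every hit is either data that must be deleted or a place that must be pulled into scope and protected. The Luhn filter removes most order numbers and phone numbers, but it is a screen, not proof: a number that passes Luhn still needs a human to confirm it is a card, and a real discovery tool would also look inside archives, databases and e-mail stores.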
What is the Cost of PCI Compliance?
Becoming PCI compliant costs money, which is why some business owners see the process as an unnecessary expense to be avoided. Nonetheless, PCI compliance has long-term benefits: it demonstrates your commitment to keeping clients’ data secure and private, and it lowers the chance that you will be the one paying for a breach.
The cost of PCI compliance depends on your classification level. For instance, Level 4 merchants who handle few transactions annually can pay as little as $60 a month. Apart from the merchant level, the cost is driven by your software and hardware, the vulnerabilities that scans and assessments turn up, and how often you need to scan.
If your business is at Level 3, your PCI compliance cost may rise to $1,200 annually. Level 2 businesses may need to cough up between $10,000 and $50,000 a year, depending on the size of their network and the number of IP addresses in scope. Companies at Level 1 can expect to spend at least $50,000 every year on the on-site audit of their systems.
When you factor in the fines and penalties you are likely to incur for non-compliance, PCI compliance costs look quite low. Businesses that fail to comply with PCI DSS can be fined anything from $5,000 to $50,000, not counting legal expenses in the event of a lawsuit or the cost of a forensic investigation after a breach.
PCI compliance is not something you can ignore. Work closely with your payment processor and acquiring bank to stay compliant, and keep abreast of changes to the standard and to the laws and regulations that apply to you. Treat the annual self-assessment as a genuine review rather than a form-filling exercise: it is where you find and fix the loopholes in your payment environment.