Thanks to online payment processing solutions like QuickBooks, it’s never been easier for SMBs to accept payment cards. But accepting debit/credit cards comes with its own set of best practices, regulations, and compliance responsibilities.
Among others, you must practice payment card industry (PCI) compliance.
PCI compliance, or payment card industry compliance, refers to a set of 12 security standards that all SMBs must use when accepting, transmitting, processing, and storing credit card data.
What is PCI Compliance
In 2004, the Payment Card Industry (Visa, MasterCard, American Express, and Discover) created an independent organization that manages PCI security standards. The enforcement of these standards falls to the card networks and payment processors.
PCI compliance refers to a data security standard, often written as PCI DSS. It is a global set of security standards for handling payment card data and helps companies keep the transfer and storage of client payments as safe as possible from hackers and other unauthorized access.
Although the foundational framework of PCI-DSS has remained the same since its inception, numerous incremental changes and improvements have occurred over time. The most recent version is PCI DSS 4.0. Version 4.0 was released in March 2022 and has an implementation deadline of March 31, 2024.
What Are the Requirements for PCI Compliance?
The PCI Security Standards Council has 12 requirements to guarantee PCI compliance:
-
Install and maintain a firewall.
-
Change vendor-supplied default passwords and other security settings.
-
Safeguard the credit card information you store.
-
Encrypt cardholder data.
-
Keep your (security) software up to date.
-
Develop security systems and processes and update them.
-
Restrict digital access to data about cardholders, even internally.
-
Assign unique access IDs.
-
Limit physical access to cardholder data, even among people on your team.
-
Monitor every time cardholder data or your network is accessed.
-
Have policies on information security.
-
Continuously test/audit your system security.
We use QuickBooks, so we’re all set. Right?
Unfortunately, no. While applications such as QuickBooks, Square, and Paypal are secure, other applications on your local computer/network can still compromise the security of your environment.
While using PCI-compliant payment applications is critical, it only means that pieces of the transaction processing chain are compliant. You still need to ensure that your firewall secures your online access, that the passwords you use are long and unique, that only authorized team members have access to your payment accounts, that you regularly update your browser, anti-virus, and other security software, etc.
What PCI Requirements Apply to My Business?
Every company that accepts credit and debit cards must follow PCI DSS, no matter the volume of transactions it processes or the business size (although the PCI SSC does help small businesses).
However, there are four levels of compliance, depending on the number of transactions your business processes annually. These levels determine what actions you must take to comply; the more transactions, the more necessary measures.
Use these five steps to help guide your business through the compliance process.
-
Determine your business’s relevant PCI compliance level by performing an audit to identify the cardholder data you are responsible for. This will help determine what actions you must take to become compliant.
-
Take stock of your IT assets and evaluate your processes for securing payment data. Scrutinize these aspects of your business operations for potential vulnerabilities that malicious actors could exploit to purloin cardholder data and note any compliance gaps. Any system that connects to the cardholder data environment is within the scope of compliance and, therefore, must meet PCI requirements.
-
Take steps to fill in gaps and eliminate vulnerabilities in your system.
-
Once you have a well-documented system that adequately addresses all 14 PCI DSS standards, you can complete a Self-Assessment Questionnaire (SAQ).
-
Ensure your compliance reports are submitted to the relevant banks or card brands you engage with (e.g., Visa, MasterCard, American Express, or Discover). This proactive step will prevent the accumulation of penalties or fees that could arise from failing to maintain PCI compliance.
It is important to note that only Level 1 merchants and service providers (processing more than 6 million transactions annually) must have their PCI compliance validated by a Qualified Security Assessor (QSA). All others can confirm compliance by performing a Self-Assessment Questionnaire (SAQ) before requesting an Attestation of Compliance (AOC).
What Are The Consequences Of Non-Compliance?
Although merchant PCI compliance is not determined or enforced by the government and can be a hassle to implement and maintain, compliance gives peace of mind. It is not just about following rules, but it actively helps protect your business from data breaches, violations, and (long-term) financial consequences.
Consider this:
Dealing with a data compromise is a time-consuming and expensive hassle from both a consumer’s and a business owner’s perspective.
Monthly penalties imposed by payment processors for non-compliance range from $5,000 per month to $100,000.
Banks can terminate your merchant account for coming short of PCI DSS, preventing you from taking card payments.
Regulatory bodies, payment card brands, and acquiring banks can impose substantial fines on non-compliant organizations.
Non-compliance and consequential data breaches can also lead to legal, financial, and reputational repercussions, as the fallout from a breach can damage customer trust, lead to customer attrition, and harm your brand’s reputation.
PCI DSS Compliance Takes Work.
Assessing the PCI components, documenting procedures, conducting ongoing risk assessments, addressing gaps, and performing SAQs is a massive undertaking. However, protecting cardholder data from fraud and building trust so your customers feel comfortable using their credit cards when doing business with you are worth the work it takes to be(come) compliant.
Thankfully, there is an alternative to the Do-It-Yourself (DIY) path – an option that keeps you safer while taking your compliance and data security problems off your plate. With PCI 4.0 knocking on the door, outsourcing PCI compliance to a compliance-savvy MSP like Meeting Tree Computer is a smart move. With our one-stop-shop data compliance management services, we take care of everything for you. You won’t have to worry about securing, updating, and maintaining anything, and performing a self-assessment questionnaire or hiring a security assessor will all be part of the plan allowing you to focus your time on developing your core business and growing your customer base.