If your business accepts credit card payments, you need to maintain PCI compliance—no matter how small your transaction volume is.
Despite the threat of PCI noncompliance fees, small businesses often make the mistake of assuming they don’t need to worry about data security because they won’t catch the attention of hackers. Media coverage of high-profile breaches like the ones that affected Target and Marriott might suggest that hackers prefer larger targets, but in fact, hackers frequently set their sights on small businesses. Vulnerable businesses require little effort to exploit, and the credit cards used to make purchases from small businesses are just as viable as those used to make purchases from larger ones.
What is PCI compliance?
A PCI-compliant business is one that adheres to the PCI DSS (Payment Card Industry Data Security Standard), a set of security requirements that applies to every organization that stores, processes, or transmits cardholder data. The standard is maintained by the PCI Security Standards Council, which was founded by the five major card brands (American Express, Discover, JCB, Mastercard, and Visa).
The PCI Security Standards Council created these requirements in order to “help ensure healthy and trustworthy payment card transactions for the hundreds of millions of people worldwide that use their cards every day.”
The card brands group merchants into levels based on the number of card transactions they process in a 12-month period, and each level carries a different validation burden. A Level 1 merchant, one that processes more than six million transactions annually, must undergo an annual on-site assessment by a Qualified Security Assessor (QSA) that produces a Report on Compliance, whereas a Level 4 merchant (fewer than 20,000 e-commerce transactions annually) validates through self-assessment. The levels differ in how compliance is proven, not in the underlying security requirements, and a small merchant is expected to:
- Complete the Self-Assessment Questionnaire (SAQ) that matches how it accepts cards every year
- Submit an Attestation of Compliance (AOC) form every year
- Have an Approved Scanning Vendor (ASV) scan its internet-facing systems every quarter, if its SAQ type calls for it (SAQ A-EP, B-IP, C, and D do; SAQ A and B do not)
Who charges PCI noncompliance fees?
If your business doesn't meet these requirements, you may find recurring PCI noncompliance fees on your monthly credit card processing statements. These typically range from $10 to $100 a month and are levied by your credit card processor as a means of incentivizing compliance, like a police officer issuing a ticket instead of making an arrest. For small businesses, though, these recurring wrist-slaps quickly add up.
The card brands themselves do not charge or regulate noncompliance fees. In the event of a breach, however, Visa and Mastercard may fine your acquiring bank for the PCI noncompliance, and the bank passes that fine on to you. These are hefty one-time charges designed to discourage future occurrences of noncompliance-related fraud. When you're likely already struggling to recoup losses and control damage, these charges can inflict the kind of insult to injury that spells disaster for your business. Even if you can afford to pay a penalty of up to $500,000, you may have your merchant account revoked and be denied the ability to process credit cards.
In the same way an at-fault accident increases insurance rates and liability, a data breach creates long-term repercussions by exposing your business’ vulnerabilities and undermining your trustworthiness as a merchant. Most organizations that experience these losses never fully recover. Knowing the fees you might face and the risk of fraud you’re running if you don’t take the necessary steps to achieve PCI compliance, why wouldn’t you choose to be compliant?
How does a business become PCI compliant?
At face value, the PCI compliance process seems complicated (but stay with us—it’s not as demanding as it looks!). There are 12 main requirements, grouped into six categories.
An internet search for the appropriate steps to take turns up lists like the following from CardFellow:
- Perform a risk assessment: Figure out what threats your organization faces, the vulnerabilities in your environment, the likelihood that threat events will occur, and the magnitude of impact should they happen.
- Determine your scope: Identify the people, processes, and technologies that interact with or could affect the security of cardholder data and create a flow diagram for all in-scope networks to help you properly understand the PCI scope of your environment.
- Segment your network: Physically or logically separate (for example, with firewall rules or VLANs enforced by access control lists) the systems that store, process, or transmit card data from those that don't. Segmentation that meets the PCI DSS definition can be difficult to get right, especially if you don't have a technical security background, so engage a security professional to double-check your work.
- Run regular vulnerability scans and penetration tests: Consistently check for security holes to find potential issues before they become bigger problems.
- Focus on employee training: Create tailored security training for individual employee roles and train your employees monthly instead of yearly.
- Document everything: Document policies and procedures, the results of a formal risk assessment, and whenever you make changes to your organization’s security. Review the documentation often to make sure it offers a clear, auditable trail.
- Work with a security professional: Always consult a security professional with any update to the PCI-DSS. If you’re a small business, you likely won’t need a PCI DSS audit, but you should still talk to a PCI professional to make sure you’re on the right path to PCI compliance.
When you’re busy running a business, additional tasks like creating flow diagrams and employee training programs can seem like an ineffective use of time and resources. But if you’re paying PCI noncompliance fees, you’re already unnecessarily losing resources—and putting your business in jeopardy.
Don’t go it alone
Fortunately, there's a simpler path through your PCI compliance headaches. Say goodbye to credit card processors that charge you noncompliance fees without helping you meet the standards. Instead, choose one that uses a cloud-based payment gateway with data security measures like tokenization, which stores a representative token in your system in place of the actual credit card number. You can still run credit card transactions, even recurring ones, using these tokens, but because the card number never enters or rests in your systems, most of your environment drops out of PCI scope (for many small merchants that means the short SAQ A rather than the full SAQ D) and your liability for lost card data shrinks accordingly. If your system is compromised, the tokens were created specifically for your account with your payment gateway and are unusable anywhere else.
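To make the tokenization idea concrete, here is a small Python model of how a gateway token vault behaves. This is an added example written for this page, not EBizCharge's or any real gateway's code; the vault, the merchant IDs, and the industry test card number 4111 1111 1111 1111 are constructed assumptions. It shows the three properties the paragraph relies on: the merchant never stores a card number, the token can be reused for recurring charges, and a token stolen from one merchant is worthless to anyone else.

```python
# Added example (not from the original page or from EBizCharge): a toy model of
# gateway tokenization. The gateway vault, the merchant IDs and the industry
# test card number 4111 1111 1111 1111 are constructed for illustration.
from __future__ import annotations

import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: rejects malformed card numbers before tokenizing."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class GatewayVault:
    """Stands in for the gateway: the only place a PAN is ever stored."""

    def __init__(self) -> None:
        # token -> (merchant_id, pan). Only the gateway can read this map.
        self._vault: dict[str, tuple[str, str]] = {}

    def tokenize(self, merchant_id: str, pan: str) -> dict:
        """Return the record a merchant is allowed to keep: token + last four."""
        if not luhn_ok(pan):
            raise ValueError("rejected: not a plausible card number")
        # Random, so the token reveals nothing about the PAN even if leaked.
        token = "tok_" + secrets.token_hex(16)
        self._vault[token] = (merchant_id, pan)
        return {"token": token, "last4": pan[-4:]}

    def charge(self, merchant_id: str, token: str, amount_cents: int) -> bool:
        """Charge via token. The token only works for the merchant it was issued to."""
        entry = self._vault.get(token)
        if entry is None or amount_cents <= 0:
            return False
        owner, _pan = entry
        if owner != merchant_id:
            # A token stolen from merchant A is useless at merchant B.
            return False
        return True


def scan_for_pans(records: dict) -> list[str]:
    """DLP-style check a merchant can run over its own customer store:
    returns any stored value that looks like a real card number."""
    found = []
    for record in records.values():
        for value in record.values():
            digits = str(value).replace(" ", "").replace("-", "")
            if len(digits) >= 13 and luhn_ok(digits):
                found.append(digits)
    return found


if __name__ == "__main__":
    gateway = GatewayVault()
    merchant_db = {}  # the merchant's own customer table (constructed)
    merchant_db["cust-42"] = gateway.tokenize("merchant-A", "4111111111111111")
    tok = merchant_db["cust-42"]["token"]
    print(merchant_db["cust-42"])
    print("recurring charge ok:", gateway.charge("merchant-A", tok, 1999))
    print("stolen token at other merchant:", gateway.charge("merchant-B", tok, 1999))
    print("card numbers sitting in merchant DB:", scan_for_pans(merchant_db))
```

The `scan_for_pans` check is the useful habit here: run something like it over your own databases, logs, and spreadsheets before you sign an SAQ A, because a single stray card number stored on your side pulls that system back into scope regardless of what the gateway does.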
Many credit card processors say they offer PCI compliance services, but some companies use this promise as an excuse for slipping extra fees into your monthly statements. Find a reputable processor that guarantees 100% PCI compliance by utilizing the latest in payment security and storing sensitive data off-site, like EBizCharge from Century Business Solutions. If the company says it provides security scans and/or insurance, make sure you’re getting your money’s worth. Otherwise, ask for the removal of those services.
Be proactive to protect what matters
Data breaches may seem like far-off threats, but don't be lulled into a false sense of security. Fraud creates a trickle-down effect with wide-ranging consequences. Customers whose card data is compromised face fraudulent charges, the hassle of replacing cards, and, where the stolen data feeds identity theft, lasting damage to their credit. Those customers won't choose to transact with your business again and may tell other people not to as well, which will decrease your business' sales volume and may force you to let employees go and, in the worst case, close up shop.
PCI compliance not only limits your liability and sharply reduces your risk of fines and fees, it also demonstrates your trustworthiness as a business and your commitment to earning your customers' respect. By maintaining PCI compliance, you support the greater community of both large and small businesses, and help ensure the continued health of your business.
Ready to set PCI compliance on cruise control? Find out how EBizCharge handles the heavy lifting so you can focus on what matters to you: establishing a business that will stand the test of time.