However, you still have to maintain and monitor the state of your business’s compliance and report back to your merchant services provider that compliance scans are taking place. In other words, even if you’re a small business, there is a lot to consider with PCI compliance, which is why most businesses end up offloading much of this work to third-party providers or MSPs to handle these issues.
Why PCI Compliance Matters

There are three primary reasons why PCI compliance matters to your business.
- If your business handles customer payment information either directly or indirectly, your business has an obligation to maintain compliance; avoiding compliance will inevitably lead to fines. For average small businesses, these monthly fines usually range between $29–99 per month, which may not sound like much, but it can add up quickly if not attended to. If your business experiences a data breach and you’re found to be non-compliant, however, the fees could escalate to anywhere between $5,000 to $100,000 per month. Regardless, these fees can all be avoided if you maintain compliance.
- Maintaining PCI compliance is a great way to keep your data security in check, which supports your ability to operate within laws surrounding data privacy, such as the General Data Protection Regulation (GDPR) or the Gramm-Leach-Bliley Act (GLBA).
- Your customer’s private payment data matters, and when you fail to maintain compliance, you’re putting their well-being at risk. Data breaches tend to be devastating for all parties involved, and it can take years for a company to repair reputational damage.
Understanding PCI SSC Data Security Standards

Here are the 12 requirements for PCI DSS compliance:
- Your organization must install and maintain a strong firewall to protect customer payment information.
- Don’t settle with vendor-provided default security for passwords and other security parameters. Instead, upgrade to something more secure. For instance, many standard pieces of hardware like routers ship with basic login details, such as the username and password both being “admin” for the sake of convenience when you’re first setting it up—make sure you always update such details to something more secure.
- If your company absolutely must store customer payment information on your own systems, take the necessary precautions to protect those storage systems.
- All incoming and outgoing transmissions involving cardholder data must be encrypted, especially when communicating in open or public networks.
- All antivirus software or programs must be kept up to date.
- If your company develops systems or applications that interact with customer payment information, you must make sure said systems and applications are properly secured.
- Only allow designated parties to access electronic personal payment data.
- Similarly to requirement 7, only designated parties should be granted access to physical personal payment data.
- Each person who has computer access should be assigned a unique ID.
- All access to personal payment information should be tracked and monitored.
- Your business should run regular tests on your security systems and procedures.
- Be sure to spread awareness/understanding of your information security policies as they relate to PCI DSS compliance. Having security policies isn’t enough—the information must be properly disseminated throughout the entire organization. A good practice is to challenge the strength of your policies annually and then revise them as necessary.
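The following is an added example, not code from the original article: a minimal pattern in Python that applies four of the requirements listed above at once, namely requirement 3 (store only what you must, here a masked PAN rather than the full number), requirement 7 (only designated roles may read it), requirement 8 (every person has a unique ID, so generic shared accounts are refused) and requirement 10 (every access attempt is logged). The role names, the shared-account list and the sample record are constructed assumptions for the example; the card number used is the common Visa test number, not real cardholder data.

```python
"""Added example (not from the original article): a small cardholder-data
store that keeps only a masked PAN, restricts reads to designated roles,
refuses shared account names, and logs every access attempt.
Role names, shared-ID list and sample data are constructed assumptions."""
import re
from datetime import datetime, timezone

# Roles designated to view cardholder data (assumption for this example).
DESIGNATED_ROLES = {"billing", "fraud-review"}
# Generic account names that violate the one-person-one-ID requirement.
SHARED_IDS = {"admin", "root", "shared", "guest"}


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (the portion PCI DSS
    permits to be displayed) and replace the rest with asterisks."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class CardRecord:
    """What gets stored: the masked PAN only. The full PAN is never kept."""

    def __init__(self, pan: str, customer: str):
        self.masked_pan = mask_pan(pan)
        self.customer = customer


class CardVault:
    def __init__(self):
        self.records: dict[str, CardRecord] = {}
        self.audit_log: list[dict] = []

    def store(self, record_id: str, pan: str, customer: str) -> None:
        # The full PAN is masked at the door and discarded.
        self.records[record_id] = CardRecord(pan, customer)

    def _log(self, user_id: str, role: str, record_id: str, outcome: str) -> None:
        # Requirement 10: every attempt, allowed or denied, is recorded.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user_id, "role": role,
            "record": record_id, "outcome": outcome,
        })

    def read(self, user_id: str, role: str, record_id: str) -> str:
        """Return the masked PAN for designated users; log every attempt."""
        if user_id.lower() in SHARED_IDS:          # requirement 8
            self._log(user_id, role, record_id, "denied-shared-id")
            raise PermissionError("shared accounts are not allowed")
        if role not in DESIGNATED_ROLES:           # requirement 7
            self._log(user_id, role, record_id, "denied-role")
            raise PermissionError(f"role {role!r} is not designated")
        self._log(user_id, role, record_id, "ok")
        return self.records[record_id].masked_pan


def demo() -> CardVault:
    """Store one constructed record and exercise an allowed read,
    a read by a non-designated role, and a read from a shared account."""
    vault = CardVault()
    vault.store("rec-1", "4111 1111 1111 1111", "Constructed Customer")  # Visa test PAN
    for user, role in [("alice", "billing"), ("bob", "marketing"), ("admin", "billing")]:
        try:
            print(user, "->", vault.read(user, role, "rec-1"))
        except PermissionError as err:
            print(user, "-> denied:", err)
    return vault


if __name__ == "__main__":
    for event in demo().audit_log:
        print(event)
```

The point of the design is that the full card number never reaches storage, so a compromise of the record store yields nothing a criminal can charge against, while the audit log gives requirement 10 something to monitor: a run of `denied-role` or `denied-shared-id` entries from one account is exactly the kind of signal a reviewer should see.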
PCI Compliance Levels

There are four levels of PCI compliance, and which level your business resides in is determined by the volume of credit card transactions per year.
- Level 1 — Your business processes over 6 million Visa and/or Mastercard transactions every year. Obviously, this is quite a bit of data to store, and the repercussions of a breach could be severe, so it’s best to have secure storage for this data and have it backed up. At this level, it’d be worth considering next-generation firewall security.
- Level 2 — Your business processes between 1 million and 6 million Visa and/or Mastercard transactions every year. Although your business is handling less data than at level 1, you should still keep a backup in case a disruptive event were to occur and threaten the data security of your organization.
- Level 3 — Your business processes between 20 thousand and 1 million Visa and/or Mastercard transactions every year. While we still recommend your business keep backups to protect cardholder information, your data storage needs will be less pronounced than in the former two tiers.
- Level 4 — Your business processes fewer than 20 thousand Visa or Mastercard e-commerce transactions per year, or up to 1 million total credit card transactions per year with either brand, and has not suffered a breach that compromised cardholder data.
Securing Customer Emails

Email is, by its very nature, insecure. As we’ve mentioned in our article on email security, you should never send sensitive information, such as cardholder data, through email in an unencrypted state. Instead of communicating sensitive cardholder data to your customers over email, we recommend using a secure payment platform that can store card data in a secure and PCI-compliant manner.
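One practical control behind the advice above is to check outbound mail for card numbers before it leaves. The following is an added example in Python, not code from the original article: it finds 13 to 19 digit runs (with optional spaces or dashes) in a message body and keeps only those that pass the Luhn checksum, which removes most order numbers and phone numbers from the hits. The sample messages are constructed, and the card number in them is the common Visa test number.

```python
"""Added example (not from the original article): flag card numbers in an
outbound email body using a digit-run pattern plus the Luhn checksum.
The sample messages below are constructed for the example."""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes.
CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: from the right, double every second digit, subtract 9
    from any doubled value above 9, and require the sum to end in 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return masked forms (first six, last four) of every Luhn-valid
    13-19 digit run found in text. The full number is never returned."""
    found = []
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return found


def email_is_safe(body: str) -> bool:
    """True when no card number was detected in the body."""
    return not find_pans(body)


# Constructed sample messages.
SAFE_BODY = "Hi, your order #100234 shipped today. Call 555-0100 with questions."
UNSAFE_BODY = "Please charge 4111 1111 1111 1111 for the remaining balance."

if __name__ == "__main__":
    for body in (SAFE_BODY, UNSAFE_BODY):
        print("safe" if email_is_safe(body) else f"BLOCK: {find_pans(body)}")
```

A check like this belongs at the point where the message is composed or handed to the mail relay, so the sender is told to use the payment platform instead; note that the finding itself is stored masked, so the scanner does not become a second place where full card numbers accumulate.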
What if You’re Found to be Out of Compliance?

Obviously, one of the most significant consequences of being out of compliance is the fines, which start at around $10/month and can go up to $100,000 per month until your organization becomes compliant. A less obvious problem is that if your business is out of compliance, your company is probably lacking key infrastructure and information security programs that aren’t only useful for compliance but also for protecting your organization in general.
What Happens if Data Security is Breached?

If your data security is breached, the damage could be severe. The criminals who broke through your data security will have access to your customers’ private payment information, thus exposing them to credit card fraud. If the criminals managed to breach your security, there’s little reason to believe they’d stop their looting at cardholder data, especially if your business handles other proprietary information that could be valuable. In other words: a breach puts your entire organization’s data at risk.

When you report the breach, you will need to:
- Describe the nature of the personal data that was breached and how many people it affected. Be sure to include the type of personal data records that were compromised.
- Submit the name and contact information of your data protection officer. If your company does not have one, provide an alternative contact point where the relevant information can be acquired.
- Describe the probable impact and consequences of the data breach.
- Describe the measures your company took or proposed to take to handle the breach, the details of which you should be able to acquire from your business continuity and data recovery (BCDR) plan.
How to Achieve & Maintain PCI Compliance

When it comes to achieving and maintaining PCI compliance, the first step is to find a reputable payment provider to work with. There is a variety to choose from, but three of the most well-known companies include Stripe, PayPal, and Duo. Unless you intend to handle the annual system scanning and security questionnaires internally, the next step is to find a third-party company like SecurityMetrics or an MSP to handle those tasks for you. And finally, make sure you properly train your staff on compliance protocols and assign access to private cardholder data only to designated parties.
Following Compliance Supports Data Security

Working to maintain PCI compliance will help enhance your business’s security practices all around, especially if you’re working from an office or have a website. Even if your company doesn’t have private cardholder data to keep secure, conducting regular scans of your systems and website will help set the tone for how your organization protects your critical data.
- What is PCI Compliance? — PCI compliance relates to the standards and requirements created to keep private cardholder data handled by the credit card industry and relevant businesses uniform and secure.
- Why Does PCI Compliance Matter? — It matters because if your business is found to be out of compliance, you will incur fines. Avoiding compliance also puts your customers at risk of credit card fraud. Being outside of compliance also runs the risk of your business losing its merchant services privileges.
- Following PCI Compliance Security Requirements — The PCI Security standards should be followed not only to maintain compliance but also to help keep your company’s data security systems and protocols up to date and top of mind.
- PCI Compliance Levels — There are four levels of PCI Compliance:
  - Level 1 — Your business processes over 6 million Visa and/or Mastercard transactions every year.
  - Level 2 — Your business processes between 1 million and 6 million Visa and/or Mastercard transactions every year.
  - Level 3 — Your business processes between 20 thousand and 1 million Visa and/or Mastercard transactions every year.
  - Level 4 — Your business processes fewer than 20 thousand Visa and/or Mastercard transactions every year.
- Securing Customer Emails — Communicating sensitive cardholder data over email is never advisable. Instead, it’s better to communicate via a more secure channel.
- What if Your Company Doesn’t Maintain PCI Compliance? — If your company doesn’t maintain PCI compliance, you may be fined between $10 to $100,000 per month, depending on the size of your business. You’ll also have to pay for qualified security assessments to get back into compliance.
- What Happens When Data Security is Breached? — If your security is breached, your company will have to release a report on the event within 72 hours. Your company will also have to deal with the loss of confidence from your customers and the damage to your reputation.
- Implementing and Maintaining PCI Compliance — The first step is to find a reputable payment provider to work with. The second step is to find someone to handle your regular security scans and questionnaires, which could be the payment provider you go with, a third party, or an MSP. Lastly, make sure your staff understands the protocols and procedures around maintaining PCI compliance.