The payment card industry (PCI) comprises all companies involved with credit and debit card transactions. For commerce and retail — and any institutions that issue any type of credit, debit or prepaid card — complying with PCI regulations is essential. Payment Card Industry Data Security Standard (PCI DSS) rules apply to every business that accepts these forms of payment.
Even if your business employs only a few people and conducts one credit card transaction per month, your company must be PCI DSS compliant. Knowing what PCI compliance entails is central to your financial security and customer loyalty. Read ahead for a guide on PCI compliance and for answers to merchants’ most commonly asked questions about compliance for small businesses.
PCI compliance encompasses following the requirements set forth by the Payment Card Industry Security Standards Council (PCI SSC), the organization that sets all PCI regulations. Merchants must comply with these standards no matter how many credit card transactions they conduct.
However, this may be easier said than done. The Verizon 2023 Payment Security Report found that only 43 percent of companies maintain a sustainably compliant security environment. Those found not in compliance may be subject to hefty fines.
Every company that accepts credit and debit cards is required to follow PCI DSS, no matter its size (although the PCI SSC does provide help for small businesses). However, there are four levels of compliance. These levels determine the actions the organization must take to be compliant; the more transactions, the more actions necessary. These are the four levels and their requirements.
There are 12 requirements for meeting the PCI DSS:
Many high-profile data breaches have occurred through stolen credit and debit card information in the retail and service industries, so consumers want to know that they are doing business safely. PCI compliance doesn’t guarantee a data breach won’t happen, but it adds safeguards.
If your business is found to be noncompliant, you could face fees of $5,000 to $100,000 per month. If noncompliance persists, your business could be stripped of payment processing services.
PCI DSS compliance can help your business protect consumer data and help you avoid hefty, punishing fines resulting from noncompliance.
PCI compliance is nonnegotiable if you accept credit and debit cards, but preparing for a PCI audit and ensuring that your company meets credit card compliance standards can be daunting.
Jeff VanSickel, VP CyberGRC manager at The Bancorp, provided a few tips for preparing for a PCI assessment and keeping your standards at secure levels at all times:
PCI compliance involves properly tracking the right data and having an incident response plan in place, including security procedures to follow in the event of a breach.
PCI compliance — or, more officially, Payment Card Industry Data Security Standard (PCI DSS) compliance — is adherence to a set of standards established by the Payment Card Industry Security Standards Council. This coalition was formed by the major credit card companies (Visa, Mastercard, American Express and Discover) and the Japan Credit Bureau in 2006. Businesses that accept any amount of credit card payments may be fined if they don’t follow these standards.
The data that falls under PCI compliance encompasses what’s called “cardholder data,” which may include the following information:
You should routinely review your PCI compliance practices to ensure you’re meeting all requirements. Do this on at least a quarterly basis, perhaps with the help of professional PCI compliance auditors. After that, address any vulnerabilities you find.
While PCI compliance is a requirement for all companies processing credit card transactions, technically, it’s not mandated by federal law. The PCI DSS instead establishes and enforces compliance requirements. However, some states, such as Minnesota and Nevada, have enacted statutes mandating PCI compliance. Nevertheless, the PCI DSS is a powerful entity — it comprises all major credit card brands — so its rules are worth following.
For taking credit cards by phone, the following protocol should be observed:
Credit card companies can levy fees of several thousand dollars per month or more, without regard for the size of your business. These fees can be devastating for small businesses, which makes compliance essential.
You may experience nonfinancial penalties as well. For example, card issuers may choose to stop working with your business, which leaves you with fewer payment options to provide customers. Or you may face a public relations nightmare as more people learn about a security breach and are afraid to give your company their sensitive information. You may also be subject to federal auditing or legal action.
Your business can obtain PCI certification after a comprehensive PCI DSS audit. A qualified security assessor performs this audit, and the process can take months. While PCI certification is not required for your business to be PCI compliant, you may choose to undergo PCI certification to build trust with your customers.
The moment your customer hands over a credit or debit card, you become responsible for keeping the data associated with that card secure. While the above steps are primarily meant to prepare you for a PCI audit, they will also provide a safety net in between assessments.
If you run a business and plan to accept credit card payments, you should be familiar with PCI compliance requirements. Taking steps to comply with these standards and protect credit card information is key to avoiding large fines — but that’s not all. It’s also essential for your financial security, as well as your customers’.
Natalie Hamingson and Stella Morrison contributed to this article. Source interviews were conducted for a previous version of this article.