PCI compliance is essential to mitigating data breaches. Here's how to keep your business compliant and avoid hefty fines from the PCI Security Standards Council.
As a first-time small business owner, you may be unfamiliar with PCI compliance and its associated fees, which may appear unexpectedly on your monthly merchant account statement. PCI compliance involves adhering to the Payment Card Industry Data Security Standard (PCI DSS) established by the Payment Card Industry Security Standards Council (PCI SSC) to protect customer credit card information from cyber threats. This is a critical measure for preventing data breaches and ensuring customer trust.
Many small business owners underestimate the risk of cybercrime, believing their data isn’t worth stealing. However, non-compliance not only makes a business an easy target for cybercriminals but can also lead to significant fines (ranging from $5,000 to $500,000) from the PCI SSC if a data breach occurs. These fines, while initially levied on your bank, will ultimately be passed down to you, potentially alongside increased compliance requirements and costs.
Meeting PCI DSS standards is straightforward and cost-effective, being significantly less expensive than the potential fines and additional compliance burdens following a breach. This guide focuses on Level 4 requirements, which are most applicable to small businesses.
Which PCI Compliance Requirements Apply To Small Businesses?
The PCI SSC categorizes businesses into four levels based on transaction volume to streamline PCI compliance. Level 1, for the largest businesses, demands the strictest compliance, involving external audits, while Level 4, for the smallest businesses, has the simplest requirements. Small businesses fall into Level 4 if they process fewer than 20,000 eCommerce transactions or under 1,000,000 total transactions per year, reflecting the increased risk of online transactions.
Regardless of transaction volume, any business experiencing a data breach may be escalated to Level 1, facing stringent audits and compliance measures. This article focuses on Level 4 compliance, which will be relevant to most small businesses. For more detailed information on all levels, including Level 3 and above, please consult our comprehensive guide on determining your merchant risk level for PCI compliance.
Choose The Right Payment Processor To Simplify PCI Compliance
The payment processing industry has hundreds of providers, each offering different approaches to PCI compliance. While all provide some level of PCI compliance support, the specifics, such as data breach insurance, can vary. Some include it as a standard feature, while others may charge extra or not offer it at all.
PCI compliance fees also vary. Providers may charge them annually, quarterly, or monthly. Some companies may not charge them directly, instead recouping these costs through higher processing rates or monthly fees. For a detailed analysis, check out our in-depth article on PCI compliance fees.
When choosing a payment processor, thoroughly investigate their PCI compliance policies. This means reviewing contract documents and checking for disclosures on their website rather than relying on sales pitches. Essential services should include the following:
- PCI-compliant hardware and software
- Quarterly network scans with log access
- Assistance with filing the Self-Assessment Questionnaire (SAQ)
Desirable extras include data breach insurance (with at least $100,000 coverage) and security features like tokenization or encryption, which are now the industry standard. Remember, despite the level of support, ensuring your business’s PCI compliance ultimately falls to you, not the processor.
PCI Compliance For Brick & Mortar Businesses
Traditional retail merchants who don’t process any online sales may wonder what cybersecurity and PCI compliance have to do with them. However, most modern processing hardware now uses a payment gateway to send payment information to the processing networks over the internet, making PCI compliance just as important as it is for eCommerce businesses.
However, it’s generally much easier for a brick-and-mortar-only business to meet PCI compliance standards. Level 4 businesses simply need to complete a network vulnerability scan of their system, keep their Self-Assessment Questionnaire (SAQ) updated, and follow the best practices recommended by the PCI SSC to keep their accounts compliant and protected.
Network Vulnerability Scans
A network vulnerability scan checks your website and payment processing system for vulnerabilities, such as malware and viruses. The scan will also inspect every IP address that is reachable by the public from your site. Scans must be accomplished by an Approved Scanning Vendor (ASV) that’s been certified by the PCI SSC.
If you’re a Level 4 merchant, this scan is technically a one-time requirement. However, you’ll probably want to repeat it any time you make a significant change to your network configuration. If you’re in Level 3 or higher, vulnerability scans must be performed and documented quarterly.
Your merchant account provider will usually perform these scans for you as part of their PCI compliance services. However, it’s your responsibility to ensure that they’re actually being performed. You can also use the services of a third-party ASV to complete your scans. Hiring a third party will cost you extra, but it’s a good practice if your merchant account provider isn’t scanning your system for you.
Self-Assessment Questionnaire (SAQ)
The PCI SSC publishes a Self-Assessment Questionnaire (SAQ), which you must complete and file annually. This document allows you to determine your PCI compliance needs and offers information on the various best practices you should follow to protect your customers’ card data. Check out the PCI DSS Self-Assessment Questionnaire Instructions and Guidelines for more information.
Failure to keep the SAQ updated every year is the most common reason that businesses end up being assessed a PCI non-compliance fee by their processor. Completing the SAQ and keeping it updated is easy and straightforward, so there’s no excuse for not complying with this requirement.
PCI Compliance For eCommerce Businesses
If you run an online-only business, most of the PCI compliance requirements for retail businesses will also apply to you. While you won’t need to secure physical credit card terminals, maintaining an updated Self-Assessment Questionnaire (SAQ) and conducting regular network scans are crucial, especially since online businesses are inherently more vulnerable.
For new eCommerce ventures, prioritize PCI compliance when setting up payment processing. Directly accepting payments on your site involves handling sensitive credit card information, which poses significant PCI compliance challenges. Instead, consider using a secured payment gateway or a hosted payment page provided by most merchant account providers. This setup redirects customers to a secure page for payment, minimizing your compliance obligations and potentially reducing costs. However, it can also affect checkout flow, possibly leading to shopping cart abandonment by confused customers who don’t understand how it works.
Payment gateways with tokenization and encryption allow secure direct payments on your site without storing credit card data, enhancing security but at a higher cost. To facilitate repeat purchases without storing card information yourself, use a payment gateway featuring a customer information vault. This secures customer data on the provider’s server, easing repeat transactions. However, be sure to inquire about data migration policies in case you later decide to switch to a different gateway provider.
Don’t forget the importance of Secure Sockets Layer (SSL) certificates for encrypting website traffic and reassuring customers with a secure connection (indicated by “https://” in your site’s URL). SSL certificates are now standard, and sites without them are penalized by search engines like Google.
PCI Compliance For Mobile & Blended Businesses
For businesses that conduct both in-person and online sales, it’s crucial to manage PCI compliance with your merchant account provider’s help. Your provider should conduct network scans, remind you to update your SAQ, and supply PCI-compliant hardware and software. Understand what you’re getting for any PCI compliance fees charged. You should expect services like regular network scans, SAQ assistance, data breach insurance, and access to educational resources. Unfortunately, some providers may charge you a PCI compliance fee without offering substantial support.
For small businesses seeking a straightforward approach to PCI compliance, we highly recommend Square. Square provides PCI-compliant card readers and software without additional compliance fees. While you’ll still need to review PCI requirements, the primary task will be setting strong account passwords.
Best Practices For PCI Compliance
Below, we’ll outline eight of the most important practices your business should follow to maintain PCI DSS standards and protect your customers’ data. These practices are not the same as the 12 compliance requirements outlined in the PCI DSS Quick Reference Guide (QRG), but there is some overlap. Be sure to consult the QRG for further information when setting up a PCI compliance program for your business.
- Use only PCI-approved PIN Transaction Security (PTS) devices. PTS devices now include countertop terminals (including “smart” terminals), PIN pads, mobile card readers, and point-of-sale (POS) systems. A full list of approved PTS devices is on the Approved PTS Devices page of the PCI SSC’s website.
- Use only PCI-validated POS (point-of-sale) and payment gateway software. Just like your processing hardware, your software services have to be validated by the PCI SSC as being compliant.
- Don’t store any sensitive cardholder data. There’s no reason for you to have access to any of your customers’ card data. Modern payment processing systems use tokenization and encryption to protect this data when a sale is processed. Do not store this information digitally — either on your hard drive or your website’s server. This goes double for physically storing credit card information. Never write down a customer’s credit card number, expiration date, or CVV unless it’s absolutely necessary. If you do, be sure to follow additional PCI compliance requirements that apply to this type of information. Note that almost all modern payment gateways include a customer information vault feature that safely stores this information off of your website.
- Use a firewall on your network and computers. Just as you always use a firewall to protect your personal computer, you also need to use one to protect every device attached to your business network. Your merchant account provider can usually assist you with configuring this feature.
- Never use default passwords. It’s critically important that you replace the default passwords on your networked devices with the strongest ones possible. Applications such as 1Password and LastPass can help you generate extremely strong passwords. This may seem like an obvious step, but some huge data breaches have occurred in recent years because someone neglected to perform this simple step.
- Make sure your wireless router is password-protected and uses encryption. Set a strong password for the router itself and ensure that all available security and encryption features are enabled and properly configured.
- Regularly check terminals, PIN pads, and computers to ensure that no one has installed rogue software or “skimming” devices. If there’s any chance of your business being hacked by one of these methods, you’ll want to know about it as soon as possible. Network vulnerability scans are great for catching this kind of activity. Be sure to scan your system at least quarterly, regardless of your PCI compliance level.
- Educate your employees about security and protecting cardholder data. Learning all the best practices for PCI compliance won’t do you much good if you don’t pass that knowledge on to your employees. Have a program in place that teaches employees what they should and shouldn’t be doing when accepting payments from customers.
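As an added example that is not part of the original article, here is a small Python check in the spirit of the “don’t store any sensitive cardholder data” practice: it scans log or export text for Luhn-valid card numbers and stored CVV values, and masks any card number it finds down to the first six and last four digits. The sample log lines, the order and token identifiers in them, and the regular expressions are constructed for this example; the card numbers are well-known public test numbers.

```python
import re
from typing import List, Optional, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A CVV/CVC/CID value written next to its field name; this must never be stored.
CVV_FIELD = re.compile(r"\b(?:cvv2?|cvc|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)

def luhn_valid(digits: str) -> bool:
    """Mod-10 check that every branded card number passes; filters out order numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS permits to display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def _pan_or_none(match: "re.Match") -> Optional[str]:
    digits = re.sub(r"[ -]", "", match.group(0))
    return digits if luhn_valid(digits) else None

def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form; leave other digits alone."""
    def _sub(m: "re.Match") -> str:
        pan = _pan_or_none(m)
        return mask_pan(pan) if pan else m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)

def audit(text: str) -> List[Tuple[int, str]]:
    """Return (line number, finding) for every line that holds a PAN or a CVV value."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            pan = _pan_or_none(m)
            if pan:
                findings.append((n, f"PAN {mask_pan(pan)}"))
        if CVV_FIELD.search(line):
            findings.append((n, "CVV value stored"))
    return findings

# Constructed sample log; 4111 1111 1111 1111 is a public test number, not a real account.
SAMPLE_LOG = """\
2024-03-15 10:01:22 INFO order=A1001 amount=49.99 token=tok_7Hf3kQ9
2024-03-15 10:02:05 DEBUG raw request pan=4111 1111 1111 1111 exp=12/26 cvv=123
2024-03-15 10:03:40 INFO invoice ref 1234567890123456 printed
"""

if __name__ == "__main__":
    for line_no, finding in audit(SAMPLE_LOG):
        print(f"line {line_no}: {finding}")
    print(redact(SAMPLE_LOG))
```

Line 3 of the sample shows why the Luhn check matters: a 16-digit invoice reference is not a card number and is left untouched, while the debug line with a raw PAN and CVV is flagged twice.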
Final Thoughts On PCI Compliance
Navigating PCI compliance might seem overwhelming for new business owners, but it primarily involves straightforward precautions. While we encourage you to review official PCI SSC documents, the guidance in this article and resources from your payment processor are generally sufficient for most small businesses.
It’s crucial to understand that PCI compliance solely aims to secure customer credit card data; it doesn’t cover fraud prevention, which is a separate concern. Fortunately, with the rise of fraud, especially in card-not-present transactions, payment processors are enhancing their anti-fraud tools to help mitigate your risk.
Ensuring adherence to PCI compliance is vital for all businesses, as the costs associated with a data breach could be devastating. For further details, refer to our comprehensive guide on PCI DSS compliance. If you’re in search of a merchant account provider or considering a change, check out our recommendations for the best credit card processors for small businesses.