What Is PCI Compliance? Retail & Restaurant Guide

PCI is a shortened version of the acronym PCI-DSS and is most commonly used when discussing Payment Card Industry-Data Security Standard compliance. The governing body for all PCI-related matters is the Payment Card Industry Security Standards Council which aims to protect sensitive credit card data.

Any organization or seller, regardless of size, that accepts, stores, processes, and transmits cardholder data during a credit card transaction must follow the most recent version of the PCI-DSS rules.

The five major credit card companies (American Express, Discover Financial Services, JCB International, Mastercard, and Visa, Inc.) make up the Executive Committee.

Other large brands like Square, one of the largest payment services providers, sit on the board and contribute to the council in a consulting role to help formulate policy pertaining to new technology and updating best practices.

Because of the constantly evolving risks, new policies are always being implemented. As PCI security standards evolve, so must merchants and their best practices.

PCI scope defines the people, processes, and technologies that interact with or could otherwise impact the security of the cardholder data, according to the PCI SSC.

Any of your equipment, software, or hardware that processes, stores, or transmits cardholder data is considered “in scope” and must be PCI compliant.

Some credit card processors take care of PCI compliance for you, which can reduce your PCI scope and what you personally have to due in order to remain PCI compliant. We’ll talk more about payment service providers (PSPs) and how they limit your PCI scope later on.

Payment methods you accept may also increase or decrease your scope. If you store credit card data on your servers to use for recurring billing, your scope is going to be greater than if your customer used a digit wallet for in-person purchases. This is because you have to make sure that you are storing the card data safely, but when you accept a digital wallet payment from Google Pay or Apple Pay, your business doesn’t come into contact with any credit card data directly through a process called credit card tokenization.

eCommerce businesses can reduce the scope of their PCI compliance requirements by using a hosted payment page offered by their provider rather than having customers check out directly through their business’s websites.

Merchant risk levels determine what kind of tasks you’re going to have to complete in order to maintain PCI compliance as a business. Risk levels are defined by the number of transactions your business processes annually and don’t factor in your overall processing volume.

The merchant risk levels are defined as:

• Level 1: companies that process over 6 million credit card transactions per year, or companies that experienced a breach resulting in data loss within the last year
• Level 2: companies that process 1-6 million credit card transactions per year
• Level 3: companies that process 20,000-1 million credit card transactions per year
• Level 4: companies that process fewer than 20,000 credit card transactions per year

As a small business owner, your business is most likely going to be considered a level 4. It’s important to note that if you’ve ever suffered a data breach, you will be escalated to a higher merchant level to reflect that added risk.

Best practices you need to do on your own include:

• Maintain A Secure Network: Make sure your firewall is properly configured and up-to-date, never use default/duplicate passwords, use anti-virus software and keep it updated, track and monitor access points to your network by testing your networks, and maintain and follow information security policies.
• Protect Cardholder Data: Use encryption or tokenization for all transactions (or find a Payment Service Provider that does this for you), used a hosted payment page, and only store payment/card information in a secure and up-to-date program.
• Implement Strong Access Measures: Create unique IDs for all employees, only issue them on a need-to-know basis, and keep a record of permissions issued. Consider changing shared passwords after an employee leaves the business.

To learn more about the actionable steps to take for PCI compliance, read our complete guide to PCI-DSS compliance.

Another easy way to ensure PCI compliance is to use a PSP like Square or PayPal, which will handle almost all compliance requirements for you. They will also complete security scans on your account as needed and should also be able to assist you in completing and filing SAQs when required.

If you have a storefront, you’ll need to consider both the software and the hardware you use to process payments. Any equipment that touches credit card information will need to be PCI compliant, but you need to consider the end-to-end security of every transaction.

Tokenization is the current “gold standard” in easily adoptable security features, reducing the scope of PCI compliance requirements by keeping credit card data off the merchant’s website or processing hardware entirely. Mobile wallets that rely on NFC technology tokenize data before passing it to the payment processing network. Almost all payment processors in the industry today offer tokenization, and most include it as a standard feature.

Securing your Wi-Fi networks and following general network security practices are critical to maintaining PCI compliance over the long term. It’s also worth mentioning again that if your staff ever takes an order over the phone or remotely, never write the numbers down or store them with unsecured software. Advise your team to always record the credit card number directly into the payment software at the virtual terminal — not on a pad of paper, in a word processing document, or anything else.

Whether your business is eCommerce-only or you just have an online sales channel, your PCI compliance requirements will depend primarily on whether or not any cardholder data passes through your servers or goes into your site during the checkout process. If any data does pass through your website or server during checkout, your PCI scope increases, and you have more of an obligation.

To reduce your PCI compliance obligations, you can choose a merchant services provider that offers a hosted checkout page. This option simplifies PCI compliance but requires customers to (temporarily) leave your site to complete the checkout process. Hosted payment pages are popular with small eCommerce businesses that often don’t have the resources to tackle the additional PCI compliance burden that comes with a fully self-hosted website.

If you want to safely store your returning customers’ credit card information, so they don’t need to type it in every time they place an order, you’ll need to have a PCI-compliant vault. Today, most of the leading POS systems on the market offer this service as a standard feature.

You can also accept payments using invoices. If you send an invoice through a PCI-compliant payment processor, the provider can generate a “pay now” link for you. Your customer then completes the transaction via a secure domain, requiring no extra work on your part. You don’t need a website of your own because the invoice software links to a site hosted by your payment processor.

You may be happy to know that many mobile point-of-sale (mPOS) apps are automatically PCI compliant, so you don’t need to jump through any additional hoops to take payments! The best mobile POS payment apps work by encrypting the card data as soon as the card is inserted, tapped, or swiped, so the payment data never touches your phone or device. It’s all routed through a secure network maintained by the processor offsite.