If you’re running a business, your customers want you to take credit cards.
That means you have to keep their credit card and personal information safe. Following small business PCI compliance standards is the best way to protect your customer data and avoid any fees associated with PCI compliance violations.
Security, compliance, credit card fraud—this is the part of your retail business that is about as fun as cold water, but if you want to accept credit cards as a payment method, you need to be PCI compliant.
So, what is PCI compliance? Why is it important? And how can you make sure you’re processing credit card transactions and collecting payment data securely? This guide will walk you through the basics of PCI compliance so that you have a clear understanding of what it is, how to become PCI compliant, the importance of compliance and the consequences of non-compliance.
- What is PCI compliance?
- Does my business need to be PCI compliant?
- Which PCI level applies to my business?
- What are PCI requirements?
- How to become PCI compliant
- Why does PCI DSS and security matter?
- What happens if my business is not PCI compliant?
- How can my business meet PCI standards?
Everything you need to know about payment service providers
Spot hidden fees, negotiate the best rate and more.
What is PCI compliance?
By definition, PCI (short for PCI DSS) compliance, stands for Payment Card Industry Data Security Standard. It is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment to protect both the consumer and the merchant.
When you take a customer’s credit card, you receive a great deal of sensitive data. The PCI SSC (Payment Card Industry Security Standard Council) was founded by major card brands (like AMEX, MasterCard, Visa, JCB and Discover) to develop and manage security in the payment card industry.
The PCI DSS outlines minimum requirements for:
- Policies and procedures
- Security management
- Network architecture
- Software devices
- Other critical protective measures
Does my business need to be PCI compliant?
Yes. Any merchant, regardless of volume or size of business, who accepts credit cards as a form of payment or processes, transmits or stores cardholder data must comply with all aspects of the PCI DSS standards.
If you accept credit or debit cards, PCI compliance is a must regardless of the size of your business. You must comply with all applicable standards, whether you process one or one million transactions per year.
If your business has multiple locations with separate tax ID numbers, you’ll need to validate PCI compliance at each individual location. If all of your locations operate under one tax ID, typically you are only required to validate PCI compliance annually for all locations. When applicable, you may also need to pass network scans for each location on a quarterly basis.
Did you know? With Lightspeed Payments, we provide hardware and software that is automatically PCI compliant and up-to-date with current standards.
Which PCI level applies to my business?
For merchants, determining the level of PCI compliance required can be tricky and often depends on how many payment card transactions you handle each year, as well as the credit issuer.
Level 1
- Any merchant processing more than six million MasterCard or Visa transactions per year, regardless of channel
- A merchant who has been a victim of a hack that resulted in data compromise
- Any merchant determined as level 1 by a card brand
Level 2
- Any merchant processing one to six million MasterCard or Visa transactions per year
Level 3
- Any merchant processing 20 thousand to one million MasterCard or Visa eCommerce transactions
Level 4
- Any merchant regardless of acceptance channel (card present, card-not-present, etc.)
If your business falls within any of these four levels, we recommend you contact the PCI council to validate your compliance.
To stay up to date on PCI compliance information for individual credit issuers, click on the appropriate payment card brand below:
What are PCI requirements?
The requirements you must meet for PCI compliance include the following.
Your point of sale must be up to date
You must use credit card terminals and PIN pads that are current and compliant with PCI Data Security Standard (DSS).
Your point of sale (POS) and payment gateway software must be PCI-compliant and validated.
Your wireless router must be encrypted and password protected.
You must check your PIN pads and any other PIN entry devices to make sure that skimmers haven’t been installed. Skimmers are devices that criminals attach to PIN pads to capture credit card information when a card is swiped or entered, and they can take many forms. Also, check your computers for any rogue software or executable files.
You must not store any cardholder data in any way
This includes everything from storing it on a computer to jotting down a credit card number on a scrap of paper. If your credit card terminal and PIN pad are PCI-compliant, they are programmed to make sure you remain compliant with this requirement automatically.
You must use strong passwords
To do this, you should change any default passwords immediately and require your staff to change passwords on a regular basis. Consider using a password generator to create strong passwords.
You must train your employees about PCI compliance
There are online courses and videos to help you.
You must install firewalls on your computers and your internal network
Your computer’s operating system probably already has a firewall as part of its security software, but check to make sure it’s operating properly.
How to become PCI compliant
Now that we’ve covered the ins and outs of PCI compliance, let’s combine everything we’ve learned so you can get a clear picture of how to ensure you’re up to standard.
In order to meet the PCI requirements, each merchant has to go through a series of steps.
Make sure to always keep all validation documentation readily available.
Depending on a merchant’s classification or risk level (determined by the individual payment card brands or your PCI level) here are some handy terms to understand:
- PCI DSS Scoping: Determining which system components and networks are in scope for PCI DSS for your business.
- Assessment: Examining the compliance of system components in scope following the testing procedures for each PCI DSS requirement.
- Reporting: The assessor or entity submits required documentation, like the Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC), including documentation of all compensating controls.
- Clarifications: The assessor or entity clarifies or updates report statements (if applicable) upon request of the acquiring bank or payment card brand.
1. Determine your PCI level
What level does your business fall under? This is your first step. Ensure that you’re classified correctly before you go any further.
Compliance validation for merchants from level 2, 3 and 4 is completed via a yearly Self-Assessment Questionnaire (SAQ—more on that later). If applicable, quarterly network vulnerability scans may also be conducted by an approved scanning vendor (ASV).
Level 1 merchants must undergo a more rigorous compliance validation, while Levels 2, 3 and 4 merchants do not need to undergo external validation and are at the discretion of the acquiring bank.
To stay up to date on PCI compliance information for individual credit issuers, click on the appropriate payment card brand below:
2. Create and maintain a secure network
Now’s the time to create a secure environment to prevent data breaches. This includes installing firewalls and antivirus software on your computer network and using a private internet connection that’s password protected.
3. Protect and encrypt cardholder data
That means you can’t store credit card information and other personal data in any way, shape or form—whether that’s written or in your computer. The payment processor you use will typically use terminals that are PCI compliant, meaning you don’t have to program the terminals yourself to ensure that they aren’t storing any cardholder information.
Cardholder data must be encrypted. That’s a form of protection that “scrambles” information so the data can’t be viewed by just anyone. The PCI SSC recommends using cryptography and security protocols including TLS, SSH or IPSec to protect cardholder information.
4. Put a vulnerability management program in place
Maintaining PCI compliance standards means you have to be proactive, not reactive. That means employing methods of security management.
Vulnerability management programs periodically and automatically scan your network and operating systems for breaches and cyberattacks. These programs use a variety of measures—including patch management, vulnerability scanning and configuration management—to help protect data, detect weaknesses and prevent future attacks.
This is an important ongoing solution that any good business will employ to ensure that cardholder data remains safe from any security breaches.
5. Use access control measures
Restrict access to any confidential payment data to select trustworthy users. Use authentication methods such as multi-factor authentication (MFA), unique usernames and passwords, pins and security tokens to minimize the risk of a breach or unauthorized login.
6. Implement a diligent information security policy
There are a few steps you have to take to keep up your accordance with PCI standards.
PCI DSS Self-Assessment Questionnaires (SAQs)
First, the PCI SSC mandates that business owners complete an annual PCI DSS Self-Assessment Questionnaire. There are a few different types depending on your level. To ensure you’re completing the right one, read through the eligibility criteria on each questionnaire carefully.
The purpose of this questionnaire is a self-evaluation to validate that you’re up to PCI standards. According to the PCI SSC, merchants should consult with their payment processor to confirm which questionnaire to complete (and whether they’re eligible). For larger merchants, a third-party audit may be required in place of a SAQ.
Vulnerability scanning and penetration testing
The PCI SSC asks merchants to complete internal and external vulnerability scans at least quarterly and always after any major network change. A qualified professional must complete the scan, and afterward any detected vulnerabilities must be addressed. You can read more about these scans in this PCI program guide.
Unlike vulnerability scans, penetration testing must be performed annually. These tests determine how malicious actors could gain access to valuable information and security assets. There are three different assessment types: white-box, gray-box and black-box. Find more information about these tests here.
Remediate any identified vulnerabilities
After scanning and testing, immediately address any detected vulnerabilities. The nature of taking card payments is highly sensitive, meaning any and all issues have to be handled right away.
These potential vulnerabilities could put cardholder data at risk. If unauthorized access occurs, you’re on the hook for any breaches or leaks, especially if you haven’t made any immediate action to address these issues. Depending on the nature of the vulnerability, it’s a good idea to consult a qualified security professional, as well as the PCI SSC, to decide the best course of action.
Document and submit compliance reports to your acquiring bank
Keep detailed records of the entire process, from the start of the assessment to any required remediation. These reports must be submitted to any card networks you have a relationship as well as your acquiring bank.
You can find a detailed overview of the requirements for the PCI DSS Report on Compliance on their website.
Why does PCI DSS and security matter?
Have you ever had your personal credit card defrauded? PCI standards are designed to help protect all participants in the card ecosystem from this very problem.
When theft or a breach of cardholder data occurs, cardholders lose trust in their financial institutions as well as the merchants with whom they do business. There is also the possibility of a large negative financial impact for you and your customers.
What happens if my business is not PCI compliant?
Failure to comply with the PCI DSS regulations can result in penalties and fees.
Non-compliance penalties, which payment brands can adjust at their discretion, range from $10,000 to $50,000 in fines. You may also lose your right to process credit card transactions.
In the event of a breach or hack, the merchant may be subject to the following:
- Fines from the card associations
- Forensic investigation
- Issuing banks may recoup reissuing costs form the merchant (including possible fraud loss and fraud monitoring expenses)
- Litigation
- Government fines
- Damage to your brand and reputation
Establishing a PCI compliance plan and updating it regularly can help prevent data breaches, keep your costs down and maintain your customers’ trust and loyalty.
Make your life easier with a PCI-compliant POS
While it is still crucial for every merchant to understand why PCI DSS is so important, all Lightspeed Payments hardware and software are already PCI Level 1 certified.
We provide only PCI-compliant hardware and software and maintain a PCI-compliant platform, and our integrated payment system provides end-to-end encryption for every transaction, tokenizing data the second it reaches our servers.
Lightspeed is the merchant on record for all your transactions, meaning we deal with the banks on behalf of your business. We also take care of all regular assessments as well as document filing annually, and maintain up-to-date policies.
Lightspeed’s POS and Payments platform is your all-in-one solution that handles security for you, so you can focus on growing your business.
Chat with us to learn more about Lightspeed’s technical approach to security.
Editor’s note: Nothing in this blog post should be construed as advice of any kind. Any legal, financial or tax-related content is provided for informational purposes only and is not a substitute for obtaining advice from a qualified legal or accounting professional. Where available, we have indicated the first-hand sources of the information contained in this blog post. While we strive to provide accurate content, we cannot be held responsible for any actions or omissions based on such content. Lightspeed does not undertake to complete further verifications or keep this blog post updated over time.
News you care about. Tips you can use.
Everything your business needs to grow, delivered straight to your inbox.