As a business owner taking payments, you’ve probably heard of PCI compliance. However, the whole concept might seem like it requires a fleet of elite, specialized translators just to figure out the right forms.
Here’s a basic primer on PCI compliance.
What is PCI compliance?
In 2006, a group called the Payment Card Industry Security Standards Council (PCI SSC) was created to combine the disparate card brands’ security requirements. Up until this time, each had been setting their own individual standards, and it became clear that a consistent, system-wide standard was in order.
As a result, the PCI SSC created the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS lists twelve requirements that cover six different goals. These requirements apply to all members, merchants, and service providers that store, process, or transmit cardholder data. So, if you’re taking any payments – you’ve got to pay attention.
The PCI SSC itself doesn’t issue any consequences, but each individual payment brand might have its own compliance initiatives. They might fine an acquiring bank up to $100,000 per month for violations – and this fine just might get passed along to you if you aren’t compliant. That’s big money, and there are other big consequences. You could lose your processing relationship or suffer an increase in transaction fees. It can be especially hard for smaller businesses to recover from such a blow.
What do I do?
Your business will be identified as one of four merchant levels based on transaction volume during a twelve-month period.
Depending on your level, you will determine the relevant Self-Assessment Questionnaire (SAQ). You will need to complete the questionnaire in its entirety. You must also complete the appropriate Attestation of Compliance. Many payment processors will have this information, along with instructions, available to you, or have a contact ready that you can reach out to (firstname.lastname@example.org).
Depending on your SAQ, you may also be required to pass a vulnerability scan. A vulnerability scan will find and rank your vulnerabilities so that you can take care of them. Vulnerability scans need to be conducted by an Approved Scanning Vendor (ASV). It’s important to use an ASV, as they understand the requirements of conducting scans appropriately. They’re also prohibited from impacting or altering your customer’s environment during the scan, so things won’t get messy. You can find a list of ASVs from the PCI SSC here.
It can take a while to complete the entire compliance process. Since each organization varies in size and complexity, the remediation work will also vary. The process ends once you resolve any non-compliance issues it uncovers.
What are some steps I can take now to help my business become compliant?
In the meantime, you can always make a few smart choices to help ensure your card security is running as close to the standards as possible. Here are some good actionable ideas.
Outsource your processing and cardholder data.
Opting to outsource parts of your payment plan can give you a leg up. Storing, processing, or transmitting with a PCI compliant service provider or software vendor can really ease your burdens. When you outsource with a service provider, you use their system. If you pick smart (like choosing Forte), you can rely on a fully compliant and certified system that understands, complies with, and excels at storing and managing cardholder data securely. You can also relax. Forte is a single-source solution, which means they offer the full package – virtual terminal, payment gateway, readers, and processing – with strict adherence to PCI guidelines in every piece.
Choose smart equipment.
Selecting secure readers and equipment is a wise investment. Opting for card readers that consider PCI compliance right within their design can significantly ease your compliance burdens and headaches. Readers for mobile payments like the MagTek iDynamo offer multiple layers of security and protection. The iDynamo actually encrypts card data right inside the read head, which is right next to the magnetic stripe: this means instant protection. Tokenization is also immediate, and the reader implements its own card authentication feature right at the swipe.
Photo credit: kris krüg