Credit or Debit? Why PCI Compliance is Critical for Small Businesses.
If you accept credit or debit cards from your customers, your small business must be PCI compliant.
Here’s what your business needs to know:
- Payment Card Industry (PCI) compliance means meeting the standards businesses must abide by in order to accept payment by credit or debit card.
- PCI compliance ensures transactions are made securely by putting defined safeguards in place. These safeguards help businesses avoid the costly fines that follow a breach.
- PCI compliance requires businesses to meet 12 requirements.
- A cyber insurance policy can protect you, your employees, and your business if you identify a data breach. Talk to your broker about your business insurance policy. See if your cyber coverage is sufficient for your operational risks.
What are the potential impacts of not being compliant? Data breaches with big headlines have put well-known retailers in the spotlight, and with good reason. This kind of press can damage a brand’s reputation with the public. It can also erode the trust of customers, who may be hesitant to return to your business.
Re-earning that trust is a costly undertaking, which makes it imperative to ensure customers’ payment details are secure during processing. Putting the right policies and best practices in place keeps payment security a priority at all times. Beyond the media and public impact, compliance and effective risk management are essential. If there is an incident, the fallout can be costly for the business.
What is PCI?
PCI (Payment Card Industry) covers all companies that process or issue credit and debit cards. Commerce and retail businesses, ATM operators, and financial institutions that issue credit, debit, or prepaid cards all fall within PCI. The PCI SSC (Payment Card Industry Security Standards Council) oversees the payment card industry’s standards.
Who needs to follow PCI regulations?
All businesses that accept, transmit, or retain cardholder data must follow the PCI data security standards. The number of transactions made in a calendar year determines the compliance level required for your business, and each level carries its own reporting conditions. Following data security standards is a key risk management process, especially when it comes to cyber liability.
Does your business accept credit or debit?
If so, PCI outlines four compliance levels, ranked from Level 4 (lowest) to Level 1 (highest).
- PCI Level 4: Businesses processing fewer than 20,000 card transactions per year.
- PCI Level 3: Businesses processing between 20,000 and 1 million card transactions annually.
- PCI Level 2: Businesses processing 1 million to 6 million card transactions annually.
- PCI Level 1: Businesses processing more than 6 million credit or debit card transactions annually.
Each PCI compliance level carries its own reporting requirements for businesses.
The PCI SSC lists 12 requirements that must be met under PCI DSS:
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update antivirus software or programs.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for employees and contractors.
Do I need to be PCI compliant if I only accept payment by credit or debit over the phone?
Yes. The PCI SSC requires all businesses that process credit or debit card payments – no matter how the transaction is taken – to follow the compliance standards.
Do I need to be PCI compliant if I use a third-party to process credit or debit card payments?
The answer is yes. Outsourcing does not exempt a company from meeting PCI standards.
If I run a business with multiple locations, will I need to validate compliance at all sites?
As long as your business operates and processes payments, you must validate compliance once per calendar year. This applies to all locations that operate under the same Tax ID. If you are unsure, consult the PCI SSC for clarification.
My business does not store credit or debit card data. Do I need to be PCI compliant?
You must comply with PCI standards even if you do not store payment information.
What if my business does not comply with PCI?
PCI compliance is not a law; rather, it is a standard set by the major card brands (Visa, MasterCard, etc.). At their discretion, non-compliant businesses may be subject to fines, audits, and other costs should a data breach occur.
What are the penalties for non-compliant businesses?
At the discretion of the payment brand, a fine of $5,000 to $100,000 per month may apply for PCI compliance violations. The fine is first levied on your bank, which will then hold the non-compliant business accountable. Other penalties may also apply, such as termination of your merchant account or increased transaction fees.
It is always in your business’s best interests to ensure adequate protection when handling all customer information. Whether your business collects and stores payment details for recurring subscriptions or simply maintains email addresses to market to customers, a cyber insurance policy can protect your business against unexpected cyber threats.
The PCI Security Standards Council publishes Data Security Resources for businesses to help mitigate the risks in your business.