What Is PCI Compliance? A Guide for Small-Business Owners

PCI compliance, or payment card industry compliance, refers to a set of 12 security standards that businesses must use when accepting credit card payments and transmitting, processing and storing the related data. It involves requirements such as encryption of cardholder data, managing firewalls, updating antivirus software and assigning unique IDs to each person with computer access.

The Payment Card Industry Security Standards Council, an independent body created by the card networks in 2006, manages PCI security standards while the enforcement of these standards falls to the card networks and payment processors. Every business, regardless of the number of card transactions processed, must be PCI compliant. The card networks (Visa, Mastercard, American Express, etc.) can be contacted directly for information about their specific PCI compliance programs. ^[0]

No, merchant compliance is not determined or enforced by the government. And, while the PCI Security Standards Council manages security standards and looks for ways to improve security, it doesn’t enforce compliance either. Instead, the steps a business must take to be PCI compliant are in the terms of the contract or agreement with its merchant service provider or payment service provider and the card networks.

While the broad intent of these requirements is the same from one provider to the next, details about implementation can vary. Not following the proper procedures can lead to serious problems, including tens of thousands of dollars in fines issued by card networks.

PCI compliance can be especially frustrating for business owners who have little expertise or interest in cybersecurity. However, current payment networks are built on chains of trust.

"The result is that someone needs to take responsibility," says Gary Glover, vice president of assessments at SecurityMetrics, a cybersecurity company specializing in PCI compliance matters. "Ultimately, it falls on the person who takes the card. Over the years, it will be easier. In five to 10 years, hopefully, merchants will be out of scope because the system is more secure."

But until then, merchants need to understand the following:

• PCI compliance isn’t a one-time exercise; it’s a task that must be completed each year.

• Compliance requirements vary by business size and by the number of card transactions each year.

• Compliance rules divide businesses into four groups that vary slightly by card network. For example, Visa classifies Level 4 merchants as those that process fewer than 20,000 online card transactions or up to 1 million total transactions per year. Larger businesses generally have more burdensome requirements.

• The type of payment service a business uses can also affect the amount of work required to be compliant each year.

• Merchant account providers offer businesses the special type of bank account needed to accept card payments, which is called a merchant account. If you have this type of account, PCI compliance-related requirements are usually written into the terms and conditions of your agreement.

• Payment service providers, such as Square or Stripe, replace the need for a business to have its own merchant account and often take on some compliance responsibilities. Businesses that accept payments with a PSP must still be PCI compliant, but it’s generally easier compared with businesses with merchant accounts.

» MORE: Learn what EMV is and how it works

Here are the 12 PCI compliance requirements from the PCI Security Standards Council.^[0]

1. Install and maintain a firewall. That includes testing network connections, restricting connections to untrusted networks and other efforts.

2. Change vendor-supplied default passwords and security settings. This includes enabling only necessary services, removing functionality where warranted, encrypting access and other efforts.

3. Protect stored cardholder data. That includes having policies for disposing of data, limiting what is stored, avoiding storing certain types of data and other efforts.

4. Encrypt cardholder data when transmitting it across open, public networks. Among other things, don't send unprotected account numbers via email, instant messaging, text, chat or other end-user messaging technology.

5. Use and regularly update antivirus software. That means performing and documenting periodic scans, as well as ensuring the software is running and other activities.

6. Develop security systems and processes. This means creating processes to find and take action on vulnerabilities, as well as other efforts.

7. Restrict access to cardholder data to a need-to-know basis. That requires defining the access certain roles need, as well as creating user privileges and control systems, among other things.

8. Assign user IDs to everybody with computer access. Businesses should also ensure there's a way to authenticate users, document their policies in this area and take other actions.

9. Restrict physical access to cardholder data. This means using cameras or other tools to monitor who is in sensitive areas of the business or handling certain equipment, for example.

10. Track and monitor who accesses networks and cardholder data. That means having an audit trail, using time-stamped tracking tools, reviewing logs for suspicious activity and other activities.

11. Regularly test systems and processes. Test and inventory wireless access points, do quarterly vulnerability scans and monitor traffic, among other things.

12. Have a policy on information security. That means writing, publishing and disseminating a policy at least once a year that lays out usage rules for certain technologies and explains everyone's responsibilities, among other things.

To become PCI compliant, a business typically must do three things:

1. Meet the requirements set out by the Payment Card Industry Security Standards Council.

2. Complete an assessment that shows how secure a business's systems and practices are. Most small businesses can perform a self-assessment, and the one you take depends on your particular payment setup. Larger businesses must hire third-party auditors. 

3. Perform a scan of the network used to process payments. This technical exercise requires the help of an outside firm.

Determining whether your business is PCI compliant requires a thorough assessment of security practices every year. Although the PCI compliance requirement is universal, validation requirements and assessments may be slightly different, depending on the card network. The type of annual assessment required depends on a few factors, including the volume of card transactions.

A business falls into one of four category levels. For example, the following are the compliance levels for Visa:

• Level 1 merchants are those that process more than 6 million Visa transactions per year across all channels, or are global merchants identified as Level 1.

• Level 2 merchants are those that process between 1 million and 6 million Visa transactions per year across all channels.

• Level 3 merchants are those that process 20,000 to 1 million e-commerce Visa transactions per year.

• Level 4 merchants are those that process fewer than 20,000 e-commerce Visa transactions, or those processing up to 1 million total annual Visa transactions.

Merchants that have had a hack or cyber attack that led to data loss may be moved to a higher validation level by Visa.

There are four layers of groups involved in PCI compliance, beginning with the card networks that created it down to the individual businesses that accept customer payments.

Card networks

Each card network, like Visa and Mastercard, creates its own set of specific requirements, guided by the security standards set by the PCI Security Standards Council.

The PCI Security Standards Council

American Express, Discover, JCB International, Mastercard and Visa founded this organization in 2006. It creates broad security standards, certifies vendors, and tests and certifies payment technology.

Merchant account providers or payment service providers

Businesses use merchant account providers or payment service providers to gain the ability to accept card payments. In addition to following the rules set by each card provider, they also function as de facto administrators of PCI compliance for businesses by including specific PCI compliance-related requirements in the terms of their contracts or agreements.

Business owners

Every business must meet the requirements set forth by its merchant account provider. Meeting the requirements means your business is in compliance. If you aren’t in compliance, you could face hefty fees or even lose your merchant account.

Some payment processors charge PCI compliance fees. In return, you might receive compliance-related services, like access to consultants who help you complete requirements.

• PaySimple, for example, charges a $5.95 monthly fee for access to a “PCI tool” and a $59.95 monthly fee if you are not in compliance.

• Dharma Merchant Services doesn’t have a PCI compliance charge, but there is a $39.95 monthly fee for noncompliance.

• Adyen, Payline, Square and Stripe don’t have specific charges for PCI compliance.

• Some companies don’t have any information listed on their website, or they may have vague “service fees” that may or may not include PCI-related items.

Weighing the cost of this fee, if any, against the services you receive can play a role in choosing a payment processing company. Even if your payment partner doesn’t charge you a fee, becoming PCI compliant usually costs something. Level 4 merchants can expect to pay from $300 to $1,000 or more annually to hire an approved scanning vendor to test their network, complete the questionnaire and help address any issues.

Given the technical nature of data security, completing the assessment questionnaire can be challenging for small-business owners who must address all the issues before submitting it. The following steps can make the process easier.

Practice good data hygiene

Much of the advice on securing data mirrors best practices you might already be familiar with when securing your own personal devices, including:

• Use strong passwords.

• Keep software updated. Older point-of-sale terminals can be particularly vulnerable. Newer cloud-based systems are built with strong encryption, and typically receive updates automatically.

• Store only what you need. You probably don’t need to store physical copies of receipts.

• Don’t click on suspicious links.

• Only use card readers and payment software that are validated by the PCI Security Standards Council.

• Educate employees about the importance of protecting cardholder data.

Take the paperwork seriously

Self-assessment questionnaires are technical in nature and can frustrate business owners, Glover says. Some people are tempted to simply check yes to all the questions on the questionnaire without giving the questions much thought.

“People just get frustrated,” Glover says. “We see this a lot. This is a business risk you’re taking.” He says that if a business owner does this and is later compromised, penalties are often stiffer. If you’re unsure of how to handle these questionnaires, consider asking your payment processor for clarification or seeking help from an outside agency.

Use systems that make compliance easier

The point-of-sale, or POS, system that you use can make PCI compliance easier. Using an up-to-date cloud-based POS that integrates payment processing, a POS system and card readers can minimize security risks. These end-to-end systems are usually secure, low-maintenance and often include PCI compliance support.

Some business owners piece together an array of products and services from different companies, but these systems can be less secure and often depend on the owner keeping everything up-to-date.

» MORE: Best POS systems

Understand your business

• Find out which level your business falls under.

• Find out which assessment you must use.

Talk to your payment processor about:

• The specific compliance requirements in your contract.

• Whether it has consultant recommendations should you need help.

• Whether you are paying a PCI compliance fee.

• Compliance services it provides or recommends.

Get help from experts

Use resources on the PCI Security Standards Council website to learn more about securing customer data.

For help finding an approved scanning vendor or someone to help with your assessment, talk to your financial partners or use the vendor lists PCI Security Standards Council keeps.^[0]