What Is PCI Compliance? A Guide for Small-Business Owners

PCI compliance, which stands for payment card industry compliance, is a process that keeps customer card data secure. Even if you only process one card transaction per year, you must be PCI compliant. For small businesses, PCI compliance involves meeting requirements such as:

• Protecting stored cardholder data through encryption and maintaining a firewall configuration.

• Regularly updating antivirus software.

• Assigning unique IDs to each person with computer access.

The cost and effort required to achieve compliance depend on a few factors, most notably your payment volume and the payment processor you use. In general, the more transactions you process per year, the more that’s required of you. The first jump in responsibilities takes place for businesses that do 20,000 or more online transactions per year or more than 1 million total transactions per year.

» MORE: Best POS systems

Merchant compliance is not determined or enforced by the government, by the PCI Security Standards Council or by payment networks. Instead, the steps a business must take to be PCI compliant are found in the terms of the contract or agreement with its merchant service provider or payment service provider. While the broad intent of these requirements is the same from one provider to the next, details about implementation can vary. Not following the proper procedures can lead to serious problems, including fees in the thousands of dollars.

Basics of PCI compliance

PCI compliance can be frustrating for business owners because it means taking on a subject — cybersecurity — they might have little expertise or interest in. However, current payment networks are built on chains of trust.

"The result is that someone needs to take responsibility," says Gary Glover, vice president of assessments at SecurityMetrics, a cybersecurity company specializing in PCI compliance matters. "Ultimately, it falls on the person who takes the card. Over the years, it will be easier. In five to 10 years, hopefully, merchants will be out of scope because the system is more secure."

But until then, merchants need to understand the following:

• PCI compliance isn’t a one-time exercise; it’s a task that must be completed each year.

• Compliance requirements vary by business size and by the number of card transactions each year.

• Compliance rules divide businesses into four groups. Most small businesses are considered Level 4 merchants — those that process fewer than 20,000 online card transactions or up to 1 million total transactions per year. Larger businesses generally have more burdensome requirements.

• The type of payments service a business uses can also affect the amount of work required to be compliant each year.

  • Merchant account providers provide businesses with the special type of bank account needed to accept card payments. If you have this type of account, PCI compliance-related requirements are usually written into the terms and conditions of your agreement.

  • Payment service providers, such as Square or Stripe, replace the need for a business to have its own merchant account. As a result, PSPs often take on some compliance responsibilities. Businesses that accept payments with a PSP must still be PCI compliant, but it’s generally easier compared with businesses with merchant accounts.

How small businesses can stay PCI compliant

PCI compliance applies to any business that accepts card payments, including seasonal or small businesses.

To become PCI compliant, a business typically must do two things:

• Complete an assessment that shows how secure a business's systems and practices are. Most small businesses can perform a self-assessment.

• Perform a scan of the network used to process payments. This technical exercise requires the help of an outside firm.

Determining whether your business is PCI compliant requires a thorough assessment of security practices every year.

Although the requirement is universal, there's no one-size-fits-all assessment. Instead, the type of annual assessment depends on a few factors, including the volume of card transactions. A business falls into one of four tiers:

Level 1 merchants process more than 6 million card transactions per year or have had a hack or attack that led to data loss.

Level 2 merchants process more than 1 million card transactions per year up to 6 million.

Level 3 merchants process 20,000 or more online card transactions per year up to 1 million.

Level 4 merchants process fewer than 20,000 online card transactions or up to 1 million total transactions.

Most small businesses fall under Level 4 and are required to perform a self-assessment. Larger businesses must hire third-party auditors. There are multiple self-assessment questionnaires: the one you take depends on your particular payment setup. For example, Questionnaire A-EP is for businesses that outsource all payment processing to certified third parties, like Stripe.

Groups involved in PCI compliance

There are four layers of groups involved in PCI compliance, beginning with the confederation of card networks that created it down to the individual businesses that accept customer payments.

Card networks

Each card network, like Visa and Mastercard, creates its own set of specific requirements, guided by the security standards set by the PCI Security Standards Council.

The PCI Security Standards Council

American Express, Discover, JCB International, Mastercard and Visa founded this organization in 2006. It creates broad security standards, certifies vendors, and tests and certifies payment technology.

Merchant account providers

Businesses partner with merchant account providers to gain the ability to accept card payments. Merchant account providers must follow the rules set by each card provider. They also function as de facto administrators of PCI compliance for businesses, as they include specific PCI compliance-related requirements in the terms of each contract or agreement with each business they work with.

Business owners

Every business must meet the requirements set forth by its merchant account provider. Meeting the requirements means your business is in compliance. If you aren’t in compliance, you could face hefty fees or even lose your merchant account.

The cost of PCI compliance

Some payment processors charge PCI compliance fees. In return, you might receive compliance-related services, like access to consultants who help you complete requirements.

PaySimple, for example, charges a $5.95 monthly fee for access to a “PCI tool” and a $59.95 monthly fee if you are not in compliance. Dharma Merchant Services doesn’t have a PCI compliance charge, but there is a $24.95 monthly fee for noncompliance. Adyen, Payline, Square and Stripe don’t have specific charges for PCI compliance. Some companies don’t have any information listed on their website, or they may have vague “service fees” that may or may not include PCI-related items.

Weighing the cost of this fee, if any, against the services you receive can play a role in choosing a payment processor.

Even if your payment partner doesn’t charge you a fee, becoming PCI compliant usually costs something. Level 4 merchants can expect to pay from $300 to $1,000 annually to hire an approved scanning vendor to test their network, complete the questionnaire and help address any issues.

Tips for becoming PCI compliant

Given the technical nature of data security, completing the questionnaire can be challenging for small-business owners. The self-assessment questionnaires consist of yes-or-no questions; if you answer "no" to any of them, you must address the issue before submitting it. The following steps can make the process easier.

Practice good data hygiene

Much of the advice on securing data mirrors best practices you might already be familiar with when securing your own personal devices, including:

• Use strong passwords.

• Keep software updated. Older point-of-sale terminals can be particularly vulnerable. Newer, cloud-based systems are built with strong encryption, typically receive updates automatically and can be less expensive.

• Store only what you need. You probably don’t need to store physical copies of receipts.

• Don’t click on suspicious links.

• Only use card readers and payment software that are validated by the PCI Security Standards Council.

• Educate employees about the importance of protecting cardholder data.

Take the paperwork seriously

Self-assessment questionnaires are technical in nature and can frustrate business owners, Glover says. Some people are tempted to simply check yes to all the questions on the questionnaire without giving the questions much thought.

“People just get frustrated,” Glover says. “We see this a lot. This is a business risk you’re taking.” He says that if a business owner does this and is later compromised, penalties are often stiffer. If you’re unsure of how to handle these questionnaires, consider asking your payment processor for clarification or seeking help from an outside agency.

Use systems that make compliance easier

The point-of-sale, or POS, system that you use can make PCI compliance easier. Using a cloud-based POS that integrates payment processing, a POS system and card readers can minimize security risks. These end-to-end systems are usually secure, low-maintenance and often include PCI compliance support.

Some business owners piece together an array of products and services from different companies, but these systems can be less secure and often depend on the owner keeping everything up-to-date.

Compliance resources checklist

Understand your business

• Find out which tier your business falls under.

• Find out which assessment you must use.

Talk to your payment processor about:

• The specific compliance requirements in your contract.

• Whether it has consultant recommendations should you need help.

• Whether you are paying a PCI compliance fee.

• Compliance services it provides or recommends.

Get help from experts

• Use resources on the PCI Security Standards Council website to learn more about securing customer data.