Payment Card Industry (PCI) compliance refers to the data security standards that businesses must adhere to if they capture, process, transmit, or store credit or debit card information. Also known as the Payment Card Industry Data Security Standard (PCI DSS), these guidelines are created and enforced by the PCI Security Standards Council (PCI SSC).
Properly protecting your business from security breaches potentially saves you tens of thousands of dollars or more in lost income.
In this guide:
- What is PCI DSS compliance? The Basics
- What does it cost to be PCI compliant?
- Demystifying PCI DSS compliance and PCI PTS certification
- Consequences of PCI non-compliance
- Making sure your small business is PCI-compliant
- Conclusion
What is PCI DSS compliance? The Basics
As credit card usage expanded around the turn of the century, each major card brand (Visa, Mastercard, Discover, and American Express) developed their own systems for protecting against fraud. Soon, however, these card brands united to create an industry-wide standard for protection, called the PCI DSS. The first iteration was launched in 2004 and has undergone many revisions to stay current. The most recent version (3.2.1) was launched in May 2018.
To establish and maintain PCI compliance, there are 12 basic requirements every business needs to meet. Below is an excerpt from the official Requirements and Security Assessment Procedures, which you can find on the PCI website.
PCI DSS version 3.2.1
Goal 1: Build and maintain a secure network and systems.
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Goal 2: Protect cardholder data.
- Requirement 3: Protect stored cardholder data.
- Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Goal 3: Maintain a vulnerability management program.
- Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs.
- Requirement 6: Develop and maintain secure systems and applications.
Goal 4: Implement strong access control measures.
- Requirement 7: Restrict access to cardholder data by business’ need to know.
- Requirement 8: Identify and authenticate access to system components.
- Requirement 9: Restrict physical access to cardholder data.
Goal 5: Regularly monitor and test networks.
- Requirement 10: Track and monitor all access to network resources and cardholder data.
- Requirement 11: Regularly test security systems and processes.
Goal 6: Maintain an information security policy.
- Requirement 12: Maintain a policy that addresses information security for all personnel.
What does it cost to be PCI compliant?
Becoming (and remaining) PCI compliant carries a range of costs. What you can expect to pay depends on your merchant level, which is dependent on variables such as:
- The size, location, and nature of your organization
- The number of card-based transactions you process annually
- How you capture and process card-based payments (i.e., in-person or online)
There may be additional costs associated with employee training, for example, which is voluntary for smaller organizations, but often required for larger ones. Upgrading magstripe POS terminals with more secure EMV-enabled readers also carries expenses. The same is true for eCommerce merchants that protect their visitors by adding Secure Sockets Layer (SSL) certificates to their sites. Of course, there are direct PCI compliance fees – normally calculated and charged by your payment processor.
These variables make it difficult to provide an exact “cost” for PCI compliance. However, smaller organizations can expect to pay $300 to $500† annually to become and remain compliant. By contrast, a multinational enterprise might need to spend $70,000 to $100,000† a year to remain in good standing.
However, the real costs come from non-compliance. Even if fraud never occurs in your organization, failure to meet the data security guidelines could result in penalties ranging from $5,000 to $100,000* – per month – until the issues have been fixed. If fraud happens, you may have to cover financial losses. Data breaches often lead to expensive legal battles and investigations – not to mention diminished consumer confidence and fewer sales.‡
Demystifying PCI DSS compliance and PCI PTS certification
Now that you know the goals and requirements of PCI DSS, what should you do with that knowledge? Your business will be assessed against these security guidelines whether you like it or not. So, it’s best to understand how it can impact your day-to-day tasks and responsibilities.
Using PCI PTS certified devices
If you’re using a point-of-sale device (POS) that’s more than a few years old, chances are it’s not protecting you against potential threats in adherence to current security standards.
One way to simplify your security is to start with a modern POS, specifically one that is PCI PTS (Payment Card Industry PIN Transaction Security) certified. Think of PTS certification like PCI compliance for payment terminals. POS providers like Clover that provide payment terminals can submit their machines for inspection and certification to make sure that a third party will not be able to access cardholder and PIN information.
All Clover point-of-sale devices are PTS certified, taking much of the burden of PCI compliance off of busy merchants. One of the critical points of PTS certification is point-to-point encryption (P2PE). Having built-in P2PE, as merchants with current Clover POS systems do, will make the entire process of certifying PCI compliance much easier.
Avoiding hidden costs
If you cobble together your own payments processing, or use non-P2PE devices, you can hire outside PCI compliance consultants to survey your business and adapt your systems to meet the basic requirements. It may seem like avoiding a modern POS system will reduce costs, but when you’re planning your budget, be sure to factor in the cost of compliance consultants. It can quickly add up.
Assessing and reporting your PCI compliance
PCI compliance is assessed in two ways: Self-Assessment Questionnaires (SAQs) and audits. Generally, businesses are required to submit SAQs annually and are audited quarterly to ensure compliance.
Answering a questionnaire once a year many not sound that complicated, but how your business is structured and the number of credit card transactions you process dictate which of the 8 different SAQs you will have to complete.
What might initially seem like a simple checklist of requirements can balloon into over 200 questions examining things like your networks, login systems, and data storage. Here are a few items from the full questionnaire for merchants who aren’t P2PE certified:
- Are perimeter firewalls installed between all wireless networks and the cardholder data environment, and are these firewalls configured to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment?
- Is there a current network diagram that documents all connections between the cardholder data environment and other networks, including any wireless networks?
- Is there a formal process for approving and testing all network connections and changes to the firewall and router configurations?
These questions are difficult and often time-consuming to address. If you choose to work with a Clover POS system, you get to bypass most of them. The P2PE-certified hardware Clover builds includes multiple CPUs to protect data, even in the case of a virus being introduced to the system. Its high-level encryption protects customer information from the moment it is captured until it’s through the payment gateway. With this level of security built in, the PCI questionnaire merchants will have to complete is reduced to as few as five questions from 200+.
In addition to your annual SAQ, you’ll also have to complete four system audits each year. If you are PCI compliant, these electronic audits will be a breeze. If you’ve cut a few corners thinking it will save you time or money, be prepared for an unnecessary headache.
If you use the services of Clover Security, you’ll get automated reminders to schedule and complete these audits as well as a guided questionnaire to complete your SAQ . That means you can spend more time running your business, and less time worrying about how to protect your payment data.
Consequences of PCI non-compliance
While you might be tempted to ignore your PCI compliance obligations, you run the risk of being hacked, losing customers, incurring fines, and potentially losing the privilege of accepting credit cards at all.
What non-compliance looks like
There are many ways you can end up non-compliant. Here are just a few:
- Not filling out your annual SAQ (Self-Assessment Questionnaire)
- Filling out your annual SAQ incompletely and/or inaccurately
- Failing to complete quarterly network audits
- Not taking recommended steps provided by PCI compliance experts
- Sharing login information or usernames among employees
- Using default passwords for any of your networks or equipment
- Using a public WiFi for some of your transactions if you have a network issue, or are off-site
Are small businesses at risk of hacking?
You may think small businesses don’t attract hackers the way larger corporations do. While the press usually only covers data breaches for larger businesses, PCI compliance for small business owners is more important, since merchants from this category are often the most vulnerable to fraud attacks.
The numbers don’t lie: 43% of cyber attacks target small businesses§. Furthermore, 60% of small and medium businesses that suffered data breaches were out of business within six months‖. Hackers know that the smaller the business, the less likely it is to have staff dedicated to security, leaving potential gaps for remote access, malware, or malicious code.
Costs of non-compliance
The formal penalties associated with PCI non-compliance are not exorbitant. Standard fines are about $20 per month, although each service provider has a right to set penalty rates at their own discretion. But these fees are just the tip of the iceberg when it comes to the real costs.
If your small business is hacked, the average loss is calculated as high as $79,841¶. Can your business afford to have nearly $80K disappear overnight? That’s a whopping figure for most merchants, and explains why so many victims of hacking end up closing shop in less than half a year.
On top of that, non-compliance may result in credit card companies revoking your privileges. If you cannot accept credit cards, or develop a reputation for sub-standard security, it’s probably game over for your business.
Making sure your small business is PCI-compliant
Most small merchants open a business because they are passionate about their products and services. Chances are you aren’t also passionate about jumping through the hoops of PCI compliance. But now that you understand the value of compliance, where should you begin?
PCI compliance for small business owners (know your level)
Merchants are placed into different compliance levels based on the volume and type of transactions they process. Most small to medium businesses fall into Merchant Level 4: merchants processing fewer than 20K e-commerce transactions per year, and all other merchants processing up to 1M transactions per year. Your Merchant Level, along with other information about how your payments system is configured, determines which SAQ you will need to complete.
Choosing the right POS system affects your PCI compliance
There was a time when a cash register and a product was all you needed to get a business launched. But if you are going to accept credit cards, you’ll need to partner with a credit card processor. Modern POS systems bundle processing together with other merchant services to make sure your business is set up for success.
With a POS system like Clover, you get a lot of compliance right out of the box. With PTS-certified equipment and P2PE encryption, you’ll have very little to manage to keep your PCI compliance in good standing. And If you partner with Clover Security, you’ll get automatic reminders, as well as support, to complete your audits and SAQs as needed.
Conclusion
Businesses of any size are at risk of hackers and data breaches that could ruin all you have worked for. PCI compliance can be complicated, but if you have the right partners for payments processing and work to keep your business compliant, you can rest easy knowing that you’re protected. Continue to educate yourself about evolving standards, and show your customers you care about their safety, too. You have a duty to protect your customers’ data, and Clover is here to help.
†https://www.securitymetrics.com/blog/how-much-does-pci-compliance-cost
*https://www.varonis.com/blog/pci-compliance/
‡https://www.metacompliance.com/blog/5-damaging-consequences-of-a-data-breach/
§https://smallbiztrends.com/2017/01/how-to-protect-your-small-business-against-a-cyber-attack.html
¶ https://smallbiztrends.com/2018/12/cost-of-a-cyber-attack-small-business.html