If you’re brand new to accepting credit cards, you’re probably new to PCI compliance as well.
You might be feeling overwhelmed by the questionnaire, irritated at PCI Compliance and PCI Non-Compliance Fees, or just confused about why you need to worry about this in the first place. There’s no doubt that PCI can get a bad rap, especially if you don’t know why you need to be compliant or how PCI is designed to help protect your customers and your business.
If you’re just getting started with PCI, we recommend that you check out our article on What is PCI Compliance to learn more about why the Payment Card Industry Security Standards Council (PCI SSC) sets and updates the PCI standards and how PCI can help you avoid a data breach and the loss of credit card numbers.
So, How Do You Become PCI Compliant?
Most payment processors provide a pathway to help their merchants become PCI compliant. Often, this involves giving merchants login access to a third-party PCI manager portal, where they complete a once-per-year self-assessment questionnaire (SAQ) and receive their PCI certificate. The questionnaires can be a bit clunky sometimes, but once a merchant successfully completes the SAQ and confirms their compliance, most PCI compliance programs offer some data breach insurance coverage, usually between $20,000 and $100,000 in protection from the penalties associated with losing full credit card numbers if a breach were to occur.
However, some payment processors have chosen to turn a blind eye to the compliance of their merchants. This is especially common among payment facilitators who deal with small merchants. The downside of this approach is that it puts merchants at greater risk of a data breach and exposes them to more liability if a breach were to occur. In the event of a breach, such as a merchant’s computer being stolen and credit card numbers being lost or compromised, or a dishonest staff member stealing credit card numbers, no protection would be offered to the merchant. The fines levied against the merchant for the breach could be crippling, especially to a small business.
Helping small businesses become PCI compliant can be somewhat cumbersome and expensive. Because many processors don’t discuss PCI openly and honestly with their merchants, many merchants don’t properly understand it. It takes time and energy to educate merchants on PCI and to develop resources, which is likely why some processors prefer to ignore it. But the consequences of not being compliant ultimately fall on the merchant. Choosing a processor that is willing to explain PCI and help you become compliant puts your business in a safer place in terms of both prevention and liability.