If you're a business owner who's just getting started with accepting credit cards, you might be feeling overwhelmed by a PCI questionnaire, irritated about PCI Compliance and PCI Non-Compliance Fees, or just confused about why you need to worry about PCI in the first place. There's no doubt that PCI can get a bad rep, especially if you don't know why you need to be compliant or how PCI is designed to help protect your customers and your business.
To give you some more context around PCI and why it's important, we answer the biggest questions surrounding PCI in this ultimate guide.
What is PCI Compliance?
PCI is a set of standards designed to ensure that credit card information is captured, retained, and transmitted in a secure way.
In other words, it is a set of rules designed to reduce the risk of fraudsters, hackers, and thieves stealing sensitive card information. PCI compliance is mandated by the major card brands (Visa, Mastercard, American Express, etc.).
What Does PCI DSS Stand For?
PCI is short for PCI DSS, which stands for Payment Card Industry Data Security Standard.
Who/What Does PCI Compliance Apply to?
PCI Compliance rules apply to all payment processors, service providers, and merchants. Even smaller merchants using a mobile app at pop-up shops on the weekend are required to meet PCI standards. PCI is the world's largest security standard, as it applies to millions of merchants, processors, ATM companies, and other service providers worldwide.
How Do I Know If I'm Not Being PCI Compliant?
As a business owner, asking yourself questions about how you treat customer information can help you discover your current level of PCI compliance. Questions like:
Are we storing credit card numbers? If so, where and how?
Do we train our staff in handling sensitive data?
Do we have anti-virus software on all our computers?
All of these can help point toward whether or not your business is currently complying with PCI standards. If something seems amiss or insecure, double-check that your business's policy is in line with what the PCI standards require.
Real World Example:
Writing down a customer's credit card number and expiry on a sticky note can seem like a good idea if you need to charge them later, and the same goes for keeping their card info in a spreadsheet if they want to be charged monthly for a subscription you offer. Neither of these practices is PCI compliant. Instead, you should use the credit card vault offered by your payment processor.
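The first question above, "Are we storing credit card numbers? If so, where and how?", is easier to answer if you can search your own exports, spreadsheets and notes for anything that looks like a card number. The script below is an added example, not code from the original post or from any payment processor: it scans text for 13 to 19 digit runs (with optional spaces or dashes), keeps only those that pass the Luhn check that real card numbers satisfy, and reports them masked so the scan report itself does not become another place where full card numbers are stored. The sample spreadsheet export, the customer names and the test card numbers in it are all constructed for the example.

```python
"""Find stored card numbers (PANs) in text so they can be moved into a processor's vault.

Added example: a first-pass discovery aid, not a PCI-approved scanning tool.
"""
import re
import sys
from typing import List, Tuple

# Candidate PAN: 13-19 digits, each optionally followed by a space or dash,
# bounded on both sides by a non-digit so we match whole digit runs only.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum.

    Every real card number passes this check, so it filters out most
    order numbers, phone numbers and other long digit runs.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first six and last four digits, which PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[Tuple[int, str]]:
    """Return (line number, masked PAN) for every Luhn-valid candidate in text."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append((lineno, mask(digits)))
    return hits


# Constructed sample: a spreadsheet export of the kind described in the text.
# 4111... and 5555...4444 are well-known test card numbers, not real accounts;
# the 16-digit "order" value fails Luhn and must not be reported.
SAMPLE = """customer,card,notes
Alice Smith,4111 1111 1111 1111,monthly subscription
Bob Jones,order 1234567890123456,call 555-0100
Carol Lee,5555-5555-5555-4444,charge later
"""


def main(paths: List[str]) -> None:
    """Scan the given files (or the built-in sample when none are given)."""
    if not paths:
        for lineno, masked in find_pans(SAMPLE):
            print(f"sample:{lineno}: {masked}")
        return
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, masked in find_pans(fh.read()):
                print(f"{path}:{lineno}: {masked}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it with no arguments to see the two hits in the built-in sample, or pass the paths of exported spreadsheets, CSV files and text notes. Any hit is a place where full card numbers are being stored outside your processor's vault; fix the storage, then securely delete the original data. The Luhn filter removes most noise, but it is a plausibility check, not proof, so review hits by hand.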
My Payment Processor is Compliant, Does That Mean I am Too?
The short answer is no. While all payment service providers are required to be PCI-DSS Level 1 compliant, merchants are still responsible for the security scope of their own business environment.
A virus-infected computer or a dishonest staff member is all it takes for someone to steal credit card numbers from your business. We recommend that merchants use as many compliant services as possible to help shift the scope of responsibility from their business.
These include using your payment provider's credit card vault, using card readers and terminals that offer end-to-end encryption (E2EE), using hosted payment pages and .js payment plugins, and whatever other tools are available to shift your PCI liability over to your payment provider. But even with a reduced security scope, if you're accepting credit cards, you still need to complete a basic self-assessment questionnaire (SAQ) once per year, confirming that your business is PCI compliant.
How Can I Become PCI Compliant?
Most payment processors provide a pathway to help their merchants become PCI compliant. Often, this involves giving their merchants login access to a third-party PCI manager portal, which allows them to complete a once-per-year self-assessment questionnaire (SAQ) and receive their PCI certificate.
However, some payment processors have chosen to turn a blind eye to the compliance of their merchants. This is especially common among payment facilitators that deal with small merchants. The downside of this approach is that it puts merchants at greater risk of a data breach and exposes them to more liability if a breach occurs. In the event of a breach, such as a merchant's computer being stolen and credit card numbers being lost or compromised, or a dishonest staff member stealing credit card numbers, no protection would be offered to the merchant. The fines levied against the merchant for the breach could be crippling, especially to a small business.
Helping small businesses become PCI compliant can be somewhat cumbersome and expensive. As many processors don't discuss PCI openly and honestly with their merchants, many merchants don't properly understand PCI. It takes time and energy to educate merchants on PCI and develop resources, which is likely why some processors prefer to ignore it. But the consequences of not being compliant ultimately fall on the merchant. Choosing a processor that is willing to explain PCI and help you become compliant will help put your business in a safer place in terms of prevention and liability.
What's the Deal With PCI Fees?
A lot of payment processors charge merchants what's known as PCI Compliance or Non-Compliance fees. Compliance fees are often justified by processors as costs associated with making the PCI compliance process easier for merchants (although this is not always the case).
PCI non-compliance fees are the trickier ones and may vary depending on who your payment processor is, but they are meant to penalize merchants for not being compliant. Think of it like a parking violation or a late fee from the movie rental store (remember those?). Processors may issue the fee as a flat rate or as a percentage of your processing volume. How a processor applies the fee can result in a large variance in what they charge, and if your processor isn't transparent about how and what they're charging you, you can end up paying a lot in PCI non-compliance fees when what they probably should have done is simply make sure you were compliant in the first place.
The bottom line with PCI fees is that they don't need to cost merchants money. You can stay compliant all on your own by completing the SAQ once a year. The fees merchants get charged by a lot of processors are unnecessary, and just a way to nickel and dime merchants who don't understand why they're being charged the additional fees. Ideally, you want to find a processor that doesn't charge you a compliance fee or a fee for being non-compliant, but instead simply ensures you stay compliant and makes it as easy as possible for you to do so.
PCI is an important standard to comply with if your company accepts credit card payments. It protects you from the legal liability of losing sensitive information in the event of a data breach, and although it can seem daunting at first, PCI is actually easier than you might think. When choosing a processor, consider how PCI fees fit into their fee structure, and keep on the lookout for one that's transparent about how they handle PCI and ideally doesn't charge you unnecessary fees.