Many of my clients lately have been getting emails from Intuit about being PCI compliant.
They hear the word compliance and get scared.
So here’s a short-ish guide on becoming PCI compliant.
We’re publishing a fuller guide in a few short weeks for those of you who are super pumped about boring compliance.
What is PCI Compliance?
Major credit card brands have a vested interest in keeping your card data (and the card data of your customers) safe.
The Payment Card Industry (PCI), namely the largest credit card processors (American Express, Discover, Mastercard, Visa, etc.), created the PCI Security Standards Council (PCI SSC), which in turn created the PCI Data Security Standard (PCI DSS) as a guide for how businesses should handle credit card data.
Think of it as a set of safety “rules” to follow so you’re doing your best to guard card data.
PCI compliance involves three main components:
- Handling credit card data: How businesses handle credit card data from customers
- Storing data: How businesses store data securely
- Validating security controls: How businesses annually validate that the required security controls are in place
Do I have to follow PCI Compliance?
Technically, PCI compliance applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers.
PCI compliance is an ongoing process, and businesses must comply with the PCI DSS or risk losing their ability to process credit card payments. Non-compliance can result in heavy fines and other consequences, such as loss of business.
“Ongoing process” means it is not a set-it-up-once-and-forget-it kind of thing. It is designed to show that your business is actively protecting card data.
How do I know how PCI compliant my business needs to be?
There are four levels of PCI compliance, based on the number of card transactions a merchant processes each year. Level 1 carries the most stringent validation requirements and Level 4 the least:
- Level 1: Merchants that process more than 6 million card transactions per year
- Level 2: Merchants that process 1 to 6 million transactions per year
- Level 3: Merchants that process 20,000 to 1 million transactions per year
- Level 4: Merchants that process fewer than 20,000 transactions per year
Most small businesses reading this are going to be Level 4.
The only validation requirements for PCI Level 4 are:
- Completion of the appropriate Self-Assessment Questionnaire (SAQ)
- Quarterly vulnerability scans of your network
- Completion of an Attestation of Compliance (AOC), which states you have complied with the data security standards (DSS).
Though the annual requirements for Level 4 are less work without a formal audit, implementing all the PCI controls and maintaining them can still be a time-consuming process.
The questionnaire requires you to attest that you have the appropriate security policies, procedures, and tools in place, as laid out in the PCI security standard.
Action Items:
- Determine whether your business is currently PCI compliant.
- Determine your risk exposure from not being PCI compliant.
- If you want to become compliant, implement a solution to get there.