person holding credit card while shopping online via laptop
The level of strictness of PCI compliance that your business is obligated to follow is dependent on which of the four levels your business falls into. — Getty Images/filadendron

Payment card industry, or PCI, is made up of major credit card brands like MasterCard, Discover, American Express, and Visa that set the security standards for any business that deals with credit card information.

PCI compliance, therefore, refers to the practice of adhering to the Payment Card Industry Data Security Standards (PCI DSS). These standards are meant to protect consumers’ credit card data from being stolen.

In addition to being good for your consumers, PCI compliance is required by most merchant account providers. Businesses of all sizes must be PCI compliant, or they risk fees and penalties. Here’s how to make sure your business is PCI compliant.

[Read more: 12 Common Credit Card Processing Terms]

The four levels of PCI compliance

One reason why merchants struggle to ensure they are PCI compliant is because there are four levels of compliance, each with different standards. The four levels are set based on how many payment card transactions a business handles each year.

  • Level one: businesses that process more than six million e-commerce transactions each year.
  • Level two: businesses that process one million to six million e-commerce transactions each year.
  • Level three: businesses that process 20,000 to one million e-commerce transactions a year.
  • Level four: businesses that process less than 20,000 e-commerce transactions per year, or less than 1,000,000 transactions annually from all sales channels (e.g., e-commerce and retail).

If you’re not sure what level your business falls into, your point-of-sale (POS) reports may be able to tell you. “All credit card transaction volumes your organization processes are aggregated across multiple channels (i.e. in-store retail point-of-sale terminals and online payment gateways) and summed up to determine an appropriate PCI compliance level,” explained BigCommerce.

Businesses that meet the level one threshold have more stringent PCI compliance requirements to meet than businesses in level four. While this article will address the requirements for businesses in level four, it’s worth knowing that any business, regardless of the number of your annual transactions, can be moved into level one if you suffer a data breach.

[Read more: A Quick Guide to Data Management, Protection and Storage]

One of the easiest ways to ensure PCI compliance is to use a modern POS system.

The 12 PCI DSS Requirements

The official PCI DSS Quick Reference Guide lays out 12 requirements that businesses should follow to keep customer data safe.

  1. Install a firewall to protect cardholder data.
  2. Do not use vendor-supplied defaults for passwords and other security parameters.
  3. Encrypt any cardholder data that’s transmitted across open, public networks.
  4. Store cardholder data securely.
  5. Regularly update antivirus programs and malware protection.
  6. Maintain secure systems and applications.
  7. Restrict access to cardholder data only to those who need it in your business.
  8. Restrict physical access to cardholder data (e.g., device access).
  9. Require users to log in or authenticate to access system components.
  10. Track and monitor access to network resources and cardholder data.
  11. Test security systems regularly.
  12. Create and regularly update an information security policy.

These are relatively broad requirements, but they do have specific implications. For instance, make sure you’re using and regularly updating strong passwords (“12345” is an example of a weak password). Add firewall protection to your network and computers; and make sure your in-store wireless router is password protected.

One of the easiest ways to ensure PCI compliance is to use a modern POS system. “Modern payment processing systems use tokenization and encryption to protect this data when a sale is processed,” explained Merchant Maverick. “There’s never a good reason for you to store this information digitally — either on your hard drive or your website’s server. This goes double for physically storing credit card information. Never write down a customer’s credit card number, expiration date, or CVV unless it’s absolutely necessary.”

How to get started with PCI compliance

Not sure if your business is 100% PCI compliant? You can achieve greater security for your customer data in three steps.

First, audit the cardholder data you currently collect, inventory your IT assets and assess what processes you currently have in place to collect customer information. Analyze these elements of your business operations for any vulnerabilities that a hacker could exploit to steal cardholder data.

Next, take action to address those vulnerabilities. This could include upgrading the security on your e-commerce site, or moving away from storing cardholder data at all. Unless you’re using some kind of recurring billing system, there’s no need to keep cardholder data on file. Loyalty programs can be run simply through using someone’s email or transaction history, which doesn’t require storing PIN numbers and card numbers.

Lastly, submit your compliance reports to the bank or card brands with which you do business (e.g., Visa, MasterCard, American Express, or Discover). This will help you avoid any penalties or fees that can quickly add up by not maintaining PCI compliance.

CO— aims to bring you inspiration from leading respected experts. However, before making any business decision, you should consult a professional who can advise you based on your individual situation.

Follow us on Instagram for more expert tips & business owners stories.

CO—is committed to helping you start, run and grow your small business. Learn more about the benefits of small business membership in the U.S. Chamber of Commerce, here.


Connect with vendors who can meet your needs

Answer a few questions to tell us more about what you're looking for, and we'll help you reach vendors who can provide you with more information, pricing, and products.


Published