Secure Phone Payment

PCI Compliance in a Nutshell

PCI compliance means meeting the Payment Card Industry Data Security Standard, or PCI-DSS, a set of security requirements maintained by the PCI Security Standards Council, which the major card brands (Visa, Mastercard and others) founded to protect themselves and their merchants from the risks of exposed cardholder data. PCI-DSS is not a law; it is a contractual requirement that flows down to you through your merchant agreement with your acquirer or processor. Much like a law, though, it carries penalties: if you fail to validate compliance, your processor can charge you recurring non-compliance fees. 

Why Is PCI Compliance Important?

PCI compliance isn’t just another way for credit card companies to squeeze money from you. There are real benefits to becoming compliant apart from saving yourself from non-compliance fees. By completing the process and becoming compliant, you’ll:

  1. Be better positioned to defend against lawsuits related to data breaches and hacks.
  2. Reduce your exposure to fines and expensive per-record charges after a breach.
  3. Find vulnerabilities in your systems (e.g. firewalls and other internet-facing devices) before they're exploited by attackers.
  4. Keep your customers' data safe.

Think of PCI compliance like an insurance policy. A compliant business has an advantage because it took the necessary steps to protect its customers' data, and that reduces its liability if something goes wrong. An important note: although becoming PCI compliant does a great deal for the security of your processing, it isn't a catch-all solution. It can't guarantee that your data won't be stolen, but it greatly reduces the odds while also giving your business a defense if a breach does occur. PCI compliance should be paired with other fraud-prevention measures to create a holistic protection plan for your business.

What are the Drawbacks to Becoming PCI Compliant?

Ultimately, there are none. Becoming PCI compliant can be time-consuming without help, but you can alleviate this by having an industry expert like Evolve Payment walk you through the process. Quarterly PCI compliance scans may reveal vulnerabilities in your firewall or other systems, and you're responsible for fixing them, but those vulnerabilities existed before the scan found them, so finding them shouldn't be considered a drawback. At the end of the day, every merchant should become PCI compliant, and it's not as hard as it sounds.

The Steps to Becoming PCI Compliant

1. Identify Your Self-Assessment Questionnaire (SAQ)

The self-assessment questionnaire (SAQ) is the form a merchant completes to self-validate PCI compliance. Determining which form to complete is the hardest part of this process, as there are numerous SAQ types, and which one applies depends on how you accept cards and where cardholder data is stored, processed or transmitted.

Depending on whether you use standalone ("box") terminals, a fully integrated POS, an ERP system, or a virtual terminal, a different SAQ applies. The Evolve Payment team can help you determine which form is right for you. Otherwise, the PCI Security Standards Council website has a brief description of each SAQ explaining when it applies.

2. Complete the SAQ

Completing the SAQ can also be difficult without guidance and is often a discouraging step for merchants. Some SAQ questions are easy to misread, and your answers to some of them may reveal that a different SAQ actually applies to you. Thankfully, there are a multitude of third-party companies that can walk you through the security process and act as a resource (Trustwave, Sysnet, and SecurityMetrics, to name a few). 

At Evolve Payment, we are well-versed in the PCI compliance process and offer a more boutique approach than the big cybersecurity companies. Another option is to ask your processor for guidance, as most processors have a PCI compliance department.

3. Send the Questionnaire to Your Processor for Submission

Once you've completed the SAQ and signed its accompanying Attestation of Compliance (AOC), send them to your processor, which submits them for approval. This is a hands-off step with a quick turnaround. Once approved, your processor will send you a certificate, keep your attestation on file, and report your compliance status to the card brands. Once you've been registered, you're officially compliant for the year; the SAQ and AOC must be renewed annually.

4. Follow Your Quarterly Scan Reports

Most merchants must also have external vulnerability scans run at least quarterly by a PCI Approved Scanning Vendor (ASV); your processor typically arranges these, and they look for vulnerabilities in any of your systems that are reachable from the internet. Nearly every processing setup requires scans; one of the few exceptions is a standalone terminal that connects only over a dial-up phone line. If you're a retailer and your terminal connects over ethernet, for example, you'll need a scan. Watch your email inbox for the quarterly scan reports, fix whatever they flag, and have the scan re-run until it passes: a failing scan means you are not compliant until the findings are remediated.

Protect Your Cardholder Data

PCI compliance is an important insurance policy that will help keep your business and your customers safe. The costs associated with card-not-present fraud topped $6 billion in 2020, and this number is on an upward trend. Because of this, PCI compliance isn't going anywhere anytime soon, and it's arguably more important now than ever, especially with the rise in ecommerce as a result of the pandemic. Ecommerce transactions can't use EMV (an acronym for Europay, Mastercard, and Visa, but really just the chip on your credit card) because the card is never physically present, so they are especially vulnerable to fraud.

Becoming PCI compliant may seem like a headache, but it doesn’t have to be. There are many resources and experts who are ready to walk you through the process and protect your business. If you’re interested in becoming compliant and want an advisor to help you, Evolve Payment will examine your business needs and processing to determine the easiest path towards compliance. Contact us today and protect your company!