Perhaps you’ve noticed a PCI fee on your business’s monthly merchant statement.
Or your IT guy has mentioned, “You know, we really need to get PCI compliant.”
Or perhaps you’ve seen a PCI questionnaire with HUNDREDS of questions, and wondered how you’re going to get through it, while providing accurate information.
Whatever your situation may be, PCI compliance needs to be taken seriously by any business that accepts credit, debit or online payments. This article will provide you with the basic information to understand:
- What is PCI Compliance?
- What are the risks of NOT being PCI Compliant?
- The different types of PCI Compliance
- How to get through PCI Compliance quickly
What is PCI Compliance?
PCI stands for Payment Card Industry. The information security standard for businesses that accept credit & debit cards for payment is called PCI DSS – Payment Card Industry Data Security Standard. This standard was created in an attempt to reduce fraud and, by most counts, it has been successful in doing just that.
To become PCI compliant, most companies receive a Self-Assessment Questionnaire from the merchant processing company that they work with. This questionnaire is typically referred to as a SAQ. There are 8 different types of SAQs that we’ll expand on later in this article. Upon completing the SAQ, as well as any related scans & tests, a company gets the PCI DSS seal of approval. In other words, they become PCI Compliant.
All businesses that accept credit, debit or ecommerce orders are subject to PCI DSS standards and therefore MUST be PCI Compliant.
You may be thinking, “OK so it’s all about reducing fraud and my company must answer a long questionnaire. But what happens if my business doesn’t become PCI Compliant? Is it illegal?”
What are the risks of NOT being PCI Compliant?
Being PCI compliant is not a matter of law. You are NOT breaking the law by not being PCI Compliant. However, you will definitely be subject to fines, and you may lose the ability to accept debit and credit cards.
Although fines are not published or reported, banks typically pass the fines along as increased transaction fees. Fines typically vary from $5,000 to $100,000 per month until you become PCI Compliant.
Also, at any time, the bank can shut down your ability to accept debit and credit cards.
Think about the impact that would have on your business. It’s a risk you need to think about.
Yup, they can shut you down.
Who’s “they”?
Although the PCI DSS requirements are developed and maintained by an industry standards body called the PCI Security Standards Council (SSC), the standards are enforced by the five payment card brands:
Visa, MasterCard, American Express, JCB International and Discover.
In other words, if you are not PCI Compliant, you have 2 risks:
- You’ll pay more in fees
Sometimes these are flat fees (ex. $50 per month) and sometimes they are built into the transaction fees. Or you could pay both a flat fee AND higher transaction fees.
- You could lose your ability to accept credit & debit cards
Yes, this really could happen. And only you know what risk this is for your business. What would you do if you could no longer accept card payments? Do you have a backup plan?
The different TYPES of PCI Compliance
There are 8 different types of Self-Assessment Questionnaire (SAQ). The SAQ that your company is required to fill out depends upon the type of transactions that you accept including credit, debit and/or eCommerce.
SAQ Type | Description | # of Questions | Vulnerability Scan Required? | Penetration Test Required? |
A | Ecommerce web sites (3rd party). Examples: Shopify, BigCommerce, Magento | 22 | N | N |
A-EP | Ecommerce website (direct post). Example: your ecommerce site built on the WooCommerce platform | 191 | Y | Y |
B | Traditional card processing (non-integrated). Examples: stand-alone terminal, carbon copy | 41 | N | N |
B-IP | Internet-based terminal processing NOT integrated with other devices on your network | 82 | Y | N |
C-VT | Manual card entry on a virtual terminal. Does NOT include card swipe | 79 | N | N |
C | Payment systems that are connected to the Internet, and also meet the following criteria: virtual terminal with tokenization; IP terminal that IS part of your network; mobile devices (smartphone, tablet) with a card processing app or swipe; cardholder data is managed via the Internet; POS (point of sale) with tokenization | 160 | Y | N |
D | Ecommerce website: custom site with integrated payments, and/or electronic storage of card data: POS system that does not use tokenization; card data stored electronically via email, fax or recorded calls | 329 | Y | Y |
P2PE | Point-to-Point Encryption. Includes validated PCI P2PE hardware payment terminal solutions only | 33 | N | N |
As you can see, PCI can get complex. And just wait until you see the types of questions you’ll be asked. They range from how you keep cardholder data safe to anti-virus software to security procedures. See the example below of just a few questions you may be asked during the SAQ.
Are you comfortable with what is meant by terms such as “physically secured”, “strict control” and “external distribution”? There are specific meanings for each of these terms.
How do I get through PCI Compliance quickly?
If the thought of “going it alone” through PCI Compliance seems daunting, that is very understandable. Thousands of businesses have the same concern.
The good news is that you can get help, and it doesn’t cost an arm and a leg.
Centerlogic has helped hundreds of companies pass PCI compliance over the past 23 years, and they can help you too. To get started, you can download a Free PCI Checklist now.
Depending on your business, we can typically help you get PCI Compliant within a few weeks, and sometimes within a few business days. Let’s get started.