PCI Compliance Requirements For Small Businesses: Your Guide
As a small business owner you have probably heard of the Payment Card Industry Data Security Standard (PCI DSS). Because you process credit card transactions, you must adhere to its requirements, and you must also validate your compliance every year.
Continue reading to learn what the compliance requirements are, how to stay compliant, and how to build PCI best practices into your daily operations.
What Are PCI Compliance Requirements?
PCI compliance means meeting a set of security standards, maintained by the PCI Security Standards Council on behalf of the card brands, that require merchants who accept credit and debit card payments (in person or through an online payment gateway) to store, process, and transmit cardholder data securely. The requirements were created in response to widespread security breaches, specifically attackers stealing credit card information from merchants.
There are four merchant "levels", determined by the number of card transactions you process each year and by how many of those are e-commerce transactions.
What Are The 4 Compliance Levels?
The level you must validate at is determined by the size of your business and by the number and type of transactions you complete each year.
PCI compliance is divided into four levels:
Level 1: Over 6 million card transactions per year (any channel)
Level 2: Between 1 million and 6 million card transactions per year
Level 3: Between 20,000 and 1 million e-commerce transactions per year
Level 4: Fewer than 20,000 e-commerce transactions per year, and up to 1 million card transactions per year in total
Most small businesses are Level 4 merchants: they process fewer than 1 million transactions a year in total, and fewer than 20,000 of those are e-commerce transactions (ones where the customer enters the card details on a website). The level definitions are published by each card brand and differ slightly between brands; your acquiring bank tells you which level it holds you to.
It is also critical to consider how you process your transactions. Merchants who process mail order/telephone, e-commerce (web), Point of Sale (POS), or a combination of these have different compliance requirements.
PCI compliance may appear daunting; there are numerous complex, technical requirements that must be met in order to secure credit card information.
Most Level 4 merchants validate compliance by completing a Self-Assessment Questionnaire (SAQ) and signing an Attestation of Compliance (AOC) annually. The SAQ is a declaration that the applicable controls are actually in place, so beyond filling it in you need to write a security policy for your company and implement the controls it describes.
How To Meet PCI Compliance Requirements For Businesses
The PCI DSS is made up of 12 core requirements that are intended to protect cardholder data wherever it is transmitted or stored.
Requirements for compliance
You must do the following to be PCI compliant:
Only use a PCI DSS compliant service provider (listed on the card brands' registries of compliant providers) or a PCI validated payment application to process credit cards.
Never store the card security code (the three-digit CVV2/CVC2 on the back of Visa/Mastercard/Discover cards or the four-digit CID on the front of American Express cards) after the transaction is authorized, in any form: not in a database, not in a log, not on paper.
Never, ever store a card's magnetic stripe (track) data, chip-equivalent data, or PINs after authorization.
Render ALL electronically stored full card numbers (PANs) unreadable: encrypt them with properly managed keys, or better, truncate or tokenize them so that the full PAN is not stored at all.
When not in use, keep any paper documents containing a full credit card number in a secure location (locked file drawer/safe), and cross-cut shred them when they are no longer needed.
Only employees with a business need should have access to credit card information.
Never share user IDs or passwords, and never use group user accounts.
For all system access, use strong passwords (PCI DSS v3.2.1 requires at least 7 characters containing both letters and numbers; v4.0 raises this to at least 12 characters), and use multi-factor authentication for remote access and for administrative access to systems that handle card data.
All terminated employees' access should be disabled immediately.
Physically secure all POS card-reading devices, keep an inventory of them, and inspect them regularly for signs of tampering or substitution (skimmers).
Install and activate firewalls and anti-virus/anti-malware software on all business computers, install vendor security patches promptly, and disable all generic or default user accounts and passwords.
Write a security policy for your company that covers all aspects of the PCI DSS.
For most low-volume merchants, that is the whole list. Merchants at Levels 1 to 3 (more than 1 million transactions per year, or more than 20,000 e-commerce transactions per year) must additionally have an external vulnerability scan run every quarter by a PCI Approved Scanning Vendor (ASV). Some Level 4 merchants need these scans too: whether a quarterly ASV scan is required depends on your SAQ type (SAQ A-EP, B-IP, C and D require it; SAQ A, B and C-VT do not) and on what your acquirer asks for.
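The three storage rules above (no security code, no track data, no readable full PAN) are the ones small merchants most often break by accident, usually in application logs, support tickets, call notes or spreadsheets rather than in the payment system itself. The following Python example is added here and is not code from the article or from any PCI SSC material. It shows a minimal card-data discovery check and a record sanitiser: it finds Luhn-valid card numbers and magnetic stripe track data in text, drops sensitive authentication data fields before a record is stored, and truncates the PAN to the first six and last four digits, the display form PCI DSS permits. The field names (pan, cvv2, track2), the log format and the sample lines are constructed assumptions; the card numbers are the public Visa and American Express test numbers, not real cards.

```python
import re
from typing import Dict, List

# Maximal runs of digits that may be broken up by spaces or dashes
# ("4111 1111 1111 1111", "4111-1111-1111-1111").
DIGIT_RUN_RE = re.compile(r"\d(?:[ -]?\d)*")
# Magnetic stripe track data as a card reader emits it.
# Track 2: ;PAN=YYMM...?   Track 1: %B<PAN>^<NAME>^YYMM...?
# Storing either after authorization is prohibited (PCI DSS requirement 3.2).
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}\d*\?")
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}[^?]*\?")
# Sensitive authentication data fields that must never be persisted.
# These key names are an assumption about how a merchant's records are keyed.
FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "pin", "track1", "track2"}


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test that every card PAN passes."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return Luhn-valid 13-19 digit card numbers found in text (digits only).

    Every window of each digit run is tested, so a PAN is still found when it
    is glued to other digits (an order id, a timestamp) that a single regex
    would swallow. Luhn is only a checksum: unrelated numbers pass it about
    one time in ten, so hits should be reviewed, not acted on blindly.
    """
    found = []
    for run in DIGIT_RUN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", run.group(0))
        i = 0
        while i < len(digits):
            hit = None
            for n in range(19, 12, -1):  # prefer the longest valid window
                if i + n <= len(digits) and luhn_valid(digits[i:i + n]):
                    hit = digits[i:i + n]
                    break
            if hit:
                found.append(hit)
                i += len(hit)
            else:
                i += 1
    return found


def mask_pan(pan: str) -> str:
    """Display form allowed by PCI DSS requirement 3.3: at most the first six
    and last four digits, everything in between masked."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def has_track_data(text: str) -> bool:
    return bool(TRACK1_RE.search(text) or TRACK2_RE.search(text))


def sanitize_for_storage(record: Dict[str, str]) -> Dict[str, str]:
    """Strip a payment record before it is written to a database, log or
    ticket: drop sensitive authentication data outright and truncate the PAN.
    If a business process genuinely needs the full PAN, it must be encrypted
    with managed keys or replaced by a processor token, never kept in clear."""
    clean = {}
    for key, value in record.items():
        if key.lower() in FORBIDDEN_FIELDS:
            continue
        clean[key] = mask_pan(value) if key.lower() == "pan" else value
    return clean


def scan_text(text: str) -> Dict[str, object]:
    """Card-data discovery check for logs, backups, shared mailboxes and
    spreadsheets. Findings report the PAN masked, so the scanner's own output
    does not become one more place where full card numbers live."""
    return {
        "pans": [mask_pan(p) for p in find_pans(text)],
        "track_data": has_track_data(text),
    }


# Constructed sample log lines (not real transactions); the card numbers are
# the well-known Visa and American Express test numbers.
SAMPLE_LOG = [
    "2024-03-01 10:02:11 order=8812 status=approved amount=19.99",
    "2024-03-01 10:05:43 DEBUG card=4111 1111 1111 1111 exp=12/26 cvv=123",
    "2024-03-01 10:07:02 swipe raw=;378282246310005=2612101? terminal=7",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(scan_text(line))  # the second and third lines are findings
    print(sanitize_for_storage({"pan": "4111-1111-1111-1111", "cvv2": "123",
                                "track2": ";4111111111111111=2612101?",
                                "amount": "19.99"}))
```

Run it over exported logs, database dumps and mailbox exports as a periodic check. Any hit in a place that is not your payment system means cardholder data has leaked out of scope, and the PCI requirements now apply to that system too. Note that a bare three-digit security code (the cvv=123 in the second sample line) cannot be recognised by pattern alone; preventing it from being logged at the source is the only reliable control.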
Self-Assessment Questionnaire (SAQ)
Once you have integrated a PCI DSS compliant payment processor into your business and written and implemented a security policy, you need to complete the SAQ that matches how you handle card data. The questionnaires are published on the PCI Security Standards Council website.
SAQ A applies to card-not-present merchants (e-commerce, mail order or telephone order) who outsource all handling of cardholder data to PCI DSS validated third parties and store no cardholder data electronically; for e-commerce that means the payment page is fully hosted by the processor (a redirect or an iframe). If your own website delivers the payment form, for example through a JavaScript integration, SAQ A-EP applies instead and carries many more requirements. SAQ B is for face-to-face merchants who use only standalone dial-out terminals or imprint machines, and SAQ B-IP for standalone PTS-approved terminals connected over IP. Merchants who store cardholder data electronically, or who do not fit any other SAQ, must complete the full SAQ D.
Complete the questionnaire, sign the Attestation of Compliance, and submit both to your acquiring bank or merchant processor as they direct. That fulfils your annual validation obligation, but the controls have to stay in place all year: PCI compliance is a continuous state, not a once-a-year event.
How Do I Add PCI Compliance To My Daily Operations?
Making PCI compliance requirements a core part of your business process ensures your company is not the source of a breach and shows customers that you take security seriously. In practice that means:
Collecting card details only on a secure (HTTPS) page, ideally a payment page hosted by your processor, so that full card numbers never reach your own servers.
Maintaining your business's annual validation and checking that your payment processor and any payment software remain on the PCI compliant lists.
Always requesting the CVV2/CVC2 security code for phone and online payments to authenticate the transaction, and never storing it after authorization, whether in your payment system, on paper, or in call recordings.
Telling your customers never to send credit card or bank account details by email. A security notice in your email footer stating that email is not secure and asking them not to reply with account numbers helps; if a customer sends card details by email anyway, delete the message (including from sent and deleted folders) and do not copy the number anywhere else.