What does PCI compliance mean for your small business?

If your small business’s payments system is not PCI compliant, you could find yourself blocked from taking card payments altogether, warns Geoff Forsyth

PCI DSS compliance can often seem like a mountain to climb for small businesses, but that needn’t be the case. With the right knowledge and the right partners, it can be understood (and achieved) without much trouble at all.

What is the PCI DSS?

PCI DSS stands for Payment Card Industry Data Security Standard. It is an international security standard which was set up by the biggest names in the payment card industry (Visa, MasterCard, Discover, American Express and JCB) to help businesses process card payments safely and securely, helping them to avoid credit card fraud.

The standard enforces strict guidelines regarding the processing, storage and transmission of private cardholder data.


Who needs to be PCI DSS compliant?

All companies that take credit card payments. If you accept, store, transmit or process cardholder data then PCI DSS applies to you. It doesn’t matter how large or small your business may be, you are obliged to comply with the standard.

What is PCI DSS Compliance?

PCI DSS sets out 12 requirements that merchants need to meet if they are to comply, as follows:

► Build and maintain a secure network

• Install and maintain a firewall configuration to protect cardholder data
• Do not use vendor-supplied defaults for system passwords and other security parameters

► Protect cardholder data

• Protect stored cardholder data
• Encrypt transmission of cardholder data across open, public networks

► Maintain a vulnerability management program

• Use and regularly update anti-virus software or programs
• Develop and maintain secure systems and applications

► Implement strong access control measures

• Restrict access to cardholder data by business need-to-know
• Assign a unique ID to each person with computer access
• Restrict physical access to cardholder data

► Regularly monitor and test networks

• Track and monitor all access to network resources and cardholder data
• Regularly test security systems and processes

► Maintain an information security policy

• Maintain a policy that addresses information security for all personnel

These general requirements apply to every business/merchant, whether they be large or small, and irrespective of the volume of transactions that they handle.

However, merchants who handle greater numbers of transactions will be required to undergo greater levels of scrutiny in order to be considered compliant.


What are the consequences if I don’t comply?

You may be fined for non-compliance by your acquiring bank, which may ultimately prevent you from taking card payments. In the event of a data breach, your business will be investigated to establish whether you were compliant and, if so, to what extent. Once your level of compliance has been ascertained, penalties will be imposed by the credit card companies.

Penalties for non-compliance are manifold. You may face fines ranging from £3,000 to £60,000, litigation, damage to your company’s reputation and loss of business, and you may even find your company’s ability to take card payments revoked.

Put simply, it isn’t worth the risk to your business and your clients’ privacy to be slack about PCI DSS.

What are the benefits of PCI DSS Compliance?

The biggest benefit is the level of protection both you and your clients will receive. By ensuring that you maintain good compliance practices you will keep your business running securely, and you will be able to better withstand attempted attacks – giving you both the cachet associated with being a highly trusted merchant and the peace of mind that goes with knowing you’re well protected. After all, data breaches can be so costly that businesses could even fold under their pressure.

Complying with PCI DSS does also mean that you are on your way to complying with several of the details of the General Data Protection Legislation (GDPR). GDPR is the EU’s legal framework that manages the processing of personal information, and it comes with bigger teeth than even PCI DSS. With fines of up to 4 per cent of annual global turnover on the cards for those who fail to comply, it isn’t something to be taken lightly.

Who will validate my PCI DSS compliance level?

Merchants can be validated by completing a self-assessment questionnaire or by inviting a Qualified Security Assessor (QSA) in to conduct official audits. What your business will require will depend upon which level it falls into, with Level 1 merchants requiring QSA validation.

The levels are:

• Level 1 – Merchants who process over 6 million card transactions a year
• Level 2 – Merchants who process 1 to 6 million card transactions a year
• Level 3 – Merchants who process 20,000 to 1 million card transactions a year
• Level 4 – Merchants who process fewer than 20,000 card transactions a year

How is PCI DSS compliance enforced?

PCI DSS is maintained by an industry standards body called the PCI Security Standards Council and enforced by the five biggest card companies (Visa, MasterCard, American Express, Discover and JCB). Each of these companies will provide their own guidelines for reporting and validating compliance and indeed their own deadlines and punishments for non-compliance.

How can I obtain compliance if I don’t have the correct expertise in-house?

There are numerous professional companies who will be more than happy to walk you through the finer points of gaining compliance and maintaining it once you have.

Geoff Forsyth is chief information security officer at PCI Pal
