Do I need to be PCI compliant?
You’ve just made the decision that you want to start an online business. You’re going to sell products on the internet, which also means that you need to find the best payment methods, but you’re not sure what the requirements for merchants are.
Today we’ll answer one of the burning questions: Do I need to be PCI compliant?
In general, PCI compliance is required by credit card companies to make online transactions secure and to protect them against identity theft. According to the PCI Security Standards Council, any merchant that wants to process, store or transmit credit card data is required to be PCI compliant.
One of the main problems with PCI DSS for merchants is that it’s an extremely technical subject, so they barely understand anything when they try to find out more about the requirements and security standards.
The good news? We’re here to help.
First: What is PCI compliance?
In short, PCI DSS is a set of regulations created by major payment card brands, such as Visa, MasterCard, American Express, Discover, and JCB. This scheme requires organizations to comply with 12 general data security requirements that every merchant needs to follow. There are also over 200 sub-requirements, but not all of them may be applicable to you. It depends on your business.
Here are the 12 main PCI DSS requirements that merchants must meet:
|Goals|PCI DSS Requirements|
|---|---|
|Build and Maintain a Secure Network|1. Install and maintain a firewall configuration to protect cardholder data|
||2. Do not use vendor-supplied defaults for system passwords and other security parameters|
|Protect Cardholder Data|3. Protect stored cardholder data|
||4. Encrypt transmission of cardholder data across open, public networks|
|Maintain a Vulnerability Management Program|5. Protect all systems against malware and regularly update anti-virus software or programs|
||6. Develop and maintain secure systems and applications|
|Implement Strong Access Control Measures|7. Restrict access to cardholder data by business need to know|
||8. Identify and authenticate access to system components|
||9. Restrict physical access to cardholder data|
|Regularly Monitor and Test Networks|10. Track and monitor all access to network resources and cardholder data|
||11. Regularly test security systems and processes|
|Maintain an Information Security Policy|12. Maintain a policy that addresses information security for all personnel|
Note that general requirements apply to all merchants, regardless of their size or volume of transactions.
What’s more, there are four different levels of compliance, and each one comes with its own requirements for merchants. It all depends on the transaction volume they process annually. Generally speaking, level 4 merchants process the smallest volume of transactions per year ($20,000), while level 1 merchants process the highest (over 6 million transactions annually).
Depending on how the merchant is going to process, store or transmit card data, they need to fill in the relevant Self-Assessment Questionnaires (SAQs). The main difference between the levels is that, for example, level 4 requires a self-assessment only, while level 1 certification requires an audit performed by a Qualified Security Assessor (QSA).
Even though PCI DSS is not part of any law, it is an internationally used set of requirements that comes with significant penalties and costs for organizations that don’t comply with them.
What if I am not PCI compliant?
Being out of compliance can lead to serious security incidents, so to avoid the risk of data breaches that could seriously damage your brand, it’s better to comply with PCI standards.
There are also other reasons.
You need to know that every breach triggers additional checks and validation of your business to find out whether you were PCI compliant. Keep in mind that non-compliant companies face heavy fines as a consequence. Consumer fraud resulting from data breaches comes with losses incurred by issuing banks, so a company that doesn’t protect payment card information well enough has to cover the estimated losses.
Strictly speaking, if you sell online without being PCI compliant, you need to prepare not only for the potential security risks, but also for penalties, such as monthly fines that could even reach $100,000. The fine amount depends on a company’s transaction volume, the number of PCI DSS requirements violated, etc. And you will need to keep paying it until you address the issue.
Also remember that data breaches and other security consequences could result in a loss of brand reputation, as well as losing customers.
And, without a doubt, a data breach could be devastating for your business. You could even lose the right to accept payment cards. Taken together, these consequences can put you out of business.
Is that what you want?
What’s more, companies need to provide their acquiring bank with ongoing information and prove their ability to prevent data breaches. If they don’t meet these conditions, they can lose their ability to process card payments.
Getting compliant on your own is not the easiest task, and it takes weeks. In short, you need to submit the application and prepare for a long and expensive process. Each level involves filling in the self-assessment questionnaire, and the whole procedure becomes much more complicated at the highest level (Level 1).
That’s why most merchants prefer to work with payment providers that cover all the PCI issues, so they don’t even have to think about it.
Staying out of the scope of PCI compliance (is that possible?)
As you can see, falling under PCI requirements could lead to a wide range of struggles for merchants – but it is possible to leave all the paperwork to someone else.
The good news is that you can choose a payment provider that complies with the PCI DSS and that can process, store or transmit card data, so you can avoid the whole struggle with PCI. This means that the payment company you work with processes the payments itself, so your website doesn’t touch customers’ card details. They take the whole PCI burden on themselves.
To stay assured that PCI compliance is handled properly and that both your data and your customers’ data are safeguarded against potential breaches, pick a payment provider that meets all the PCI Level 1 compliance standards — the highest PCI level with the strictest requirements.
When you choose a payment gateway, such as SecurionPay, you can be sure that your payments will be highly secure and processed under PCI requirements without any extra costs.
There are no hidden or additional fees, so you always know how much you will pay from the very start. You know for certain that both you and your customers are fully protected, as each transaction is encrypted and the card data is tokenized.
Leave it to us and let us deal with the banks on your behalf. All sensitive data is handled by us, so you’re staying out of the scope of PCI compliance.
A huge relief, don’t you think?
To sum up, PCI DSS standards apply to all types of companies that ask for credit card information. The main goal of compliance is to protect the privacy and security of sensitive card data by delivering requirements on how to secure an online business.
Remember that PCI compliance is not dictated by the volume of transactions; each merchant is responsible for their customer base. All in all, you can find a payment provider that knows how to handle all kinds of data and takes the whole PCI burden on themselves.
Fortunately, SecurionPay has you covered.
Latest posts by Sandra Wróbel-Konior (see all)