PCI compliance for small businesses: What you need to know
As a small business owner or operator, you have plenty on your mind - tracking and paying taxes, managing profits and losses, building and growing your product, maintaining the cash flow you need, protecting your business’s legal needs, and much more. In the flurry of regulations and best practices, PCI compliance often falls through the cracks, but this can be a costly mistake.
Chances are that your small business needs to be PCI compliant, but where do you begin? Consider this to be your crash course in PCI compliance for your small business.
What is PCI compliance? A brief introduction
Before we dive in, let’s make sure everyone is on the same page. PCI compliance refers to complying with the PCI DSS: the Payment Card Industry Data Security Standard. It is a set of 12 requirements, each with detailed sub-requirements, that you must meet to protect customers’ payment card data whenever they pay your business by card.
Do small businesses need PCI compliance?
There is a common misconception that some businesses are too small to need PCI compliance, but that isn’t the case. No business is too small for PCI compliance. It’s a matter of how your customers pay you.
Any company or individual that collects, processes, transmits, or stores payment card data needs to be PCI compliant. In other words, if cardholder data passes through your systems or your servers (including cloud servers) at any point, you need to follow the PCI standards. This includes businesses that use third-party payment processors like Stripe and PayPal: outsourcing payment handling shrinks the scope of what you have to secure and usually lets you validate with the shortest questionnaire (SAQ A), but it does not remove the obligation to validate.
Why does my business need PCI compliance?
PCI compliance can be a complicated, tricky, and expensive process, but it will seem like a cakewalk compared to the potential consequences of ignoring the PCI DSS.
At the most basic level, you want to be PCI compliant to avoid penalty fines. PCI DSS is enforced contractually by the card brands (Visa, Mastercard, American Express, Discover, and JCB) through the acquiring banks that process your card payments, such as JP Morgan Chase. The card brands levy fines on the acquirer for non-compliant merchants, and the acquirer passes them on to you; commonly cited figures run from $5,000 to $100,000 per month until you reach compliance.
Fines are not the only lever. If your business suffers a breach while non-compliant, the acquirer can charge you for the breach itself (forensic investigation costs, card reissuance, and fraud losses). It can also raise your transaction fees or terminate your merchant account, leaving you unable to accept cards at all.
As daunting as those consequences can be, the most expensive consequence of skipping PCI compliance is a data breach. These standards are designed to protect cardholder data and secure you against data breaches. If you aren’t abiding by those security protocols and a breach happens, you can lose untold amounts of money in customer reimbursements, not to mention lost business because you’ve broken the trust that customers had in you.
What is the PCI compliance process for small businesses?
The process of becoming PCI compliant can vary from one business to the next. Reaching compliance will depend on the security measures you already have in place - you might only need to check a few tasks off your to-do list to reach compliance or you may need large-scale changes to your system.
Once you have satisfied all 12 requirements of the PCI DSS, you’ll need to validate your compliance. Merchants that process 6 million or more card transactions per year (Level 1) must undergo an annual on-site assessment by a Qualified Security Assessor (QSA), who produces a Report on Compliance (ROC) attesting that every requirement is met.
For merchants below that threshold (that is, most small businesses), validation is much simpler. You complete the Self-Assessment Questionnaire (SAQ) that matches how you accept cards, sign an Attestation of Compliance (AOC), and submit both to your acquiring bank or payment processor along with any supporting evidence the SAQ calls for. For most SAQ types this includes passing quarterly external vulnerability scans performed by a PCI SSC Approved Scanning Vendor (ASV).
Where do I begin with PCI compliance for my small business?
PCI compliance might feel like a daunting task ahead, but it doesn’t have to be. You can streamline the process if you know how to start on the right foot.
Try beginning with a PCI compliance software tool. Such a tool scans your systems and configurations against the technical requirements of the PCI DSS, determines which ones you already meet and which you don’t, and gives you a detailed report so you know exactly what needs to be done. Keep in mind that a good share of the 12 requirements are policies, procedures, and evidence (such as documented access reviews and incident response plans) rather than technical settings, so treat the scan report as a starting point rather than the whole assessment.
From here, you can start addressing each of those gaps one by one. This could mean hiring contractors or engineers to put certain security measures in place, so it may still be an expensive process, but a compliance platform saves you the time of doing your own examination and hoping you’ve covered all your bases.
PCI Compliance Selection Guide
Determine Your PCI Compliance Level
If your organization processes, stores, or transmits cardholder data, you must comply with the Payment Card Industry Data Security Standard (PCI DSS), a global mandate created by major credit card companies. Compliance is mandatory for any business that accepts credit card payments.
When establishing strategies for implementing and maintaining PCI compliance, your organization needs to understand what constitutes a Merchant or a Service Provider, and whether a Self-Assessment Questionnaire (SAQ) or a Report on Compliance (ROC) is most applicable to your business.
Identify your PCI SAQ or ROC level
The PCI Security Standards Council has established the criteria below for Merchant and Service Provider validation. Use these descriptions to help determine the SAQ or ROC that best applies to your organization. Note that the PCI SSC also publishes SAQs not listed here (B, B-IP, C, C-VT, and P2PE) for other payment channels such as standalone terminals, virtual terminals, and validated point-to-point encryption solutions.
Good news! Vanta supports all of the following compliance levels:
SAQ A applies to card-not-present Merchants (e-commerce, mail order, or telephone order) that have fully outsourced all cardholder data processing to PCI DSS compliant third-party Service Providers, with no electronic storage, processing, or transmission of any cardholder data on the Merchant’s systems or premises. For e-commerce, that means every element of the payment page is delivered to the customer’s browser from the compliant third party, for example a hosted payment page or an iframe served by the processor.
SAQ A-EP is similar to SAQ A but applies to e-commerce Merchants whose website does not itself receive cardholder data yet controls how the customer or the cardholder data is redirected to a PCI DSS validated third-party payment processor, for example by hosting the payment form or the script that sends card data to the processor. Because a compromise of that page could divert card data, SAQ A-EP carries considerably more requirements than SAQ A.
SAQ D includes over 200 requirements and covers the entirety of PCI DSS. It applies to Merchants that do not fit any of the other SAQ types, typically because they store, process, or transmit cardholder data on their own systems. If you are a Service Provider, SAQ D (the Service Provider version) is the only SAQ you’re eligible to complete.
A Report on Compliance (ROC) is the annual on-site assessment, performed by a QSA (or, for merchants, a PCI-certified Internal Security Assessor), that documents how your organization meets every PCI DSS requirement. If you’re a Merchant that processes over six million transactions annually or a Service Provider that processes more than 300,000 transactions annually, your organization is responsible for both a ROC and an Attestation of Compliance (AOC).
Learn more about how Vanta can help. You can also find authoritative information on PCI compliance levels and SAQ eligibility at the PCI Security Standards Council website, or by contacting your acquiring bank or payment processing partner, since the acquirer ultimately decides which validation it requires from you.