pixel

March 18, 2021

PCI Compliance for Small Businesses

PCI Compliance for Small Businesses

Chances are you’ve heard about PCI Compliance—and if you haven’t, you’re certainly aware of criminals targeting businesses to steal sensitive credit card data. Safeguarding your business and your valued customers from this kind of fraud is critical, but many merchants aren’t entirely sure what to do. 

For this article, we spoke to EPI’s PCI DSS Merchant Compliance Program Administrator, Susan Shapira, to break down what you need to know about PCI Compliance and how to protect both your business and your customers.

What is PCI Compliance

PCI (Payment Card Industry) Compliance is a set of requirements intended to ensure all businesses that process, store, or transmit credit card information maintain a secure data environment. 

Being PCI compliant means consistently adhering to a set of guidelines set forth by the Payment Card Industry Security Standards Council® (PCI SSC), an organization formed in 2006 for the purpose of maintaining credit card security. 

The Payment Card Industry Data Security Standard (PCI DSS) is the series of regulations and protocols businesses must follow to stay compliant and help prevent fraudulent transactions and data breaches. 

Why PCI Compliance Matters

1. You can’t process card transactions without being compliant

While PCI DSS is not a U.S. law, all major credit card brands and banks that process payments require compliance. For many merchants, PCI Compliance is also part of their contractual relationship with credit card brands.

2. Non-compliance makes data breaches more likely — and more costly

Compliance standards exist to prevent data breaches. If you aren’t following the requirements, your business is much more vulnerable to data breaches, fraudulent activity, and chargebacks. The long-term consequences of these can be serious and detrimental to your business.

If a data breach occurs and you’re not PCI compliant, you could experience some or all of the following:

  • Expensive fines and/or penalties
  • Loss of merchant account and the ability to accept cards as payment
  • Costly audits
  • Irreparable brand damage
  • Diminished sales and loss of wages

3. Compliance benefits your business

  • If your systems are secure, your customers can trust you with their sensitive payment card information. Trust leads to customer confidence and repeat business.
  • Better compliance means better relationships with merchant acquirers and payment card brands — the partners your business needs to thrive!
  • Being compliant means you’re contributing to a global payment card data security solution, making transactions safer for everyone.

Best Practices for Compliance

“Most equipment that is deployed today is PCI DSS compliant, so understanding the importance of securely accepting credit cards is the most critical action for merchants,” says Shapira. “Education is the best tool we have to ensure that our merchants understand and maintain their PCI DSS Compliance.”

EPI’s Compliance Program offers the following advice for staying compliant:

  • Use dedicated networks/WiFi and/or firewalls
  • Use individual passwords
  • Store credit card receipts and reports securely
  • Destroy receipts and reports when they are no longer needed 
  • Do not store CVVs or PINs 
  • Educate your team on secure credit card acceptance

Measure Compliance with the SAQ

The PCI Self-Assessment Questionnaire (SAQ) is a merchant’s documented statement of compliance with PCI security standard requirements. An SAQ is a way to demonstrate that, as a merchant, you have security measures in place to keep cardholder’s sensitive data secure at your place of business. 

SAQs vary according to business type (PCI level) and the processing equipment you use. While your merchant services provider can help you determine which type of questionnaire is required and assist you in completing it, we’ve outlined the basic requirements below.

Equipment requirements

The specific technology you use to process payments will determine the exact version of the assessment that applies to you:

  • Internet-connected POS devices → SAQC
  • Internet Terminal → SAQB-IP
  • Dial Terminal → SAAQB
  • Gateway → SAQA or A-EP

PCI levels

There are four PCI Compliance levels for businesses based on payment card transaction volumes over a 12-month period. EPI merchants nearly always fall into PCI Levels 3 and 4 (with 4 being the most common).

  • If you process under 20,000 transactions per year, you are a Level 3 business and only need to complete the free SAQ for compliance.
  • If you process between 20,000 and one million transactions per year, you are a Level 3 business. In addition to completing the SAQ, you’ll need a third party Approved Scanning Vendor (ASV) to scan your network for vulnerabilities on a quarterly basis and complete an attestation compliance form (AOC). EPI can help connect you with an ASV partner.

Start your SAQ

Our free SAQ Wizard makes compliance easy:

  • Visit pcicompliance.info
  • Click on “Get Compliant” 
  • Complete the SAQ in just 15 minutes! 

“If you don’t have a full understanding of how you’re accepting credit cards currently, some of the questions in the SAQ may be hard to answer,” says Shapira. “If you need help, just call us! We regularly work with merchants to understand how they need to accept and protect their cardholder information.”

Make Compliance Easy with the Right Partner

“Recently, we had a merchant that received a Common Point of Purchase violation from Visa,” says Shapira. “He was overwhelmed and not sure how to proceed. We explained the process, enrolled him with a 3rd party ASV, and I worked with him to set up the vulnerability scan, which he passed. We worked with him and his IT person to complete the AOC and his Visa Incident Report and sent all documentation to Visa. For the merchant, the situation went from overwhelming to easy.”

PCI compliance is important, but it isn’t stressful with the right support. Here’s how EPI helps with compliance:

  • Our tech has you covered: EPI merchants have access to secure credit card processing through our POS systems, Terminals, and Gateways — all of which are up-to-date with the latest PCI DSS requirements. Check out Exatouch® POS and the ProCharge® platform to learn more about these products.
  • Our support team has your back: Our team of PCI experts is on hand to offer live help to all our merchants. We can help access and complete the (free) Self-Assessment Questionnaire, answer ongoing questions about security requirements, and explain how to implement updates when they arise.

Ready to get started? Stop by our PCI Compliance site to access resources, including the free SAQ Wizard.