by Lance Walley
[UPDATE] This blog was originally posted by Chargify in 2010. PCI changes took place in 2015, which we’ve outlined in an updated blog post. Check out our blog post “What You Need To Know About PCI” for information regarding the 2015 PCI compliance changes and what it means for your business.
To learn more about Chargify as a PCI Service Provider Level 1 and the data security we provide for you and your subscribers, please view our “Secure Recurring Billing Software” page.
Original 2010 blog post:
Since 2006, more and more small business owners have been focusing on PCI compliance. If your business accepts credit card payments, you need to be concerned about it, too. In addition to there being penalties for non-compliance, there are actually sound, common-sense, self-interested reasons to comply voluntarily.
However, like many new requirements, there is plenty of confusion surrounding this one. That’s why today, we’re taking a few moments to explain the basics of what PCI compliance is and what small business owners need to know.
What Is PCI All About?
Also known by its full name, the Payment Card Industry Data Security Standard (or PCI DSS), PCI is a set of requirements mandating that every merchant process, store and transmit credit card data within a secure environment. It applies to any business that possesses a Merchant ID.
The initiative was launched in September 2006 to help strengthen account security throughout each step of the credit card transaction process. The PCI DSS is managed by an independent body called the PCI Security Standards Council (PCI SSC), which consists of representatives from the major card brands, such as Visa, MasterCard, AMEX and Discover.
As PracticalCommerce.com explains, PCI compliance requires your business to:
- Maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor/test your networks
- Develop and maintain an information security policy
Does PCI Apply To My Business?
In a word: everyone. There’s no wriggling out of PCI compliance. Any organization or merchant, no matter how big or small (or how many transactions they process) that accepts, transmits or stores any cardholder data whatsoever must come into compliance with the PCI standards discussed above.
When in doubt, err on the side of compliance rather than non-compliance. If even a single customer of your business pays you directly using credit or debit cards, you are contractually required to comply under your merchant account agreement. It’s that simple.
When Are The PCI Compliance Deadlines?
As noted, PCI was launched back in 2006. That means compliance deadlines have passed and all merchants meeting the description above must already be in compliance.
That said, depending on which merchant level you fall into (more on that below) there may be specific requirements or deadlines unique to you. Your merchant bank is the definitive source of information on this.
They are the ones who enforce the pertinent deadlines and can clarify any lingering uncertainty about whether you’ve complied on time.
How Are PCI Compliance Levels Determined?
Merchants are grouped by PCI into one of four different levels depending on transaction volume over twelve months. As PCI Compliance Guide explains, the merchant levels are decided as follows:
- Level 1: Any merchant processing over six million Visa transactions per year.
- Level 2: Any merchant processing one to six million Visa transactions per year.
- Level 3: Any merchant processing 20,000 to one million Visa e-commerce transactions per year.
- Level 4: Any merchant processing 20,000 or fewer Visa e-commerce transactions per year, or up to one million Visa transactions per year through any channel.
As one might expect, each successively higher level involves more (and stricter) validation requirements; the security controls themselves are the same, but how you must prove you meet them changes. A neighborhood deli processing 15,000 orders a year will have an easier time complying than a Fortune 500 insurance company processing that many payments every day.
Do Each Of My Stores Need To Comply Separately?
A common question from small business owners who run multiple stores is whether each one needs to comply individually. The idea of having regulators or compliance officers visiting each and every one of your stores is certainly not exciting, but luckily (in most cases) it is not necessary.
Provided each of your stores operates and processes credit card orders under the same Taxpayer ID (or EIN), you are only expected to validate for compliance once per year. All of your locations are generally covered by this.
The only other potential requirement involves passing quarterly network scans by PCI SSC Approved Scanning Vendors. But, again, this would usually not be done for each separate store.
Are There Any Penalties For Failing To Comply With PCI?
Make no mistake: complying with PCI standards is not optional. Merchants discovered to be out of compliance can be hit with serious fines: as much as $5,000-$100,000 per month, at the sole discretion of the payment brand. Nor is that the worst of it.
Consistent or defiant violators risk having their transaction fees increased or, in the worst case scenario, seeing their merchant relationship terminated entirely. Depending on the size and overall health of your small business, being handed one of these fines could mean a mild annoyance, a major problem or total bankruptcy.
Consult your merchant account agreement for further clarification on what your exposure to non-compliance penalties is.
Where Can I Learn More About PCI?
PCI compliance is a thorny issue, and it’s understandable that you may have further questions. For this, we confidently recommend that you check out PCI SSC and its exhaustive rundown of PCI FAQs. In addition to the answers provided in this article, PCI Compliance Guide goes into technical detail on questions about credit card receipts, exact definitions of “cardholder data”, network vulnerability scans and more.