Accepting credit and debit cards for a business is a great way to open up revenue streams for a company. However, this doesn't come without risks. From hackers, to malware, to dishonest employees, merchants face a number of threats when it comes to the credit and debit card information they use from their customers. However, merchants need not fear when it comes to identifying safety precautions to keeping their customers financial information safe.
Known as Payment Card Industry Data Security Standard (PCI DSS), these standards were developed to help merchants, as well as those who help in processing payments like banks and merchant service providers, set up a first line of defense against unwanted data breaches. These standards were formed to provide basic security precautions by establishing policies, procedures, network and software architecture, as well as additional measures to minimize the risks of your customers financial information from being compromised. So what does a merchant actually have to do to become PCI compliant?
Depending on the amount of transactions a merchant conducts, the requirements to become PCI compliant can vary placing you on a specific level of compliance. They are:
- Level 4 - If your business does less than 20,000 eCommerce or less than 1 million physical transactions, you simply need to complete an annual risk assessment usaing an SAQ or conduct quarterly PCI scans.
- Level 3 - If your business does 20,000 - 1,000,000 transactions per year, you will need to complete an annual risk assessment using an SAQ and conduct quarterly PCI scans.
- Level 2 - If your business does 1 - 6 million transactions per year, you will need to complete an annual risk assessment using an SAQ and conduct quarterly PCI scans.
- Level 1 - If your business does in excess of 6 million transactions per year, you will need to conduct an annual internal audit and conduct quarterly PCI scans.
Even when your business becomes PCI compliant, it is still an ongoing process. However, think of it like a 3 step process in the following manner:
- Analyze for any vulnerabilities your business may have that could make it vulnerable to a data breach.
- Fix any vulnerabilities your business may identify. If needed, do not store any cardholder data unless necessary until these issues have been fixed.
- Report any vulnerabilities to your merchant services provider and card brands by submitting compliance reports and any required validation records.
Even though at times it may be overwhelming for a merchant to combat the theft of cardholder data, security standards like PCI are available to help businesses like yours. But remember that PCI compliance is not just smart but also required.