9 Questions Answered on Small Business and PCI Compliance

If you have been in business for very long, there is a good chance you are at least vaguely familiar with the term PCI Compliance.

You probably have some idea that PCI Compliance has to do with credit cards and security, but what does it really mean, and how does PCI compliance affect your small business?

Although PCI Compliance is not a glamorous topic, it is vitally important, and we at BizzGrizz want to help your small business profit.

So, much like pulling off a Band-Aid, let's make this quick, cover the very basics you need to know, and get it over with:

1) “What is PCI Compliance?”

The Payment Card Industry Data Security Standard (PCI DSS) was created by the major card brands as a set of rules for every business that accepts credit cards, to protect the cardholder data those businesses process.  Essentially, the card brands want to ensure that merchants accept cards in a secure manner, because the merchant is ultimately liable for any breach of that data.  Cardholder data leaks range from an employee stealing one customer's card number, through malware planted on a point-of-sale (POS) system, all the way up to compromises of the processors themselves, such as the 2008 Heartland Payment Systems breach that exposed data from millions of card transactions.  The Standard exists to minimize these risks.

2) “As a Small Business Owner, Do I Have to Remain PCI Compliant?”

Yes, whether we like it or not, every business that accepts cards is contractually obligated (through its merchant agreement) not only to be PCI compliant, but also to validate that compliance.  The major card brands are very serious about this and are pushing all the processors to get their merchants compliant.  As an agent, it's my job to inform and help my customers with this mandatory requirement.  Note that PCI DSS is not a government regulation: it is a contractual obligation imposed by the card brands through your processor, which is exactly why your processor can penalize you for ignoring it.

3) “What if My Business Just Ignores the PCI Requirements?”

Well, unfortunately many businesses do, and it is an unnecessary and severe risk to the health of a business as well as an added expense.  Most ISOs (independent sales organizations) will charge a non-compliant business a monthly non-compliance fee of $20 or more to offset their risk, but that is minimal compared to where the real cost lies.  The goal of meeting the standard in the first place is to identify and minimize the risk of an expensive compromise of sensitive customer information.  Any breach of cardholder data can be catastrophic to a business.  If a breach happens to a non-compliant business, fines range up to $500,000, and on top of the fines the merchant typically pays for the mandatory forensic investigation and the cost of reissuing the affected cards, and may lose the ability to accept cards at all.  That combination would certainly be the DEATH of most small businesses.

4)  “So What Does it Mean for my Business to be PCI Compliant?”

A business that accepts credit cards must validate its compliance.  The PCI Security Standards Council has approved more than 130 Approved Scanning Vendors (ASVs).  These approved companies assist businesses with the Self-Assessment Questionnaire (SAQ) and also perform the external network security scan required of merchants whose card-processing systems are reachable from the internet (for example, an e-commerce site or an internet-connected POS).  Which version of the SAQ applies depends on how you accept cards; a merchant whose online payments are fully outsourced to a hosted payment page answers a much shorter questionnaire than one that runs its own POS network.  When all criteria are met to satisfaction, the business is validated as PCI compliant.  Strictly speaking, a small merchant self-validates by completing the SAQ and an Attestation of Compliance rather than being "certified" by an outside assessor, but processors and ASVs commonly call it certification, and this article does the same.

5) “Where Should my Business go to get This PCI Certification?” 

Although in theory merchants could use any of the ASVs, or possibly even self-validate, the bank card processor is going to have a relationship with an ASV that it will want you to use.  When a merchant account is established, the provider will help set up a relationship with an ASV, which will then report to the processor when the business has validated.  Communication may come directly from the ASV.  Whichever vendor you end up with, confirm that it appears on the list of Approved Scanning Vendors published on the PCI Security Standards Council's website; only scans from a listed ASV count toward your validation.  My personal recommendations for ASVs are ControlScan and Justified Data Security.

6) “Alright then, what do I have to do to get PCI Compliant?” 

The ASV will give you its website address along with a login ID and password.  Log in and complete the SAQ, which is a series of questions that assesses your card acceptance systems and evaluates risk.  If you are using a POS system or processing through an internet connection, then a scan will be required as well.  For the merchant, the scan is a fairly simple press of a button: you supply the public IP addresses or hostnames of your internet-facing systems, and the ASV's software remotely probes them for security weaknesses.  Be aware that the scan is pass/fail, and a single finding the ASV rates as serious enough (for example, an unpatched server or an outdated version of SSL/TLS) will fail it until you fix the problem and rescan.  Scans also have to be passed quarterly, not just once, so expect to repeat this step every three months.  When the SAQ evaluation and the scan are passed, a PDF certificate is provided.  If you use the ASV recommended by the processor, the processor will automatically be notified and its systems will be updated.

7) “What if I Need Help With my SAQ?”

The ASV will provide a phone number for its qualified customer service agents, who can walk a merchant through the questionnaire quickly.   Unfortunately, neither your sales agent nor the bank card processor's customer service can help with these issues, as they are not vendors approved by the PCI Security Standards Council.

8) “How much will this PCI Compliance cost?”

Pricing varies among ASVs and depends on the services required.  A small business can expect to be charged anywhere from about $79 a year to $29.95 a quarter.  Although the service comes from an outside vendor, the charges will usually be billed through the merchant account and show up on the merchant statement.

9) “I have to do this PCI Compliance Questionnaire every year!?!”

Yes.  Being PCI compliant is not a one-time event.  Security is an ongoing responsibility for merchants accepting cards.  Every year businesses will be contacted to re-validate their status by completing the SAQ again, and merchants who need the external scan must keep passing it every quarter in between.

Okay, that's PCI in a nutshell.  Now, if you're the type who likes paying taxes and finds the tax code interesting, you might also appreciate the much more detailed information on the PCI Security Standards available directly from the PCI Security Standards Council's official site.
