If you’re in charge of the decisions for your business, you’ve most likely heard the phrase “PCI Compliance” somewhere before. If your payment processor has told you they carry most of the burden of maintaining compliance, you may not give the subject much thought. But maybe you should.
While a PCI Compliant processor might offer features that ease merchant responsibility, you are still expected to take steps to maintain compliance when processing credit cards. Here are the ways a Level 1 PCI compliant processor like PDCflow makes compliance easier for you, and what additional steps your business is expected to take.
What is PCI Compliance?
PCI stands for Payment Card Industry. So PCI compliance is simply adhering to the rules the Payment Card Industry has mandated to keep a consumer’s data safe while they’re making payments with a card. Because it is important to keep consumer data secure, every merchant that processes cards is required to adhere to some level of compliance.
The four levels of compliance are based upon the volume your business processes per year, and the way transactions are processed. The more you process, the more you must do to ensure you are keeping Primary Account Numbers (PANs) secure, whether or not stored or processed, in conjunction with cardholder names, expiration dates and service code data.
What Does a Level 1 PCI Compliant Processor Do For You?
As mentioned above, PCI compliance is based upon volume processed. If you are a small or medium-sized business, your burden of compliance is less stringent than that of a large corporation. Choosing a level 1 PCI Compliant payment processor that securely stores your data can reduce the work you must do to remain compliant. You might not have considered, though, that level 1 compliance provides additional benefits and protections to your consumers.
PCI compliance requires any company that accepts credit cards to complete an annual Self Assessment Questionnaire (SAQ). In addition to this, a Level 1 Compliant processor must undergo vulnerability scanning and penetration tests regularly, which provide an additional layer of protection. These procedures are very time-consuming for the IT staff and very expensive to perform. Smaller merchants typically find that they cannot feasibly arrange to process or store data in a way that will ensure consumer information remains safe.
In addition, small merchants who run their businesses from home, or even find themselves working from home occasionally, are at higher risk of data breaches than those with secure office internet connections. By leaving the storage and transmission of sensitive data to your payment processor, you keep consumers safe. This also reduces the risk of potential harm to your reputation after explaining a data breach to consumers who trusted you to protect them.
What You Need To Do To Stay Compliant
Choosing a Level 1 PCI compliant payment processor might cut down on the work you must do as a merchant to maintain compliance. However, you are still expected to follow a few steps yourself.
- Annually fill out a self-assessment questionnaire (SAQ). This also reduces your PCI costs, since most merchant services providers charge a noncompliance fee if the SAQ is not completed. Most PDCflow clients qualify for the SAQ A, which generally takes about 10 minutes of your time to complete, so it is worth the effort.
- Find out if you are required to pass vulnerability scans. Only those merchants who electronically store or transmit unencrypted cardholder data would fall under this category. A typical PDCflow client would be required to complete an SAQ A because they do not transmit or store data, and so would not need a scan.
- Complete an attestation of compliance.
- Safeguard credit card data. Due to the security risks it poses, though, it’s best not to store data at all if your payment processor does this for you (this includes keeping hard copies of card information on file).
- Train your employees who handle sensitive card data.
By processing through PDC’s preferred provider, Newtek, PDC clients have access to Trustwave’s compliance portal, Trustkeeper. This gives you access to policy and procedure documents, a wizard to assist you in filling out your SAQ A, and a PCI Compliance Certificate. You may use this certificate on your website and provide it to your clients to prove your compliance status. Additionally, Newtek provides a $100,000 insurance policy to clients in the event of a security breach.
What Happens if You Don’t Stay Compliant?
Now that you know what is required to stay compliant, what happens if you fail to do so? If PCI compliance is not maintained, and there is a breach, it can result in fines between $5,000 and $100,000 a month. That’s a steep price to pay for negligence, or simple lack of knowledge about your responsibility as a merchant. Don’t risk falling out of compliance.
For more on PDCflow’s dedication to PCI Compliance and Data Security, please visit our Payment Security Information page.