PCI compliance guide
Credit and debit cards are the most widely used customer payment methods available and continue to grow in popularity. They are faster to use than cash and make it possible to pay even when a customer and merchant are not face-to-face.
Because most companies now do business online or over the phone, card payments keep business moving, no matter where or how your customers pay their bills. Organizations need to offer card payments in order to build and maintain a credible business.
Digital payments, however, do attract fraud. Anyone who takes card payments must handle card payment information responsibly to keep customer information from being exposed. This is why the Payment Card Industry Data Security Standard (PCI DSS), the set of rules behind "PCI compliance", was created.
of all payments made in 2021 were with a credit card, per a study by the Federal Reserve Bank of San Francisco.
The highest level since the study began in 2016.
What is PCI compliance?
Benefits of PCI compliance
The credit card payment system must operate safely for all consumers. To keep the system running smoothly, all merchants who take card payments must make security a priority. The effort spent on card security is not wasted. PCI compliance offers several benefits:
PCI Compliance Data
Following PCI compliance rules protects sensitive data. But what is PCI data exactly, and how does protecting it benefit your company?
The data covered by PCI DSS is cardholder data: the primary account number (PAN), together with the cardholder name, expiration date and service code. It also covers sensitive authentication data, such as the card security code (CVV2/CVC2) and full magnetic stripe or chip data, which may never be stored after authorization. These are exactly the details a criminal needs to run fraudulent transactions. PCI compliance makes your company safer for customers to use, building your reputation as a trusted merchant.
Companies need to worry about risk management for many reasons, such as insurance coverage or merchant services underwriting. The more risks a merchant takes, the harder it will be to find vendor partners to work with.
Following PCI compliance rules helps your business lower your risk so you stay in good standing with the providers and vendors you rely on to keep operations running.
Better customer experience
Payment vendors like PDCflow not only adhere to PCI requirements but also design workflows with the end user in mind. The right payment vendor makes paying not only safe, but simple too.
PCI compliance levels
Card brands like Visa and Mastercard don’t want their forms of payment to become a risk for customers to use. They want a safe, trusted environment so people can make a purchase without worry.
The purpose of the different PCI compliance levels is to match validation effort to exposure: the more transactions a company processes, the more attractive a target it is for data breaches, fraud and other issues, and the more customers are affected if something goes wrong.
Merchants with the highest transaction volume are therefore expected to meet the most rigorous validation requirements of the four levels. Each card brand sets its own thresholds; the commonly cited Visa thresholds are as follows:
- PCI Compliance Level 1: Over 6 million transactions processed per year.
- PCI Compliance Level 2: 1 million to 6 million transactions per year.
- PCI Compliance Level 3: 20,000 to 1 million e-commerce transactions per year.
- PCI Compliance Level 4: Less than 20,000 e-commerce transactions processed per year and all other companies that process up to 1 million transactions per year.
credit card users in Q4, 2022 per Transunion.
An increase from the prior three years.
Responsibilities for each PCI compliance level
Most companies want to keep their PCI compliance requirements to a minimum. Using a payment processor that limits PCI scope is the best way for businesses to keep their customers safe while minimizing their own risk.
The responsibilities for each PCI compliance level are as follows:
- Level 1 Service Provider or Level 1 Merchant: validation requires an annual on-site assessment by a Qualified Security Assessor (QSA), documented in a Report on Compliance (ROC), plus quarterly external vulnerability scans by an Approved Scanning Vendor (ASV).
- Level 2 - 4 Merchant: validation can be attained by self-assessment via the Self-Assessment Questionnaire (SAQ) and a signed Attestation of Compliance (AOC), plus quarterly ASV scans where the applicable SAQ type requires them.
Many companies fall under the rules for a Level 2 - 4 merchant. However, the simpler SAQ route is only available under a few conditions:
- The merchant has not suffered a breach that led its acquirer or a card brand to reclassify it as Level 1 (card brands can assign Level 1 to any compromised merchant, regardless of volume).
- The merchant must be using a Level 1 validated payment processor (like PDCflow).
- The merchant must process fewer than 6 million transactions per year.
Which SAQ applies depends on how card data is handled: a merchant whose payment page is fully hosted by a validated processor may qualify for the short SAQ A, while one that keys card numbers into its own systems faces the far longer SAQ D.
Why choose a level 1 PCI compliant processor?
A level 1 compliant payment processor is a requirement for companies that hope to only complete an SAQ to comply with PCI standards. However, this relationship does more for merchants than just fulfilling a condition of compliance.
Trusted data security
Service providers earn Level 1 validation only by passing a full QSA assessment of their data handling and security controls. If you choose a Level 1 processor like PDCflow, your company can rely on your vendor to store, tokenize, and encrypt card data without having to do so in-house.
Less burden on internal IT
For small to midsize businesses, it’s important to stretch your resources as much as you’re able. This means finding ways to reduce employee workloads while keeping the business running smoothly.
Using a PCI DSS level 1 compliant processor is a way to reduce the amount of work your internal team must do year-round to help your business stay safe. Instead, your processor can handle the extra workload of year-round PCI compliance security.
How to stay PCI compliant
12 PCI DSS compliance requirements
The list below follows the wording of PCI DSS v3.2.1; v4.0 keeps the same twelve requirements but restates several of them.
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Protect all systems against malware and regularly update antivirus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Identify and authenticate access to system components
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
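Requirements 3 and 10 are where merchants most often slip in practice: a full card number written to an application log by a debug statement is now stored cardholder data, and it drags the log server into PCI scope. The example below is added here to show what those two requirements mean in code; it is not PDCflow's software and is not part of the original page. It scans constructed sample log lines for Luhn-valid card numbers and security codes, masks each PAN to the first six and last four digits that Requirement 3.3 permits to be displayed, and strips the security code, which may never be stored after authorization. The log lines are constructed for the example; 4111 1111 1111 1111 and 5555 5555 5555 4444 are standard public test numbers, not real accounts.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample log lines (not from any real system). Line 3 carries a
# digit run that is NOT a card number; it must not be flagged.
SAMPLE_LOG = """\
2024-03-01T10:15:02Z INFO  checkout ok order=1001 pan=4111111111111111 exp=12/26
2024-03-01T10:15:09Z DEBUG gateway request {"card":"5555 5555 5555 4444","cvv":"123"}
2024-03-01T10:16:44Z INFO  shipment tracking 1234567890123456
2024-03-01T10:17:01Z INFO  payment ok token=tok_8f3a9c last4=1111
"""

# Candidate PAN: 13-19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Security code (CVV2/CVC2/CID/CAV2) written next to a key name. Storing it
# after authorization is prohibited outright (Requirement 3.2 in v3.2.1).
_SAD = re.compile(r"\b(cvv2?|cvc2?|cid|cav2)\b(\W{0,3})(\d{3,4})\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; filters out random digit runs such as order
    or tracking numbers before a line is flagged."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN for display: at most the first six and last four digits
    may be shown (Requirement 3.3 in v3.2.1, 3.4 in v4.0)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    lineno: int
    pans: int       # Luhn-valid card numbers found on the line
    sad: int        # security codes found on the line
    redacted: str   # the line with PANs masked and security codes removed


def redact_line(line: str) -> tuple[str, int, int]:
    """Return (redacted_line, pan_count, sad_count) for one log line."""
    pans = 0

    def _mask(m: re.Match) -> str:
        nonlocal pans
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            pans += 1
            return mask_pan(digits)
        return m.group(0)  # digit run that fails Luhn: leave it alone

    redacted = _CANDIDATE.sub(_mask, line)
    redacted, sad = _SAD.subn(r"\1\2***", redacted)
    return redacted, pans, sad


def scan_log(text: str) -> list[Finding]:
    """Scan a log text and report every line carrying cardholder data."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        redacted, pans, sad = redact_line(line)
        if pans or sad:
            findings.append(Finding(lineno, pans, sad, redacted))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.lineno}: {f.pans} PAN(s), {f.sad} security code(s)")
        print("   ", f.redacted)
```

Run against the sample, lines 1 and 2 are reported (the second one twice over: a PAN plus a security code in a gateway debug dump), while the Luhn-invalid tracking number on line 3 and the token with last-four on line 4 pass clean. The same scanner, pointed at real log directories, database exports and ticketing systems, is a cheap way to confirm that card numbers are not hiding outside the systems you have declared in scope.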
What happens if you don't comply?
If your company does not comply with PCI standards, there are a few things that may happen:
- Fines and fees: If you don't follow PCI compliance rules, your company may be charged between $5,000 and $100,000 a month in fines and penalties. The card brands levy these on your acquiring bank, which passes them on to you. The exact amount is determined by the size of the company, how severe the noncompliance issue is, and how long the company has been noncompliant.
- Data breach: The standards were created to reduce the likelihood of a merchant being targeted for a data breach. If your organization doesn’t properly handle credit card information, you are at risk of being hacked and having to handle the costly fallout that goes along with it.
- Possible lawsuits: If your company has mishandled customer data, stored card numbers improperly or hasn’t maintained other security measures to prevent a data breach, the customers impacted may have grounds for a lawsuit. This type of action damages a merchant’s reputation and could even cause a company to fail.
- Barred from taking credit cards: In some cases, a business may even be barred from accepting credit cards if they don’t follow compliance rules. This can be a huge blow for business operations and create dissatisfaction among customers who expect common payment options.
Using employee education to stay secure
No matter what level of security you are responsible for, it's important to train your employees to keep consumer information of all types safe. Make sure employees are reminded of their responsibility for protecting card data at least annually (or more frequently, based on your company's training schedule).
For companies with remote staff or those who accept transactions over the phone, use workflows that eliminate the need for customers to read their card information out loud.
Email or text message payment requests like PDCflow's Flow Technology allow customers to enter their own payment information, reducing the risk of staff mishandling data. Implement the appropriate technology, then teach your employees how to use it and why it is important.
Common PCI compliance challenges
Work from home staff
Many companies offer fully remote positions or hybrid work schedules so employees don’t need to come to the office every day. It’s a common practice but can make payment security tricky. For PCI compliance in remote work, companies should:
- Ensure remote access is secure: Your organization should require employees to use secure internet connections, and access to sensitive work systems should be protected with multi-factor authentication (PCI DSS requires it for all remote access into the cardholder data environment) to prevent unauthorized access to customer data. Require strong passwords and rotate them on the schedule your policy sets.
- Promote data protection: Staff shouldn’t be able to view, retrieve, share or manipulate information they don’t need for their jobs. Make sure you limit what people can access. Making it easier to find the right information, files, or templates also reduces human error. Protecting access eliminates the chance to mishandle data your employee shouldn’t be able to see.
- Create rules for secure work spaces: Set privacy guidelines for home work spaces. Employees should enable locked work screens any time they are away from their work stations. They should have a private workspace, where no one walking past windows or doorways could easily see private information.
Payments over the phone
Taking card payments over the phone is a standard practice, but your organization should be careful of how you handle this practice. For example, many call centers record customer service calls to review later for training purposes.
Call recording causes problems if you let customers say a card number over the phone during an agent-assisted payment. A recording that captures the card security code may not be retained after authorization at all, and a recording that captures the full card number becomes stored cardholder data, bringing the recording system into PCI scope. Companies should not be recording calls when a customer reads out payment information verbally.
There are several types of software that solve this problem, such as call recording systems with pause-and-resume that stop recording while the card is taken. Payment processors or other customer management solutions may also offer protection.
For example, PDCflow’s Flow Technology lets agents send an email or text payment request to customers while still on the call. This way, customers can enter payment information without staff having to hear or key in private information – keeping PCI compliance scope to a minimum.
Level 1 PCI compliant payment processors should have security measures in place to handle and store credit card information. Taking advantage of this makes it unnecessary for most companies to capture and store card information internally.
Letting your payment vendor capture and store payment data on your behalf reduces risk and keeps customer information safe. Your vendor should adhere to common data security practices like:
- System scans
- Penetration tests
- External audits
Integration for PCI compliance
Many organizations have a customer management system or other software that holds most of their important business information. Often, though, these systems don’t come with a robust, compliant payment option (often they don’t include payments at all).
Companies that want or need payments in their system of record should look for PCI compliant payment systems that offer integrated options. There are several ways to integrate compliance features:
- Integrating pieces of functionality through API: Look for a processor that makes it simple to add a self-serve payment page to capture transactions. PDCflow offers the ability for merchants to access our open APIs for a simple, drop-in payment portal integration.
- Full integration through API: Look for a processor that provides API docs for a full payment integration. For example, PDCflow provides Secure entry overlay API documentation so companies can use the low-code and drop-in components to add PCI compliant payments into an existing system of record.
- Partner integration: For companies that don’t want to integrate in-house (or don’t have the resources to do so) many vendors have partner integrations already completed, so you can purchase a customer management solution with payments included.
- Integration requests: Many vendors are open to new integration relationships. If you’re interested in an integration but can’t do the work yourself, speak to your vendors and see if they will integrate to a PCI compliant payment system on your behalf.
Software for PCI compliance
PDCflow payment software offers security features that keep customer data secure and fulfill a number of payment compliance requirements, including PCI compliance.
- Our Level 1 PCI compliant payment processing software tokenizes and encrypts all payment data, so customer information remains safe at rest, and in transit.
- PDCflow stores customer data on behalf of our clients, so organizations can accept debit and credit card payments without worrying about storage security.
- PDCflow’s Secure Entry Overlay technology captures card numbers using an invisible layer on your payment forms, so the data is never captured by your company’s systems. This means your business does not need to handle sensitive data.
- Our Flow Technology lets companies send a text or email payment request directly to consumers. The recipient can enter their own information, keeping it secure – even from your system of record and your employees – reducing risk and simplifying compliance.
Ensuring your organization is PCI compliant can be difficult. If you want simple, built-in tools to streamline your payment workflows and reduce your PCI compliance scope, talk to a PDCflow payment expert today.