How to Tell If Your Business Meets PCI Compliance

How to Tell If Your Business Meets PCI Compliance

The Payment Card Industry Data Security Standard, or PCI-DSS, is a security standard that must be met by all companies that handle, store, or transmit credit card data from the major card brands. It exists to protect consumers and minimize the potential damage associated with payment-related data breaches. 

PCI compliance refers to a company’s ongoing efforts to maintain the various physical and technological standards laid out in the PCI-DSS. The PCI-DSS has six goals and 12 requirements, covering everything from network security to physical access to company policies and more. There are also different levels of compliance, with any given merchant’s requirements determined by how many transactions they process and how they interact with card data. Needless to say, PCI compliance is complex, and that can cause problems since compliance is binary in nature – a merchant is either fully compliant or noncompliant. There is no middle ground.

 

What Happens if Your Business Isn’t PCI Compliant

There are a number of potential consequences for failing to meet PCI standards, and they all put your business at risk. First and foremost, non-compliant businesses represent unnecessary risk. The card companies and your payment processor aren’t interested in taking on risky merchants, so failing to meet the standard could cost your business its merchant account.

PCI compliance failure can also come with hefty penalties that depend both on the severity of your non-compliance and the length. Penalties start at $5000 to $10,000 per month for one to four months of non-compliance and grow to as much as $100,000 once a business has failed to comply for seven months. 

Finally, failure to comply puts your business at greater risk of a data breach. Between customer lawsuits, the damage to your reputation, and the cost of remedial action, a data breach has the potential to cost your company millions of dollars, with the average coming in at $4.24 million, according to IBM’s annual survey. 

 

How to Tell if Your Business is PCI Compliant

With so much at stake, taking your company’s PCI compliance seriously is a must. But, with so much to know and so few merchants having highly technical backgrounds, how do you determine if your business is compliant and, if not, what you need to do to meet the standard?

Determine Your PCI Compliance Level 

The first step is to determine what level of PCI compliance is required of your business. There are four compliance levels, each based primarily on your company’s annual transaction volume.

Level 1: 6 million+ card transactions processed annually. 

Level 2: 1 million to 6 million transactions processed annually.  

Level 3: 20,000 to 1 million transactions processed annually. 

Level 4: Under 20,000 transactions processed annually. 

A data breach also results in automatic level 1 status, regardless of transaction volume. The vast majority of merchants fall into levels two through four, which have less stringent compliance requirements due to lower risk.  

Complete a Self-Assessment Questionnaire

If you’re a level 1 merchant, you’ll have to have an assessment done by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA) – professional security teams vetted and approved by the card companies. At any other level, you may only need to fill out an annual Self-Assessment Questionnaire (SAQ). The SAQ is an assessment tool designed to help smaller merchants analyze their data security in an efficient manner. But there are eight different types of SAQ, and the right one for your business is determined by how you interact with customer payment data. So, it’s important to ensure that you’ve identified both your correct compliance level, and the correct SAQ. 

Make Changes as Necessary

The self-assessment questionnaire will walk you through analyzing your company’s transaction security. If there are any gaps that would cause you to fall short of the standard, the SAQ will identify them. You will then be required to upgrade whatever aspect of your payment processing security fell short and redo the SAQ to show full compliance. 

 

How to Get Help with Achieving and Maintaining PCI Compliance

While the SAQ is a great tool to help businesses achieve and maintain the necessary standards, the complexity of PCI compliance means that many merchants never even make it to the right SAQ, if they even think about their PCI status at all. So, if you’re not sure how to get started, don’t know which level or SAQ applies to your business, or think you might need assistance with the process, what should you do?

The good news is navigating PCI compliance isn’t something you have to do on your own. Your payment processor may be able to offer the expert guidance you need to make PCI compliance less intimidating and help you meet the standard without pulling your hair out. If you’re in any way unsure about the PCI compliance process, your first call should be to your account manager. 

BAMS offers our merchants dedicated support by account managers that truly get to know their clients’ businesses inside and out. Our team has the knowledge and experience necessary to make achieving and maintaining PCI compliance a breeze. Better still, all BAMS merchants get access to our interchange-plus pricing – the lowest and most transparent transaction fee model in the industry. 

To find out more about how a BAMS merchant account can save you money on your monthly statements, offer you industry-best support, and make PCI compliance as easy as possible, get started with a comprehensive five-point price comparison today.