If you have a business that accepts credit card payments, you need to know some of the basics of how credit card processing works. It’s probably not going to be the most thrilling part of being a business owner, but it’s important to understand for two major reasons: following legal guidelines and saving your business money. All in all, it will help you run a successful business.
Part of this equation is PCI compliance. Failure to follow PCI compliance can result in costly penalties or leave you easily subject to credit card fraud. In light of many recent security breaches across various industries, it’s more important than ever that businesses protect themselves. So let’s take a look at what PCI compliance is and what retailers must know about it.
PCI is short for PCI DSS, the Payment Card Industry Data Security Standard. This security standard was instituted in 2004 and is updated regularly.
The current version is PCI DSS 4.0, which began to replace PCI DSS 3.2 in March 2022. The new version is being rolled out over the course of 18 months, and v3.2 will be fully phased out by the beginning of 2025.
Like many payment regulations, it was created to protect both merchants and consumers. It is meant to protect against data breaches and other forms of payment fraud. Businesses must adhere to all PCI regulations in order to avoid costly fines, and to maintain the trust of their customers.
Today, PCI Compliance is regulated by the PCI SSC (Security Standards Council). This organization was founded by the main credit card associations – American Express, Visa, MasterCard, and Discover. Each credit card company can enforce the PCI standards however they see fit.
Why Was PCI Compliance Created?
In essence, PCI Compliance is meant to protect against both brick & mortar and eCommerce fraud. In doing so, it protects both the merchant and the shopper.
The merchant is responsible for creating a secure network. This includes building a firewall within the network to protect credit card information. It also requires basic password maintenance to keep that network secure.
In order to ensure that these procedures are done universally by all retailers, PCI Compliance sets a standard for how retailers secure payment data. Big box retailers and mom and pop shops alike must abide by this set of rules.
What Are the Different PCI Standards?
PCI Compliance applies to merchants, as well as hardware manufacturers and software developers. Below, we’ve outlined several in more detail:
PIN Entry Device (PED) standards – PCI Compliance reaches companies that produce PIN-entry payment devices. This includes all EMV devices, but also swiped transactions at gas stations and ATMs.
Payment Application Data Security Standard (PA-DSS) – PA-DSS goes to the next level and regulates the software that stores cardholder information and data. PA-DSS is meant to protect this software from any security breaches.
Data Security Standard (DSS) – PCI DSS, as mentioned above, is the standard that each business must meet to stay within payment regulations. This is what retailers must pay close attention to, following strict procedural policies, security management, network safety, and software.
Different Levels of PCI DSS Compliance
Every business must adhere to PCI standards, but the standards will vary depending on the type of business you have and the brand of card that is facilitating the transactions. The various levels of PCI Compliance define how each business must proceed with their payment structure and security.
Level 1 – To qualify, a merchant must process at least $6 million of MasterCard or Visa transactions each year. For American Express the threshold is $2.5 million. For these businesses, it’s required that an onsite assessment is performed each year by an external party.
Level 2 – These retailers process $1-6 million in annual transactions. The American Express range is $50,000 to $2.5 million.
Level 3 – The third tier processes between $20,000 and $1 million. Level 3 is the lowest level for American Express – any business that processes less than $50,000 falls into this category.
Level 4 – Finally, level four is for businesses that process less than $20,000 each year.
Levels 2-4 typically only require an annual Self-Assessment Questionnaire (SAQ), submitted to their acquiring bank. Each credit card network advises that every business register individually to get accurate advice on the proper steps to ensure full compliance.
How a Retailer Becomes PCI Compliant
All businesses that store consumer card information must complete an annual SAQ. Some must also pass a PCI Security Scan each quarter. The various SAQs will depend on the type of payments that your business accepts.
SAQ A – Applies to all eCommerce merchants. The rest listed below are only for brick and mortar retailers.
SAQ B – Used only for merchants that don’t store any cardholder data onsite or in the cloud.
SAQ B-IP – This is completed if the merchant has an IP address connection with their payment processor and no electronic data storage.
SAQ C – For merchants that have their payment systems connected to the internet.
SAQ C-VT – Completed by retailers that manually enter one transaction at a time through a keyboard into a virtual terminal.
SAQ P2PE-HW – The most common SAQ, this is required for businesses that use hardware payment terminals with point-to-point encryption through a third-party provider/processor.
Most credit card processors/merchant service providers complete this for their merchants automatically. Payment processors must use thorough data encryption and tokenization to protect all data through the entire exchange process. Tokenization replaces the cardholder data with a unique and encrypted token, making it impossible for someone to decrypt the sensitive information. Finally, this information should be stored in a secure cloud-based server.
Not only do retailers rely on consumer trust to ensure continued business success, but a failure to comply with PCI regulations can result in crippling fines. A breach of consumer data can cost businesses hundreds of thousands of dollars in fines. Moreover, poor data security practices can leave your business’s data itself vulnerable.
Retail stores are high priority targets for fraudsters. And we’ve certainly seen how it’s played out for some big retailers. Even if you only accept one type of credit card, you’re required to follow all PCI regulations to accept both online and in person payments. So make sure that you’re protected so business can thrive.
For more detailed information from each of the 4 major credit card associations, check out the links below:
Among other things, Michael writes about trends and tips in retail for KORONA POS. His focus is on bringing small business owners a more holistic approach to growth. In his spare time, you'll find him hiking somewhere in the southwest. Connect with him on LinkedIn.