PCI Compliance: Keeping Your Business Safe and Secure

In today's modern financial world, small business owners need to evolve technologically in order to thrive. Part of this evolution has included accepting online credit card payments. In our increasingly cashless society taking credit card payments benefits businesses by making purchases more convenient for customers and improves cash flow by expanding online purchases.

In order to take credit card payments, whether in person or online, your business must be able to ensure the customer's card data and personal information are safe. Following the Payment Card Industry (PCI) compliance standards developed by Visa, MasterCard, Discover, and American Express is the best way to protect your customer's data and protect your business from fraud liability.

This guide will walk you through the basics of PCI compliance so that you have a clear understanding of the following:

1. What is PCI Compliance?

2. How Does It Affect Your Business?

3. The Importance of Compliance

4. The Consequences and Penalties of Non-compliance

What is PCI Compliance?

Whenever your business accepts a credit card payment, sensitive data is received and processed. In order to use their networks to process payments, the major credit card brands (Visa, MasterCard, Discover, American Express) want to ensure that businesses are able to safely and effectively manage this data.

To do this, the major credit card brands have established standards known as the Payment Card Industry Data Security Standards (PCI-DSS). Any business that accepts even one credit card payment per year, whether online or in-person, is required to comply with PCI standards.

All businesses, regardless of size, are required to prove they are PCI compliant. This is done through a type of audit or assessment, which happens on an annual basis. The level of PCI compliance required varies based on your business size, type and industry.

How do You Know What Level of PCI Compliance Applies to Your Business?

Simply put, by how many credit card transactions your business runs.

Businesses are organized into 4 different compliance levels depending on processing volume. The higher the processing volume, the higher the level. For example, to be considered level 1, a business must process more than 6 million Visa transactions per year. To be considered level 4, a business must process less than 1 million Visa Transactions per year. PCI compliance validation requirements (what you must do to be considered PCI compliant) differ depending on what level your business is in.

How does PCI Compliance Affect Your Business?

As most small businesses in the USA are level 4, we will focus on those requirements. For these merchants (that's you), it has traditionally been up to individual processors and merchant service providers to determine validation requirements, or whether to validate PCI compliance at all. However, as of January of 2017, Visa requires validation for all businesses, including level 4 merchants.

That means small businesses at level 4 must complete an annual Self-Assessment Questionnaire and an Attestation of Compliance form annually.

In addition, if the business sells products online, a quarterly network scan by an approved scan vendor is usually required.

The Self-Assessment Questionnaire is a PCI Standard validation tool to assist merchants and merchant services providers (the company that gives you the card reader) in demonstrating their compliance with industry standards. According to the PCI Data Security Standard Guidelines, there are nine standard validation categories that apply. Because individual merchants are ultimately liable for fines and assessments, business owners should always refer to the PCI validation categories to select the SAQ and Attestation that best applies to their business. Basically, make sure you are compliant with the guidelines that most closely fit your business. There are many credit card processors and PCI compliance companies that can assist small businesses in navigating the often confusing world of Self-Assessment Questionnaires and other technical areas of PCI compliance. For more information about Self-Assessment Questionnaires, click here.

Why Are There PCI Compliance Costs or Fees?

Since Visa's 2017 decision requiring validation of every merchant, many credit card processors require validation through a licensed third party Qualified Security Assessor.

This is not expressly required by the credit card brands (although they strongly recommend it), but rather it is often a requirement of issuing banks that back credit card processors.

As a result, the PCI process usually requires business owners to pay some sort of fee along the way to cover the cost of the security assessment or as a penalty for non-compliance.

What are the PCI Compliance Costs or Fees?

The PCI Compliance Fees usually fall into 1 of 3 categories:

1. Fees Paid to Third Parties (Quality Security Assessors) to Verify PCI Compliance.

Most credit card processors require PCI validation through a third party Qualified Security Assessor. The cost of having a Qualified Security Assessor validate your Self-Assessment Questionnaire can range from $100-$500 per year, depending on which self-assessment your business is required to fill out. Many Qualified Security Assessors also offer educational programs, and will even walk you through the Self-Assessment Questionnaire (SAQ) and/or fill it out for you.

Some credit card processors partner with third party Qualified Security Assessor companies to handle all merchant SAQ validation. This can often provide customers with prices that are below the market average for SAQ validation.

For example, some ResNexus customers use Complete Merchant Solutions (CMS) and Authorize.net to process credit card payments. Because Authorize.net and CMS process payments for merchants in multiple industries and locations, their backing banks require each of their customers to validate their SAQ results through a third party provider. Both CMS and Authorize.net use a QSA company called Security Metrics. Due to this partnership, Security Metrics charges a low annual fee for SAQ validation.

Regardless of your credit card processor's relationship with Qualified Security Assessors, a business always has the option to find their own licensed assessor to validate their Self-Assessment Questionnaire.

In addition to QSA's, some credit card processors will also require businesses to perform a quarterly network scan through an Approved Scan Vendor. Prices for vulnerability scans range from $100-$200 per quarter. Keep in mind some Qualified Security Assessors are also Approved Scan Vendors and will be able to handle all of your needs. If you have additional questions regarding network scans, consult your credit card processor.

For more information about PCI Compliance Scanning Requirements, click here.

2. PCI Non-Compliance Fees to Credit Card Processors

Should a business fail to complete or validate an annual Self-Assessment Questionnaire, or if their answers on their SAQ indicate that their business is not PCI compliant, the business will often be charged a PCI non-compliance fee by their credit card processor.

A common rumor in the industry is that PCI non-compliance fees are required by the credit card brands. This is not true. Visa and MasterCard do not charge businesses or processors a fee for PCI non-compliance.

However, the card brands may impose compliance fines if non-compliance leads to a security issue or breach. These fines can be levied on both the merchant and credit card processor. In short, it is in the best interest of the credit card processor to do whatever it can to ensure its merchants are PCI compliant, and a PCI non-compliance fee is intended to do just that.

Each processor chooses whether to charge a PCI non-compliance fee, and if so, how much the fee is. PCI non-compliance fees typically range from $10 to $40 a month, but can go as high as $100 a month for certain processors. PCI non-compliance fees are often set higher than the costs of the annual validation as a way to motivate businesses to become PCI compliant.

3. PCI Compliance Fees

Most processors charge a PCI non-compliance fee for businesses that are not PCI compliant. But some also charge PCI compliance fees. These fees can also be called different names, such as a "security fee" or "regulatory fee." Regardless, these fees are not mandatory, and may or may not come with any added value.

PCI compliance fees are usually smaller than non-compliance fees, but their value is sometimes ambiguous. Some processors provide benefits for these fees such as support and guidance to business owners on how they can remain compliant. Some will even fill out the SAQ on behalf of their merchants. Some use the fee to cover the cost of third party validation of the business's annual SAQ.

However, there are processors that will simply charge the fee while providing little or no value. Unfortunately for small business owners, there is little recourse against these fees. There is currently no regulation that prevents processors from charging PCI compliance fees without providing any additional value. Business owners are encouraged to research how a particular processing company handles PCI compliance when they are deciding on which processor to use. Click here for more information about PCI compliance fees.

Conclusion

Maintaining PCI compliance is not always convenient, and the fees associated with it can be annoying and unexpected.

But PCI validation through a third party Qualified Security Assessor is the best way to protect your business from security threats such as data breaches and fraud. The costs associated with a breach can be huge, and generally far outweigh the costs of ensuring your business is PCI compliant.

PCI compliance is a very complex topic that goes much deeper than the overview that we have presented in this article. Your processor and/or Qualified Security Assessor should be able to help answer any additional questions you have about compliance and their requirements for your business. You can also explore PCI compliance more in depth at the resources listed below.

Sources:
https://www.cardfellow.com/blog/pci-compliance-is-required/
https://www.pcisecuritystandards.org/pci_security/completing_self_assessment
https://www.pcicomplianceguide.org/faq/

https://usa.visa.com/partner-with-us/pci-dss-compliance-information.html
https://usa.visa.com/support/small-business/security-compliance.html#2