
Tackling PCI compliance requirements for small businesses

Emily Alaniz, Contributing writer, BILL

When you hand your credit card over to a merchant, you hope they will keep your cardholder data safe. That’s what the PCI compliance requirements are designed to do: keep customer data from being exposed or falling into the wrong hands.

The founding members of the PCI Security Standards Council (PCI, Payment Card Industry) are American Express, Discover Financial Services, JCB International, Mastercard, and Visa. They wanted people to be able to use credit cards without worrying about security, so they created a set of requirements for handling cardholder data. Read on to learn how these requirements apply to you and how your business can become PCI compliant.

Highlights

  • The Payment Card Industry Data Security Standard (PCI DSS) helps strengthen cybersecurity in your business in order to protect cardholder data.
  • PCI compliance requirements can be demanding, but they are necessary in order to make credit card transactions.
  • There are 12 PCI DSS requirements that keep cardholder data safe, including maintaining a firewall and testing security processes regularly.

What is PCI compliance?

PCI compliance means a company adheres to the Payment Card Industry Data Security Standard (PCI DSS) published by the PCI Security Standards Council. The standard covers many different aspects of cybersecurity that help protect the information of cardholders who make purchases from your business.

These standards apply to any business that accepts card transactions, and compliance is likely required by your merchant service provider or payment service provider before you can process credit card payments. Put simply, if your business accepts credit card payments, you need to be PCI compliant.

Steps to become PCI compliant

There are two main steps to becoming PCI compliant:

  1. Complete an assessment to determine your overall security posture. Many small businesses qualify for a self-assessment, depending on their level.
  2. Scan the network used to process payments. This usually requires help from a third party.

The kind of assessment your company needs to complete depends on your level, which is determined by the number of card transactions your business completes each year.

The four levels

Level one: Businesses that process more than six million card transactions a year. This category also includes businesses that have experienced a data breach.

Level two: Businesses that process between one million and six million card transactions a year.

Level three: Businesses that process between 20,000 and one million card transactions a year.

Level four: Businesses that process fewer than 20,000 card transactions a year.

If you are level four, you can complete a self-assessment questionnaire (SAQ). Companies at levels one, two, and three will need a third-party auditor to complete an assessment.

In order to remain PCI compliant, you must complete a reassessment of security practices every year to make sure you are following the 12 PCI DSS requirements.

What are the 12 PCI DSS requirements?

There are 12 requirements you need to meet in order to satisfy the PCI Data Security Standard. Think of this as your PCI compliance checklist.

  1. Use a firewall to protect cardholder information.
  2. Never use vendor-supplied defaults for passwords or any other security measures.
  3. Protect stored cardholder data.
  4. Encrypt any transmission of cardholder data across public networks.
  5. Protect systems from malware and keep antivirus software up to date.
  6. Create and use secure systems and applications.
  7. Restrict access to cardholder data to individuals who really need it.
  8. Identify and authenticate access to system components.
  9. Restrict physical access to cardholder data.
  10. Track all access to network resources and cardholder data.
  11. Test security systems and processes regularly.
  12. Maintain an information security policy that applies to all personnel.

You can read the 12 PCI DSS requirements in full here.
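A common way a small merchant breaks requirements 3 and 10 by accident is by writing a full card number into an application or point-of-sale log, where it then sits unencrypted and unmasked. As an added illustration (not code from the original article or from BILL), the following Python helper masks a primary account number (PAN) to the first six and last four digits, a display format that stays within what PCI DSS permits, and scans log lines for unmasked PANs, using the Luhn checksum to avoid flagging ordinary numbers such as order references. The card numbers and log lines are constructed test data.

```python
"""Added example: detect and mask unmasked PANs in log lines.

Not code from the original article or from BILL. The card numbers and
log lines below are constructed test values, not real accounts.
"""
import re

# A run of 13 to 19 digits, optionally separated by single spaces or
# hyphens, that is not part of a longer run of digits.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn checksum: every real PAN passes it, most other numbers do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep the first six and last four digits, replace the rest with '*'."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_unmasked_pans(line):
    """Return the Luhn-valid PANs (digits only) found in one log line."""
    hits = []
    for m in PAN_PATTERN.finditer(line):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def redact_line(line):
    """Replace every Luhn-valid PAN in the line with its masked form."""
    def _mask(m):
        digits = re.sub(r"\D", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return PAN_PATTERN.sub(_mask, line)


def scan_log(lines):
    """Map line index -> unmasked PANs, for the lines that contain any."""
    findings = {}
    for i, line in enumerate(lines):
        pans = find_unmasked_pans(line)
        if pans:
            findings[i] = pans
    return findings


# Constructed sample log: one line leaks a full PAN, one is already masked,
# and one carries a 16-digit reference that fails the Luhn check.
SAMPLE_LOG = [
    "2024-03-01T10:15:02Z POS checkout card=4111 1111 1111 1111 amount=42.10",
    "2024-03-01T10:15:03Z POS checkout card=411111******1111 txn=8839201 amount=42.10",
    "2024-03-01T10:15:04Z POS lookup ref=4111111111111112 status=declined",
]

if __name__ == "__main__":
    for idx, pans in scan_log(SAMPLE_LOG).items():
        print(f"line {idx}: unmasked PAN(s) found -> {redact_line(SAMPLE_LOG[idx])}")
```

Run over a real log export, `scan_log` tells you which lines would need to be purged or rewritten, and `redact_line` shows what the logging code should have emitted in the first place; the Luhn filter is what keeps an ordinary 16-digit reference number from being reported as a card number.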

The importance of PCI compliance for small businesses

PCI compliance helps protect your customers and your business. Customers can trust that companies following these rules will keep their data safe.

Also, your merchant service provider or payment service provider likely requires PCI compliance. If you accept credit card payments, it’s an essential part of doing business. If you don’t follow the proper procedure to meet PCI compliance standards, you may have to pay a PCI non-compliance fee or penalty.


Emily is a full-time senior writer at BILL. She has a bachelor's degree in English and has been writing copy for over a decade. Outside of work, she loves reading, traveling, and trying to look busy at the gym. In elementary school, her teachers kept saying “use your words”, which has been pretty helpful advice.

The information provided on this page does not, and is not intended to constitute legal or financial advice and is for general informational purposes only. The content is provided "as-is"; no representations are made that the content is error free.