We’ve been getting a lot of questions about PCI compliance lately. Questions like: Am I PCI DSS Compliant? What do I need to be compliant? How does this impact my business? We created this post to help you understand your PCI DSS Compliance requirements, comply with the rules, and ultimately safeguard your business and clients.
First Off, What is PCI DSS?
Payment Card Industry Data Security Standard (PCI DSS) is a set of standards, rules, and procedures designed to protect consumer data in credit and debit transactions and reduce expensive data breaches. Essentially, it’s a set of rules to maintain payment security.
The leading five Card Brands, Visa, MasterCard, Amex, Discover, and JBC, get really upset if you have credit card numbers scribbled on post-it notes, buried in your text messages, or anywhere they can be found by unintended parties. To help maintain payment security, they established the PCI Security Standards Council (PCI SSC) as a governing and administration entity, and it is responsible for all PCI rules and standards.
So, How Does PCI DSS Impact My Business?
Boulevard is a PCI DSS-approved Level 1 Service Provider. We manage payment processing for you and take the necessary steps to address certain PCI DSS requirements through our own efforts and by providing guidance to our customers.
However, partnering with a PCI DSS compliant provider does not automatically make you, as a business, compliant with PCI regulations. As a merchant who accepts credit/debit cards, you are still responsible for ensuring that your business is compliant with all current PCI requirements.
But What If I run a Solo or Small Operation?
Compared to larger merchants, smaller merchants typically have simpler environments with limited amounts of cardholder data and fewer systems that need protecting. This reduces your overall PCI compliance efforts, but you still need to comply.
What Steps Do I Need to Take to Become a PCI DSS Compliant Business?
Step 1: Follow PCI DSS Standards Requirements
PCI DSS standards cover technical and operational system components included in or connected to cardholder data. Here is a list of current requirements as of May 31, 2021, when this document was written:
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for employees and contractors.
This checklist is updated by PCI Security Council from time to time. Be sure to visit PCI Security Standards Council website to get the most up-to-date checklist for PCI DSS.
Step 2: Satisfy PCI Reporting Requirements
There are four levels of PCI compliance. Each level has unique reporting requirements based on your business’s total annual transaction volume and number of card transactions. You can find your reporting requirements below:
LEVEL 1
Applicability:
Any Merchant processing more than 6M transactions per year
OR
Any merchant that has had a data breach or attack that resulted in card data compromise
OR
Any merchant identified as Level 1 Card Brands
PCI Reporting Requirements:
Annually:
Report of Compliance (ROC) completed by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA) and signed by Officer of the company
Quarterly:
Network scan by Approved Scan Vendor (ASV)
LEVEL 2
Applicability:
Merchants processing 1M - 6M transactions
PCI Reporting Requirements:
Annually:
Report of Compliance (ROC) completed by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA) and signed by Officer of the company
Quarterly:
Network scan by Approved Scan Vendor (ASV)
LEVEL 3
Applicability:
Merchants processing 20K - 1M eCommerce transactions
PCI Reporting Requirements:
Annually:
Self-Assessment Questionnaire (SAQ) completed by merchant or by a Qualified Security Assessor (QSA). See more at Completing SAQ.
Quarterly:
Network scan by Approved Scan Vendor (ASV)
LEVEL 4
Applicability:
All other merchants
PCI Reporting Requirements:
Annually:
Self-Assessment Questionnaire (SAQ) completed by a merchant or by a Qualified Security Assessor (QSA). See more at Completing SAQ.
Quarterly:
Network scan by Approved Scan Vendor (ASV)
A complete list of Approved Qualified Security Assessors (QSAs) can be found here.
A complete list of Approved Scan Vendors (ASVs) can be found here.
How Much Will It Cost Me to Become PCI Compliant?
The cost of being PCI compliant depends on the size of your business and transaction volume, so it will vary from business to business.
If your business is not compliant with PCI standards, you could be at the risk of fines and penalties related to data breaches, card replacement costs, forensic audits, and investigations into your business. It could affect brand image and can have other consequences as well, so it’s not something you want to brush under the rug.
Anything Else I Need to Know?
We realize PCI Compliance isn’t the most exciting topic in the world, but it’s necessary to keep you and your clients protected and is a must if you have big plans for your career and business. So, don’t wait! Follow the PCI requirements today and lay the groundwork for your future success. To learn more about achieving and maintaining full PCI DSS Compliance, visit the PCI Security Standards Council website.
Boulevard offers a customer-centric, easy-to-use management platform for modern salons and spas. As a PCI DSS-approved Level 1 Service Provider, we manage your payment processing for you and help ensure your business is up-to-date with all requirements, so you can focus on honing your craft. Partner with a provider who has your back. Schedule your free demo today!