7 Questions You Probably (Should) Have About PCI Compliance
The PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements that – although you might never have heard of them – you absolutely need to follow if you take card payments. The bad news: if you don’t follow them, you might have some fines coming your way through your acquiring bank. The good news: being PCI Compliant isn’t all that hard. Just tricky.
If you’ve arrived here from our email list, we hope that this can help shore up a few questions for you. If you’ve arrived from somewhere else, then it’s probably because you have these questions already. PCI Compliance is an important and nuanced aspect of your business.
I Use PayPal/Stripe/Another Payment Company - Do I Care?
If you’re using a payment provider like Stripe or PayPal to process your payments, then you can relax a lot about PCI Compliance. But you aren’t completely off the hook. Any business that accepts card payments needs to be PCI compliant, and that includes you. Businesses like PayPal and Stripe, which process millions of transactions every day, are validated as Level 1 service providers and do the heavy lifting for the parts of the standard that cover their own systems.
However, they can’t do all of the work for you. If card numbers pass through a server you control – say, a checkout page that collects the card details before sending them to the provider – that server is in scope and has to meet the full set of requirements, and it will be scanned. If you use the provider’s hosted payment page or embedded card fields so that card numbers never touch your systems, your scope shrinks to the shortest questionnaire. We’ll talk a bit more about this later. Either way, you can’t accept card numbers by email, text or chat, even from a secure server: PCI DSS forbids sending unprotected full card numbers over end-user messaging, and those channels leave copies of the full number sitting in mailboxes, phones and logs.
What Are PCI Levels?
PCI Levels sort merchants into categories that decide how much validation is demanded of them. The card brands (Visa, Mastercard and the others) set the levels by annual transaction volume, and a merchant that suffers a breach can be moved up to Level 1 regardless of volume. There are 4 merchant levels. A Level 1 merchant processes more than 6 million transactions a year; a Level 4 merchant processes fewer than 20,000 e-commerce transactions a year (and up to 1 million across all channels).
Depending on the level, the validation requirements are different. A Level 1 merchant must have an annual Report on Compliance produced by a Qualified Security Assessor (or a qualified internal auditor), plus quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). Levels 2 through 4 generally self-assess instead: an annual Self-Assessment Questionnaire (SAQ) with an Attestation of Compliance, plus quarterly ASV scans where the SAQ type calls for them.
Is It Better to Be Level 1 than Level 4?
Your level isn’t something to aim for. It would be nicer to be Level 1 than 4 only because we’d all love to do 6 million sales this year. Other than that, there’s no reason to aspire to a higher level. Levels exist to match the amount of validation demanded of a business to how much damage a breach at that business could do.
Think of PCI Levels as a risk assessment. If a small business has a data breach, it might affect a few hundred people. If PayPal has a data breach, it would affect just about everyone.
How Hard Is It To Be PCI Compliant?
Gaining and retaining PCI Compliance isn’t an overwhelmingly complex task for a small merchant. Most of the controls (firewalls, patching, unique user accounts, encrypted connections) are things you’re probably already doing. For small businesses a lot of the effort is in the validation: knowing which Self-Assessment Questionnaire applies to how you take payments, answering it honestly each year, and sending the Attestation of Compliance to your acquirer or processor. Do that, keep the quarterly scans clean, and you’re probably going to be okay.
How Is Compliance Enforced?
Enforcement comes from the card brands by way of your acquiring bank or processor, not from the PCI Security Standards Council, which publishes the standard but does not police it. Your acquirer requires an annual attestation and, for most SAQ types, quarterly external vulnerability scans. Those scans are run by an ASV that you engage, against the public IP addresses and web application URLs you declare as in scope; the ASV checks for known vulnerabilities and for weak configurations such as SSL or early TLS. A failed or missing scan, or a missing attestation, is what triggers non-compliance fees, which the acquirer passes down from what the card brands charge it.
Don’t think you can skirt around PCI Compliance, though. Enforcement is lax for a lot of small companies, but the risk is not. Card data is exactly what attackers go looking for, and the controls exist to keep them out; skip them and, if a breach follows, the forensic investigation, the card reissuance and fraud costs the brands assess, and the legal fees will make the compliance fees look cheap. Your acquirer can also close your merchant account.
What’s The First Thing I Need to Do?
The first thing most merchants get asked for is a TLS certificate for the website (most people still call it an SSL certificate). Getting one is easy, and you can likely get it from your web host with a few button presses. (In fact, it’s unlikely that you don’t have one.) But a certificate on its own doesn’t make you compliant: PCI DSS requires strong cryptography for card data in transit, which means the server must refuse SSL and early TLS (versions 1.0 and 1.1) and negotiate only TLS 1.2 or newer. Most hosts default to this now, but check it, because the quarterly scan will.
Beyond that, everyone’s path is a bit different. Start by writing down every place card data enters, passes through or is stored in your business – that determines your scope and which Self-Assessment Questionnaire you need – and then work through the questionnaire to see what applies to you.
Who Do I Ask More Questions To?
We can’t cover all the possible questions about PCI Compliance in one or even hundreds of articles. The topic is simple but each business is unique. Because of that, we know that there will be new questions all the time. If you have one, feel free to send it to us at GetPaid@DirectPaymentGroup.com.
We answer free of charge, and we answer because we want to. Direct Payment Group aims to enable your success however we can – answering emails is a simple way to do that.